User Access Reviews: Best Practices for Successful Audits

May 10, 2023 · 9 min read · Access Review · Compliance · Audits

Effectively managing employee (and third-party) access to applications, data, and IT infrastructure is crucial for modern businesses. And this means conducting thorough user access reviews on a regular basis.

The average company loses 18% of its workforce every year: 12% leave voluntarily, and 6% are laid off or terminated. Consequently, organizations run the risk that former employees retain access to sensitive corporate systems and data after they leave. Existing employees who accumulate privileges and access as they change roles or departments (privilege creep) pose another risk. And most companies grant some level of access to third-party vendors or contractors as well, access that is usually meant to be temporary and tightly scoped but is not revoked when it should be.

Regular user access reviews can mitigate these security risks and help companies safeguard critical business data.

In this blog post, we’ll discuss what user access reviews are, the types of user access reviews, and why they’re important. We’ll also provide a brief overview of the IT security certifications and standards that require businesses to perform user access reviews, along with how to perform them and best practices to ensure that the process is efficient.

What are user access reviews?

User access reviews, sometimes called access certifications or access recertifications, are periodic audits of the access rights of everyone who can interact with an organization’s data, applications, and infrastructure, including employees and people outside the company, such as vendors and business partners.

The aim of user access reviews is to remove outdated or unnecessary access and permissions, ensuring that the access rights granted to users are approved and applicable to their roles and/or functions.

The importance of reviewing user access rights

User access reviews help companies prevent cybersecurity breaches by limiting unauthorized individuals’ access to sensitive corporate data and resources.

User access reviews can help organizations mitigate the following threats:

Orphaned accounts: Accounts become orphaned when they are no longer needed but are never removed: accounts in corporate applications and systems with no active owner. This happens when offboarding is incomplete, when a contractor engagement ends without anyone closing the account, or when a user has simply forgotten that they were given access to an application.

Overprovisioning: Sometimes a user is given greater access privileges so they can execute a one-time transaction. Imagine an engineer who receives access to a production environment for an urgent bug fix. If this access isn’t revoked after they complete the task, the user could wind up with more access privileges than they need to do their job — privileges that malicious actors could exploit.

Privilege creep: Privilege creep happens when a user accumulates access over time and retains it after they no longer need it. It is common for early employees of start-up companies and for anyone who changes roles or departments: each move adds responsibilities and access, and if the previous access rights are not revoked, the user ends up with far more than their current job requires. That excess can be misused by the user, and an intruder who compromises the account of an over-privileged user gains the same reach to steal or damage the company’s data.

Insider threats: This is one of the most significant threats most companies face, as disgruntled or malicious employees can exploit their access rights to sensitive business data to wreak havoc on an organization. User access reviews can help companies mitigate insider threats by limiting users’ access to data, consistent with the principle of least privilege (which we’ll discuss in more detail later in this post).

Types of user access reviews

There are two types of user access reviews: the periodic user access review and the continuous user access review.

The periodic access review entails verifying at regular intervals that employees and third parties have the appropriate access rights. The periodic access review focuses on ensuring that organizations are in compliance with standards, laws, and regulations, such as SOC 2, ISO 27001, and Sarbanes-Oxley (SOX).

The goal of the continuous user access review is to reduce risk between periodic reviews by monitoring changes as they happen: new hires, departures, changes in users’ roles and responsibilities, and grants of additional permissions. Each such event triggers a check of the affected user’s access, so inappropriate access is caught within days rather than at the next annual cycle.

The standards, laws, and regulations that require user access reviews

Many international IT compliance standards, laws, and regulations require regular user access reviews, including:

System and Organization Controls 2 (SOC 2): SOC 2 is an attestation framework that defines how service providers should manage their customers’ data. It is built on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The common criteria for logical access (CC6.2 in particular) include periodic review of user access as a point of focus, so a SOC 2 audit will expect evidence that access reviews are performed and acted on.

ISO 27001: ISO 27001 is the international standard for information security management systems. In ISO 27001:2013, Annex A.9.2.5 (Review of user access rights) requires asset owners to review users’ access rights at regular intervals, with privileged access rights reviewed more frequently. In ISO 27001:2022 the same requirement lives in Annex A control 5.18 (Access rights).

The Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is the global security standard for merchants and other businesses that process, store, and/or transmit cardholder data. Requirement 7 details the access control procedures these companies must use, including the principle of least privilege and review of user accounts and privileges. PCI DSS v4.0 adds requirement 7.2.4, which calls for all user accounts and related access privileges, including third-party and vendor accounts, to be reviewed at least once every six months (a best practice until 31 March 2025, after which it is required). Requirement 12 separately calls for security policies, including access control policies, to be reviewed at least once a year.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA is a U.S. law that details the data protection methods for organizations that deal with healthcare data. HIPAA §164.308, Administrative Safeguards, requires that companies conduct periodic reviews of their access policies and implement procedures “to establish, document, review, and modify” user access rights.

The General Data Protection Regulation (GDPR): The GDPR, Europe’s data privacy and security law, applies to companies that collect and process the personal data of residents of the European Union. Article 32 requires controllers and processors to implement appropriate technical and organizational security measures, to regularly test and evaluate their effectiveness, and to ensure that anyone acting under their authority accesses personal data only on their instructions. Periodic reviews of who (employees and third parties) can access personal data are the usual way to evidence that this access is limited and controlled.

The Sarbanes–Oxley Act of 2002 (SOX): SOX is a U.S. law that aims to strengthen corporate accountability and protect investors from fraud. Section 404 requires management to assess, and external auditors to attest to, internal controls over financial reporting. Access controls on the systems that hold financial records are IT general controls within that scope, so SOX auditors routinely test that access to those systems is reviewed and that the reviews are evidenced.

How to conduct user access reviews

To conduct user access reviews, companies should:

  • Identify user accounts and permissions that need to be reviewed.
  • Determine whether each user’s roles, access rights, and privileges are appropriate, based on their job requirements or other criteria.
  • Keep a record of any changes to existing privileges, roles, or access rights for employees whose jobs have changed since their last reviews.
  • Institute a schedule for periodic reviews of user profiles and access rights.
  • If appropriate, implement an automated process for conducting periodic reviews of user accounts and privileges.
  • Properly document and track any changes to user access, in audit logs or other systems of record.

Who should conduct user access reviews?

Performing user access reviews shouldn’t be the sole responsibility of the IT department. IT can produce the account and entitlement lists, but the people who decide whether access is appropriate must understand the user’s tasks and role and know who needs which rights: department heads, middle managers, and supervisors, the people with the information needed to make the correct decisions.

For example:

  • Managers should review user access, as they know the responsibilities of their direct reports.
  • Application admins should review user access, as they are in a better position to understand the software and the implications of specific permissions.

A two-stage review works well in practice: managers first confirm that each direct report’s access matches their job, then application admins review the remaining entitlements, especially privileged ones, so that both the business need and the technical implications of each permission are covered.

How often should companies conduct user access reviews?

The proper frequency of user access reviews will vary by company and by the risk of the system. At a minimum, organizations should review all access at least once a year and also when trigger events occur, such as a role change, a termination, or the end of a contractor engagement. Privileged accounts and access to critical systems should be reviewed more often, typically quarterly or monthly. Note that SOC 2, ISO 27001, SOX, and HIPAA do not prescribe a specific interval; ISO 27001 only requires that privileged access be reviewed more frequently than other access. Of the standards discussed above, only PCI DSS v4.0 fixes a number: at least once every six months.

Best practices for conducting user access reviews

To ensure that user access reviews are effective, organizations should follow these best practices:

Track and document access and user permissions: Start by building an inventory of every account and entitlement in each in-scope application, taken from the application’s own user and permission export rather than from tickets or memory. Managers then annotate which access rights are still needed and which should be removed. This usually involves several systems to collect the data, present it to reviewers, and communicate the resulting changes back to the application owners, so record where each list came from and when it was pulled.

Document the user access review and its process: Organizations must keep detailed records of the user access review process so all stakeholders have a better understanding of it. For example, organizations should document which applications should be reviewed, how often, and by whom. Doing this can also help organizations demonstrate that they’re in compliance with relevant laws and regulations. The results of user access reviews should also be documented as evidence for internal and external audits.

Revoke permissions of ex-employees: When organizations conduct user access reviews, they must pay close attention to whether former employees’ accounts are still active within their networks. Companies should maintain records of all the employees who have left since the last user access review to ensure that their access has been terminated.

Employ role-based access control: Rather than configuring each user’s account individually, the role-based access control (RBAC) model lets companies organize users by role. Each role is given a defined set of access privileges, which makes user access easier to review and manage. RBAC accelerates user access reviews because reviewers can certify a role’s entitlements once, then check only which users hold the role and which entitlements sit outside any role. The trade-off is that one-off exceptions granted outside a role must be tracked separately, with an owner and an expiry, or they silently become the privilege creep the review is meant to catch.

Implement the principle of least privilege: The principle of least privilege means that users have access only to the data they need to do their jobs — in other words, the minimum level of access rights or privileges for their roles.
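As an added example (not the page’s own code and not any vendor’s product), the script below implements the steps listed under “How to conduct user access reviews” together with the leaver-revocation and RBAC practices above: it compares an entitlement export against the HR roster and a role baseline, flags terminated users who still hold access, accounts with no HR record, expired temporary grants, and entitlements outside the user’s role, routes each finding to the right reviewer (the manager, or the application owner for privileged entitlements), and records decisions as audit evidence. Every name, role, entitlement, and record in it is constructed, hypothetical data.

```python
"""Access-review reconciliation. Added example: every name and record below is
constructed, hypothetical data, not an export from any real system."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

# HR roster is the source of truth for who still works here: user -> (status, role, manager)
HR_ROSTER = {
    "alice": ("active", "engineer", "maya"),
    "bob":   ("active", "finance", "omar"),
    "carol": ("terminated", "engineer", "maya"),  # left last month
    "dave":  ("active", "support", "omar"),
}
# Role baseline (RBAC): the entitlements each role is expected to hold
ROLE_BASELINE = {
    "engineer": {"github:write", "jira:user"},
    "finance":  {"erp:post_journal", "jira:user"},
    "support":  {"zendesk:agent", "jira:user"},
}
PRIVILEGED = {"prod:admin", "erp:post_journal"}  # decided by the application owner, not the manager
APP_OWNER = {"prod": "sre-lead", "erp": "erp-admin"}
REVIEW_DATE = date(2023, 5, 10)                  # "today" for the sample run

@dataclass
class Grant:
    user: str
    entitlement: str                # "<app>:<permission>" as exported from the application
    expires: Optional[date] = None  # temporary grants carry an expiry

# Entitlement export pulled from the applications at the start of the review
ENTITLEMENT_EXPORT = [
    Grant("alice", "github:write"),
    Grant("alice", "jira:user"),
    Grant("alice", "prod:admin", expires=date(2023, 4, 1)),  # urgent-fix grant, never revoked
    Grant("bob", "erp:post_journal"),
    Grant("bob", "jira:user"),
    Grant("bob", "github:write"),        # left over from bob's previous engineering role
    Grant("carol", "github:write"),      # terminated employee still has access
    Grant("vendor-7", "zendesk:agent"),  # no HR record at all
    Grant("dave", "zendesk:agent"),
    Grant("dave", "jira:user"),
]

@dataclass
class Finding:
    user: str
    entitlement: str
    kind: str      # ORPHANED | TERMINATED_ACTIVE | EXPIRED_TEMP | OUTSIDE_ROLE
    reviewer: str  # the user's manager, or the app owner for privileged entitlements

def reviewer_for(user: str, entitlement: str) -> str:
    if entitlement in PRIVILEGED:
        return APP_OWNER.get(entitlement.split(":", 1)[0], "security")
    rec = HR_ROSTER.get(user)
    return rec[2] if rec else "security"  # nobody owns an orphaned account, so security decides

def reconcile(export, roster, baseline, today: date) -> list:
    """One Finding per grant the review must act on. Grants that match the user's
    role baseline and have not expired produce nothing, so reviewers only see exceptions."""
    findings = []
    for g in export:
        rec = roster.get(g.user)
        rev = reviewer_for(g.user, g.entitlement)
        if rec is None:
            kind = "ORPHANED"
        elif rec[0] != "active":          # leavers lose everything, even in-role access
            kind = "TERMINATED_ACTIVE"
        elif g.expires is not None and g.expires < today:
            kind = "EXPIRED_TEMP"
        elif g.entitlement not in baseline.get(rec[1], set()):
            kind = "OUTSIDE_ROLE"          # candidate privilege creep or over-provisioning
        else:
            continue
        findings.append(Finding(g.user, g.entitlement, kind, rev))
    return findings

AUDIT_LOG = []  # evidence for the auditor: who decided what, when, and why

def record_decision(finding: Finding, reviewer: str, decision: str, justification: str,
                    when: Optional[datetime] = None) -> dict:
    """Append an evidence record. Only the assigned reviewer may decide, and keeping a
    flagged entitlement needs a written justification that the next cycle can re-examine."""
    if reviewer != finding.reviewer:
        raise PermissionError(f"{reviewer} is not the assigned reviewer ({finding.reviewer})")
    if decision not in ("revoke", "keep"):
        raise ValueError("decision must be 'revoke' or 'keep'")
    if decision == "keep" and not justification.strip():
        raise ValueError("keeping a flagged entitlement requires a justification")
    entry = {"ts": (when or datetime.now(timezone.utc)).isoformat(), "user": finding.user,
             "entitlement": finding.entitlement, "kind": finding.kind, "reviewer": reviewer,
             "decision": decision, "justification": justification}
    AUDIT_LOG.append(entry)
    return entry
```

Running `reconcile(ENTITLEMENT_EXPORT, HR_ROSTER, ROLE_BASELINE, REVIEW_DATE)` on the sample data yields four findings (alice’s expired production grant routed to the SRE lead, bob’s leftover GitHub write access routed to his manager, carol’s post-termination access, and the unrecorded vendor account routed to security) and nothing for the six grants that match a role, which is the point of reviewing against a baseline rather than reading every row. A real run would replace the inline dictionaries with the HR system export and each application’s user list, pulled at the start of the cycle, and would feed the revocation decisions back to the application owners.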

Mistakes to avoid when performing user access reviews

User access reviews are critical for organizations, as they enable them to maintain security and compliance. However, there are some common mistakes that companies should avoid when they’re conducting user access reviews. These include:

Conducting access reviews with outdated or incorrect data: Pull the account and entitlement data directly from each application at the start of the review, not from a spreadsheet or export left over from the last cycle. Reviewers certifying a stale list will miss access granted since the export and may sign off on accounts that have already changed or should no longer exist.

Failing to properly document user access reviews: Some organizations don’t document who performed the review, what they reviewed, when they performed the review, or what the results were. This information is necessary as evidence that the reviewers conducted user access reviews of all users.

Not using automation: Manual access reviews take a lot of time to complete, require a tremendous amount of effort, and increase compliance risk. Organizations that don’t implement automation must rely on processes and tools that don’t scale well and weren’t built specifically for conducting user access reviews. Automating the user access review process helps companies save time and effort, meet compliance requirements, improve security, and operate more efficiently.

Summarizing User Access Reviews

User access reviews are a critical component of the access management process. They help companies decrease their cybersecurity risks by enabling them to revoke unnecessary user access to sensitive corporate data and limiting users’ privileges to just what they need to do their jobs. By automating the user access review process, organizations can conduct their user access reviews more easily, more quickly, and more efficiently.