Identity & Access Management: User Security & Reviews

Conducting User Access Reviews

An instructional guide for SMBs

Introduction

Access control is the bedrock of organizational security. Controlling who can access systems and data is vital to upholding information security standards, meeting audit requirements, and maintaining trust. Scheduled reviews of user access ensure that the right individuals have the right access to do their work. Regular reviews also help detect unauthorized access, which can lead to data breaches and compliance issues.

Why conduct user access reviews?

Below are some of the most important reasons:

  1. Security: Ensures that only authorized individuals have access to systems based on the principle of least privilege, especially after role changes or terminations.
  2. Compliance: Meets regulatory and audit requirements by proving due diligence in access control.
  3. Operational Integrity: Ensures employees have access to only the systems they need to prevent errors and misuse.
  4. Efficiency and Cost Savings: Identifies and removes inactive accounts, reducing unnecessary license costs and potential security vulnerabilities.

User Access Review Process

Here’s how to conduct a user access review:

  1. Gather User Lists: Compile system-generated lists from all in-scope infrastructure systems, capturing all user accounts, including administrative accounts.
  2. HR Verification: Obtain an updated list of active employees from your HR system, the source of truth for job roles. Include records of employees with job role changes or those who have been terminated.
  3. Cross-Reference: Check the system user lists against the HR records to:
    • Verify that terminated employees no longer have system access.
    • Confirm that job role changes are reflected in access rights, with necessary adjustments made.
    • Ensure administrative access is still required and properly authorized.
  4. Document Deviations: Log any deviations from expected access levels or any exceptions to standard policies.
  5. Corrective Actions: Take necessary actions, such as revoking access for inactive or unauthorized accounts, ideally within 90 days of inactivity.
  6. Risk-Based Frequency: Determine the frequency of user access reviews based on the risk level. For example, using an Identity and Access Management (IAM) solution with Single Sign-On (SSO) can minimize risk, potentially extending review periods.

Completing the User Access Review Worksheet

Utilize Trustero's user access review worksheet template to streamline your user access review. Download template here.

  1. Populate the Worksheet
    Enter user data, roles, and access levels into the provided template, using system-generated reports and HR records. (You can customize the Trustero worksheet to align with your specific systems and access rights framework.)
  2. Review Access Rights
    Compare access rights in the worksheet against the defined access matrix for each role.
  3. Update as Needed
    Make changes directly in the worksheet to reflect any access revocations or adjustments needed.
  4. Evidence of Review
    Maintain the completed worksheet as evidence of your review, ready for audit trails or compliance checks.

By following this guide and using the provided worksheet, you can conduct thorough user access reviews that satisfy both security and compliance requirements.
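The review process above (gather system user lists, obtain HR records, cross-reference them, log deviations, take corrective action) and the worksheet steps (populate, compare against the access matrix, record evidence) are mechanical enough to script. The following is an added example, not Trustero's worksheet or any code from this guide: it reconciles a constructed system export against constructed HR records and a role-to-entitlement matrix, logs each deviation with the action it calls for, and emits worksheet-style rows as CSV evidence. The data shapes, column names, the "admin" entitlement, the approved-admin list and the sample people are all assumptions made for the example.

```python
import csv
import sys
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Data shapes below are assumptions for this example, not a real worksheet schema.
@dataclass(frozen=True)
class SystemAccount:             # one row of a system-generated user export (step 1)
    system: str
    username: str
    email: str
    entitlements: FrozenSet[str]  # e.g. {"read", "write", "admin"}
    last_login: Optional[date]    # None = never logged in

@dataclass(frozen=True)
class HrRecord:                  # one row from HR, the source of truth for roles (step 2)
    email: str
    role: str
    status: str                  # "active" or "terminated"

@dataclass(frozen=True)
class Deviation:                 # one logged deviation plus its corrective action (steps 4-5)
    system: str
    username: str
    finding: str
    detail: str
    action: str

def review_access(accounts: List[SystemAccount], hr_records: List[HrRecord],
                  access_matrix: Dict[str, Set[str]], approved_admins: Set[str],
                  review_date: date, inactivity_days: int = 90) -> List[Deviation]:
    """Step 3: cross-reference every account against HR and the role access matrix."""
    hr_by_email = {r.email.lower(): r for r in hr_records}
    found: List[Deviation] = []

    def log(acct: SystemAccount, finding: str, detail: str, action: str) -> None:
        found.append(Deviation(acct.system, acct.username, finding, detail, action))

    for acct in accounts:
        hr = hr_by_email.get(acct.email.lower())
        if hr is None:                     # account with no HR owner is treated as unauthorized
            log(acct, "NO_HR_RECORD", "no matching HR record", "revoke as unauthorized")
            continue
        if hr.status == "terminated":      # terminated staff must have no access at all
            log(acct, "TERMINATED", f"HR status terminated; role was {hr.role}", "revoke immediately")
            continue
        # Role changes: held entitlements must not exceed the baseline for the current HR role.
        excess = acct.entitlements - access_matrix.get(hr.role, set())
        if excess:
            log(acct, "EXCESS_ENTITLEMENT", f"{sorted(excess)} beyond role {hr.role}", "reduce to role baseline")
        # Administrative access must still be required and explicitly authorized.
        if "admin" in acct.entitlements and acct.email.lower() not in approved_admins:
            log(acct, "ADMIN_UNAPPROVED", "admin not on approved list", "confirm authorization or revoke")
        # Inactive accounts (90 days by default) are disabled and their licences reclaimed.
        idle = None if acct.last_login is None else (review_date - acct.last_login).days
        if idle is None or idle > inactivity_days:
            log(acct, "INACTIVE", "never logged in" if idle is None else f"idle {idle} days", "disable account")
    return found

WORKSHEET_COLUMNS = ["system", "username", "email", "hr_role", "hr_status",
                     "entitlements", "last_login", "finding", "detail", "action"]

def worksheet_rows(accounts: List[SystemAccount], hr_records: List[HrRecord],
                   deviations: List[Deviation]) -> List[dict]:
    """Worksheet steps 1-3: one row per account, or one per finding when there are several."""
    hr_by_email = {r.email.lower(): r for r in hr_records}
    per_account: Dict[tuple, List[Deviation]] = {}
    for d in deviations:
        per_account.setdefault((d.system, d.username), []).append(d)
    rows = []
    for acct in accounts:
        hr = hr_by_email.get(acct.email.lower())
        base = {"system": acct.system, "username": acct.username, "email": acct.email,
                "hr_role": hr.role if hr else "", "hr_status": hr.status if hr else "not found",
                "entitlements": ";".join(sorted(acct.entitlements)),
                "last_login": acct.last_login.isoformat() if acct.last_login else "never"}
        findings = per_account.get((acct.system, acct.username), [])
        if not findings:
            rows.append({**base, "finding": "OK", "detail": "", "action": "none"})
        for d in findings:
            rows.append({**base, "finding": d.finding, "detail": d.detail, "action": d.action})
    return rows

# Constructed sample data for one in-scope system; people and roles are fictional.
REVIEW_DATE = date(2024, 6, 30)
ACCESS_MATRIX = {"engineer": {"read", "write"}, "support": {"read"}, "it-admin": {"read", "write", "admin"}}
APPROVED_ADMINS = {"carol@example.com"}
SAMPLE_HR = [
    HrRecord("alice@example.com", "engineer", "active"),
    HrRecord("bob@example.com", "support", "active"),
    HrRecord("carol@example.com", "it-admin", "active"),
    HrRecord("dave@example.com", "engineer", "terminated"),
    HrRecord("erin@example.com", "support", "active"),     # moved from engineer to support
    HrRecord("gus@example.com", "engineer", "active"),
]
def make_account(user: str, ents: Set[str], last: Optional[date]) -> SystemAccount:
    return SystemAccount("source-control", user, f"{user}@example.com", frozenset(ents), last)
SAMPLE_ACCOUNTS = [
    make_account("alice", {"read", "write"}, date(2024, 6, 28)),
    make_account("bob", {"read"}, date(2024, 1, 15)),                      # idle 167 days
    make_account("carol", {"read", "write", "admin"}, date(2024, 6, 29)),
    make_account("dave", {"read", "write"}, date(2024, 3, 1)),             # terminated, still present
    make_account("erin", {"read", "write"}, date(2024, 6, 25)),            # kept "write" after role change
    make_account("frank", {"read", "write", "admin"}, date(2024, 6, 20)),  # no HR record at all
    make_account("gus", {"read", "write", "admin"}, date(2024, 6, 1)),     # admin not on approved list
]

if __name__ == "__main__":
    devs = review_access(SAMPLE_ACCOUNTS, SAMPLE_HR, ACCESS_MATRIX, APPROVED_ADMINS, REVIEW_DATE)
    writer = csv.DictWriter(sys.stdout, fieldnames=WORKSHEET_COLUMNS)
    writer.writeheader()
    writer.writerows(worksheet_rows(SAMPLE_ACCOUNTS, SAMPLE_HR, devs))
```

Running the script prints the populated worksheet to standard output; redirecting it to a dated CSV file gives the evidence artifact the final step asks for. Matching on lower-cased e-mail is the join key because usernames often differ between systems and HR; a terminated or unknown account is logged once and skipped, since revocation supersedes the finer-grained checks. The inactivity threshold is a parameter so the same routine can apply a shorter window to higher-risk systems, in line with the risk-based frequency step.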

Conclusion

Regular user access reviews are not just a compliance exercise; they are a best practice that keeps your data and systems secure.