A user access review (UAR) is the process of reviewing and validating access rights, user roles and privileges to systems, databases and critical information with the objective of demonstrating security and compliance.
The process of a user access review for many organizations centers around:
Have you heard the tale of the intern who has more access rights than the company executive?
User access reviews should be an important part of every compliance program. Ignoring user access reviews creates a number of security and regulatory issues around separation of duties, malicious insider threat, credential theft, sensitive data exposure and potential system breaches.
User access reviews should be carried out by asset owners periodically and at regular intervals. To ensure a quality access review, it should be done quarterly or at least once a year to align with best practice and to meet certain compliance standards (ISO 27001, NIST, PCI DSS, SOX, etc.). However, depending on the organization, more or less frequent reviews may be required.
Traditionally, the process of conducting user access reviews has been manual, complicated and time-consuming work for information security and compliance teams. Even today, delivering accurate, easy-to-review user access information is incredibly difficult.
In every organization, there are people who’ve accumulated user access to too many systems. Role changes happen so frequently that team leaders and IT can’t keep up with the pace of change. The IT team has no way of pulling together a holistic view of access and wouldn’t know what systems are appropriate for a person’s role.
By automating user access reviews, you can dramatically increase the accuracy of user and entitlement data, as well as monitor privileged user access, reducing audit preparation time and improving compliance outcomes. IT and Compliance Teams can instantly assess access across their systems and quickly determine where further investigation or remediation is required.