What exactly is a user access review? In its simplest form, this review is a process that certifies that users’ (including vendors’) access within systems are appropriate and legitimate leveraging the principle of least privilege. The least privilege concept dictates that users should only have the minimum required access to data to complete their duties.
User access reviews help mitigate the following threats.
- Excessive access – Too much access poses both compliance and cyber risk.
- Segregation of duties – This reduces the risk of errors and inappropriate actions.
- Insider Threats – Limiting access reduces the risk or capability of insiders to complete fraudulent transactions.
- Limit the impact of future security incidents – Oftentimes, malicious activity propagates based on the permission or user access of a compromised account. Limiting access can help reduce the impact and scope of such events
Using a risk-based approach, user roles and access rights should be reviewed at a frequency commensurate with the sensitive nature of data contained within the system. At a minimum, these reviews should be performed annually for systems that store or have access to confidential information. Less frequent reviews are appropriate for lower-risk systems.
Who should perform the reviews? The Application Owners are in the best position to perform user access reviews as they should be the most knowledgeable about the product. The IT team may be brought in from a technical perspective, but much of the function remains with the Application Owners.
Every organization has employees that have been with the company since the beginning, and they know just about everything. They are likely some of your most valuable assets and understand many of the internal processes. If user access reviews haven’t been completed in a while, it’s likely that they have obtained an inordinate amount of access over their tenure giving them “admin level” access.
User access reviews can be performed manually with basic office productivity applications or with specialized software based on the size and complexity of your environment. Bedel Security has experience assisting with the development and maintenance of effective user access review programs and we’d be happy to review your program. Drop us a line at support@bedelsecurity.com to learn more.