What is a user access review?

Post by Glenn Folkes, Regional Sales Director

User access reviews go by many names. Some organisations call them access recertifications or account attestations, others entitlement reviews, periodic access reviews or access certifications.

Regardless of the name, they are important because many Regulatory Standards contain mandatory requirements for user access reviews.

It is no surprise that each Standard requires the review for a different purpose. For instance, Sarbanes-Oxley assesses the integrity of financial statements, whereas APRA CPS 234 assesses the adequacy of information security controls.

Regardless of the Standard, a user access review is the process of reviewing and validating user access rights to systems and information. For many organisations the process centres around:

  1. Planning the audit and selecting the systems to be reviewed
  2. Determining the system owners and system admins
  3. Collecting system user access reports and correlating that to identities
  4. Generating and tracking the user access reviews
  5. Reviewing user access, and generating modifications and revocations
  6. Capturing audit information, and signing off.

Certainly among the biggest challenges of the process is the collection and correlation of entitlement data. In most instances IT auditors and reviewers are working with dense technical security data across multiple sources, and trying to tie that back to a single user identity.

Legacy or in-house applications might never have been designed for external administration, let alone compliance reporting. Often user identifiers are completely at odds with the current corporate standard, requiring complex correlation and a good amount of corporate knowledge. It is no surprise that much of this effort is manual.
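To make the correlation step (step 3 above) and the challenge of mismatched identifiers concrete, here is an added Python example; it is not RightCrowd code and not part of the original post. It assumes an HR identity source that records, per person, the login convention each system uses (the attribute names `sam`, `email` and `legacy_id` are assumptions), and it correlates three constructed access reports, each in a different identifier convention, back to a single identity. The output is a review worklist in which access held by a terminated identity is pre-marked for revocation and accounts that map to no identity at all are flagged for the system owner to investigate (steps 4 and 5).

```python
"""Correlate per-system access reports to a single identity and build a
user access review worklist. Added example, not RightCrowd code. All
identities, systems and entitlements below are constructed sample data."""
import re
from collections import defaultdict

# Constructed HR identity source: one record per person, with the identifier
# each system is known to use (the attribute names are assumptions).
IDENTITIES = [
    {"id": "E1001", "name": "Jane Smith", "email": "jane.smith@example.com",
     "sam": "jsmith", "legacy_id": "SMITHJ", "status": "active"},
    {"id": "E1002", "name": "Ravi Patel", "email": "ravi.patel@example.com",
     "sam": "rpatel", "legacy_id": "PATELR", "status": "active"},
    {"id": "E1003", "name": "Lee Wong", "email": "lee.wong@example.com",
     "sam": "lwong", "legacy_id": "WONGL", "status": "terminated"},
]

# Constructed per-system access reports, each in its own identifier convention.
REPORTS = {
    "ActiveDirectory": [  # samAccountName + group membership
        ("jsmith", "Domain Users"), ("jsmith", "Finance-GL-Write"),
        ("rpatel", "Domain Users"), ("lwong", "Domain Admins"),
    ],
    "FinanceApp": [  # e-mail address as login + application role
        ("jane.smith@example.com", "GL_POSTING"),
        ("ravi.patel@example.com", "GL_READONLY"),
        ("svc_finance@example.com", "GL_ADMIN"),
    ],
    "LegacyMainframe": [  # upper-case surname+initial, optional numeric suffix
        ("SMITHJ", "PAYROLL.UPDATE"), ("WONGL", "PAYROLL.READ"),
        ("PATELR2", "PAYROLL.READ"), ("TEMP007", "PAYROLL.UPDATE"),
    ],
}

def build_index(identities):
    """Map every known (system, identifier) pair to the HR id."""
    index = {}
    for person in identities:
        index[("ActiveDirectory", person["sam"].lower())] = person["id"]
        index[("FinanceApp", person["email"].lower())] = person["id"]
        index[("LegacyMainframe", person["legacy_id"].upper())] = person["id"]
    return index

def normalise(system, account):
    """Apply the per-system rule that turns a raw login into a lookup key."""
    if system == "LegacyMainframe":
        # Strip the numeric suffix some legacy ids carry, e.g. PATELR2 -> PATELR.
        return re.sub(r"\d+$", "", account.upper())
    return account.lower()

def correlate(reports, identities):
    """Return (entitlements keyed by HR id, accounts that matched no identity)."""
    index = build_index(identities)
    by_identity = defaultdict(list)
    orphans = []
    for system, rows in reports.items():
        for account, entitlement in rows:
            hr_id = index.get((system, normalise(system, account)))
            if hr_id is None:
                orphans.append((system, account, entitlement))
            else:
                by_identity[hr_id].append((system, entitlement))
    return dict(by_identity), orphans

def build_review(reports, identities):
    """Produce review items, each with a recommended action for the reviewer."""
    status = {p["id"]: p["status"] for p in identities}
    by_identity, orphans = correlate(reports, identities)
    items = []
    for hr_id, ents in sorted(by_identity.items()):
        for system, entitlement in ents:
            # Access still held by a terminated identity is a revocation
            # candidate before any reviewer judgement is needed.
            action = "revoke" if status[hr_id] == "terminated" else "review"
            items.append({"identity": hr_id, "system": system,
                          "entitlement": entitlement, "action": action})
    for system, account, entitlement in orphans:
        # No identity can attest for this account: the system owner resolves it.
        items.append({"identity": None, "system": system, "account": account,
                      "entitlement": entitlement, "action": "investigate"})
    return items

if __name__ == "__main__":
    for item in build_review(REPORTS, IDENTITIES):
        print(item)
```

The per-system `normalise` rule is where the "corporate knowledge" the post mentions ends up: every legacy naming quirk becomes an explicit, reviewable line of code rather than something an auditor carries in their head, and anything the rules cannot place lands in the orphan list instead of being silently attributed to the wrong person.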

In a large organisation with a complex IT environment there could be many systems that fit this profile. This clearly has a compounding effect on the resources and time required to support compliance, and a direct cost to the organisation.

Wouldn’t it be nice if there was another way to tackle this? We should talk about RightCrowd IQ.