How to conduct access reviews without overworking the detail
Access reviews are an essential part of maintaining the security of your systems, especially those holding sensitive data. The purpose ensures everyone who has access to these critical systems actually needs it. Whether due to incorrect provisioning, changes in business roles, or the failure to remove access after an employee leaves, unauthorized access can lead to significant risks.
What are access reviews?
Access reviews are a systematic process where you check who has access to your critical systems and whether they still need it. The focus is on ensuring access aligns with current job roles and responsibilities. If someone has access they shouldn’t, or no longer need, it’s crucial to adjust this promptly to prevent potential security breaches.
Why access reviews matter:
Access reviews address are important to address:
- Provisioning errors: sometimes, access is granted incorrectly e.g. maybe someone has more access than they need.
- Role changes: as employees move into new roles, the access they needed before might no longer be necessary, or they need greater access.
- Terminations: if access isn’t revoked when someone leaves the company, they might still have entry to sensitive systems.
- Identify critical systems: not all systems are created equal. Focus on the ones that hold the most sensitive or valuable data. Trying to review too many systems can dilute your efforts and increase the chances of missing something crucial.
- Define review frequency: some systems might need to be reviewed quarterly, while others could be on a less frequent schedule. The goal is to minimize the risk of unauthorized access while not overloading your team with unnecessary reviews.
- Assign responsibility: clearly define who is responsible for each review. It’s important to track who reviewed the system and what actions, if any, were taken.
- Document everything: auditors will want to see which systems were reviewed, by whom, and whether any changes were made. This documentation is key to demonstrating your access reviews are effective and well-managed.
Implementing 'just enough'
To meet the minimum expectations of access reviews:
- Complete a review process at least quarterly.
- Review user access to your cloud infrastructure, code repository, identity provider, administrator access to any in-house developed software, and any other critical systems holding client data.
- Document who completed the review of each system, the date it was reviewed, and whether any actions were completed to fix access issues.
Better practices
- To uplift your compliance controls you may consider:
- Implement an identity solution or compliance platform that centralizes the monitoring and management of system access to simplify and scale your access reviews.
- Map out a complete list of your systems with details on whether they hold sensitive personal data, customer data, or other confidential data, and assign a risk rating per system.
- Based on the risk rating, devise a periodic review frequency to align; for example monthly for high risk systems or access (eg. admin roles), quarterly for moderate risk, and annual for lower risk.
- Assign ownership per system to conduct the reviews, and take actions where the access reviews identify issues to rectify process failures or otherwise enhance the access control.
In a nutshell
Access reviews are a vital part of your security posture, but they don’t need to be overwhelming. By identifying critical systems, setting a reasonable review frequency, assigning clear responsibilities, and maintaining good documentation, you can keep your access reviews efficient and focused. Remember, doing less—when done right—means doing enough. Keep it simple, keep it focused and keep your systems secure.
Example Access Review Evidence: