User Access Reviews

AL Refs: AMG07, ACL04, ACL13


The purpose of the user access review (UAR) is to identify and correct:
  1. Any access incorrectly provisioned;
  2. Any access privileges no longer required;
  3. Any opportunity to restrict access further, towards the minimum required.
Where (1) or (2) is identified, investigate to determine the root cause and whether it represents a control failure to be logged in the .

Review Steps 

Log in to each system in scope, open its access control list (ACL) and check whether:
  1. Only active employees whose job responsibilities require access to the system are included on the ACL;
  2. The privileges granted on the ACL are the least required for each user to perform their role, or provide appropriate redundancy for administrator roles;
  3. There is an opportunity to further restrict access without compromising business requirements.
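The three review steps can be run as a mechanical first pass before the reviewer inspects the exceptions by hand. The script below is an added example and not part of this procedure: it reconciles an ACL export against the HR roster and a role-to-entitlement matrix and tags each exception with the purpose category (1, 2 or 3) it falls under. The roster, matrix, ACL contents, privilege ordering (read < write < admin) and the admin redundancy target of two are all constructed assumptions for illustration; a real run loads the HR export and the ACL dump of each in-scope system.

```python
"""
Added example (not part of the original procedure): automated first pass of the
UAR review steps, reconciling a system's ACL export against the HR roster and a
role-to-entitlement matrix. All names, formats and data below are constructed.
"""
from dataclasses import dataclass

# Constructed HR roster: username -> (employment status, job role).
HR_ROSTER = {
    "alice": ("active", "finance_analyst"),
    "bob":   ("active", "sysadmin"),
    "carol": ("terminated", "finance_analyst"),
    "dave":  ("active", "marketing"),
    "erin":  ("active", "sysadmin"),
    "grace": ("active", "sysadmin"),
}

# Constructed role matrix: highest privilege a role legitimately needs on this
# system. A role absent from the matrix has no business need for access.
ROLE_MATRIX = {
    "finance_analyst": "read",
    "sysadmin": "admin",
}
PRIV_RANK = {"read": 0, "write": 1, "admin": 2}   # assumed privilege ordering

# Constructed ACL export from the in-scope system: username -> granted privilege.
ACL_EXPORT = {
    "alice": "write",    # finance_analyst only needs read
    "bob":   "admin",
    "carol": "read",     # terminated employee still on the ACL
    "dave":  "read",     # marketing has no entitlement on this system
    "erin":  "admin",
    "frank": "admin",    # account unknown to HR
    "grace": "admin",
}


@dataclass(frozen=True)
class Finding:
    user: str
    category: int   # 1 incorrectly provisioned, 2 no longer required, 3 further restriction
    detail: str


def review_acl(acl, roster, matrix, admin_redundancy=2):
    """Apply review steps 1-3 to one system's ACL and return the findings."""
    findings = []
    entitled_admins = []
    for user, priv in sorted(acl.items()):
        if priv not in PRIV_RANK:
            findings.append(Finding(user, 1, f"unrecognised privilege {priv!r}"))
            continue
        if user not in roster:
            # Step 1: account HR never authorised -> incorrectly provisioned
            findings.append(Finding(user, 1, "account not in HR roster"))
            continue
        status, role = roster[user]
        if status != "active":
            # Step 1: leaver still on the ACL -> access no longer required
            findings.append(Finding(user, 2, f"employee status is {status}"))
            continue
        allowed = matrix.get(role)
        if allowed is None:
            # Step 1: active employee whose role needs no access. Treated as
            # incorrectly provisioned; root-cause investigation decides whether a
            # role change makes it "no longer required" instead.
            findings.append(Finding(user, 1, f"role {role} has no entitlement on this system"))
        elif PRIV_RANK[priv] > PRIV_RANK[allowed]:
            # Step 2: privilege exceeds least privilege for the role
            findings.append(Finding(user, 1, f"holds {priv}, role {role} allows at most {allowed}"))
        elif priv == "admin":
            entitled_admins.append(user)
    # Step 3: admins beyond the agreed redundancy target are a restriction opportunity
    if len(entitled_admins) > admin_redundancy:
        extra = len(entitled_admins) - admin_redundancy
        findings.append(Finding("*", 3,
            f"{len(entitled_admins)} entitled admins against a redundancy target of "
            f"{admin_redundancy}; review whether {extra} can be reduced"))
    return findings


def control_failure_candidates(findings):
    """Categories 1 and 2 need root-cause investigation per the purpose section."""
    return [f for f in findings if f.category in (1, 2)]


if __name__ == "__main__":
    for f in review_acl(ACL_EXPORT, HR_ROSTER, ROLE_MATRIX):
        print(f"[{f.category}] {f.user}: {f.detail}")
```

On the constructed data this raises four category 1/2 exceptions (alice, carol, dave, frank) plus one category 3 note that three entitled admins exceed the redundancy target. The output is only the starting point: each exception still needs the reviewer to confirm it against the system owner and to record the root cause for anything that turns out to be a control failure.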

Example UAR Evidence

