AL Refs: AMG07, ACL04, ACL13
Purpose
The purpose of the user access review (UAR) is to identify and correct:
1. Any access incorrectly provisioned;
2. Any access privileges no longer required;
3. Any opportunity to further restrict access to the minimum required.
Where (1) and (2) are identified, investigation should be performed to determine the root cause and whether this represents a control failure to be logged in the .
Review Steps
Log in to the access control list (ACL) of each system in scope and check whether:
- Only active employees with job responsibilities that require access to the system are included on the ACL;
- The ACL privileges are appropriate, based on the least privilege each user requires to conduct their role, or on providing appropriate redundancy for administrator roles;
- There is an opportunity to further restrict access without compromising on business requirements.
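The three checks above can be run mechanically against an exported ACL before the manual review. The following is an added example, not part of this procedure or any referenced standard; the HR roster, the role-to-privilege matrix, the privilege names and the two-administrator redundancy threshold are all constructed assumptions.

```python
# Added example, not part of the original procedure: cross-check one system's
# ACL export against the HR roster and a role-to-privilege matrix, producing
# findings in the three UAR categories. All data, roles and names are constructed.

# Constructed HR roster: login -> (employment status, job role)
HR_ROSTER = {
    "alice": ("active", "dba"),
    "bob": ("active", "analyst"),
    "carol": ("terminated", "analyst"),
    "dave": ("active", "analyst"),
}
# Assumed least-privilege matrix: privileges each role needs on this system
ROLE_PRIVILEGES = {"dba": {"read", "write", "admin"}, "analyst": {"read", "export"}}
# Constructed ACL export: login -> privileges currently granted
ACL = {
    "alice": {"read", "write", "admin"},
    "bob": {"read", "write"},  # "write" exceeds the analyst entitlement
    "carol": {"read"},         # leaver still present on the ACL
    "eve": {"read"},           # no HR record at all
    "dave": {"read"},
}
MIN_ADMINS = 2  # assumed redundancy requirement for administrator roles


def review_acl(acl, roster, matrix, min_admins=MIN_ADMINS):
    """Return findings keyed (1) incorrect, (2) not_required, (3) restrict,
    plus whether enough active administrators remain for redundancy."""
    findings = {"incorrect": [], "not_required": [], "restrict": []}
    held_by_role = {role: set() for role in matrix}
    for login, privs in sorted(acl.items()):
        if login not in roster:
            findings["incorrect"].append((login, "no HR record"))  # (1)
            continue
        status, role = roster[login]
        if status != "active":
            findings["not_required"].append((login, status))  # (2) leaver
            continue
        excess = privs - matrix.get(role, set())
        if excess:  # (1) holds more than the role's least-privilege entitlement
            findings["incorrect"].append((login, sorted(excess)))
        held_by_role.setdefault(role, set()).update(privs)
    for role, entitled in matrix.items():
        # (3) entitlements no active member holds: candidates to drop from the
        # role after confirming with the business that they are not needed
        for priv in sorted(entitled - held_by_role[role]):
            findings["restrict"].append((role, priv))
    admins = [l for l, p in acl.items()
              if "admin" in p and roster.get(l, ("",))[0] == "active"]
    findings["admin_redundancy_ok"] = len(admins) >= min_admins
    return findings
```

Each finding in categories (1) and (2) should then be investigated for root cause, as the Purpose section requires; category (3) items are only candidates for discussion with the business owner.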
Example UAR Evidence