19-12-2022, Every company has workers that have been there from the beginning and worked in every department. Knowledge of the company’s processes makes them valuable employees, but they can also access and put at risk lots of sensitive data. Regular user access reviews can help you mipngtigate this risk and safeguard your critical assets.
Regularly reviewing user access is an essential part of access management. In this article, we discuss the nature and importance of user access audits and briefly overview IT standards and laws that require you to perform such audits. Arm yourself with a user access review checklist and best practices to make the audit process as efficient as possible.
What is a user access review and why is it essential?
A user access review (or user access audit) is part of the user account management and access control process, which involves periodically reviewing access rights for all of an organization’s employees and third parties.
A user access review involves the re-evaluation of:
The ultimate goal of a user access review is to reduce the risk of a security breach by limiting access to critical data and resources. That’s why for some security officers, it may seem tempting to skip the review if they have practices such as the principle of least privilege, zero trust architecture, and granular access management in place.
However, lack of access audits leads to incidents similar to the Cash App Investing breach carried out by an ex-employee. The perpetrator accessed and downloaded internal Cash App reports with information on over 8 million current and former application users.
Conducting a user access review can help you mitigate the following issues:
A user access review also mitigates threats such as the following:
Privilege creep, which occurs when employees obtain access to more sensitive data than required while working at an organization. New privileges appear as employees gain new responsibilities and access rights without revoking the old ones.
Privilege misuse, when an insider uses granted privileges in a way that is different from or opposite to the intended use. Such actions may be unintentional, deliberate, or caused by ignorance. But no matter their cause, they often lead to cybersecurity threats.
Privilege abuse, when a fraudulent activity involves an account with elevated privileges. Malicious actors may abuse privileges they were granted to access, exfiltrate, compromise, or damage an organization’s confidential assets. Malicious insiders can abuse their privilege. As well, outside attackers can compromise privileged accounts and use their privileges for malicious purposes.
During an access review, a security officer synchronizes users’ access rights with users’ current roles and limits employees’ privileges to keep the risks of privilege creep, misuse, and abuse at a minimum.
Apart from mitigating cybersecurity threats, conducting a user access review is essential for complying with many IT requirements.
What standards, laws, and regulations require a user access review?
Reviewing user access rights is required by many internаtional IT security regimes, including:
Let’s take a closer look at these requirements.
The National Institute of Standards and Technology (NIST) is a non-regulatory US government agency that provides cybersecurity guidelines and standards followed worldwide. The AC-1 and AC-2 controls from NIST Special Publication 800-53 require organizations to conduct a periodic review of access rights and policies. Your organization may create its own schedule for user access reviews and use a software solution to conduct them.
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard for organizations processing data on credit cards and cardholders. Requirement 7 of PCI DSS describes obligatory access control measures that include granular access control, the principle of least privilege, and periodic revision of user roles and rights. Also, requirement 12 obliges organizations to review their access control policies at least once a year. As with NIST, the organization can self-assess the frequency and quality of reviews.
The Health Insurance Portability and Accountability Act (HIPAA) is a US law that describes data protection measures for companies working with healthcare data. HIPAA §164.308, Administrative Safeguards, requires a periodic review of access policies and implementation of procedures to establish, document, review, and modify user access rights. Fulfillment of this requirement and absence of violations is checked during audits by the US Department of Health and Human Services.
The General Data Protection Regulation (GDPR) unites data privacy laws across the European Union (EU) and applies to organizations collecting and processing the personal data of EU residents. Article 32 of the GDPR requires organizations to audit the data they process and people with access to it (including employees and third-party vendors). Non-compliance with this GDPR requirement may result in extensive fines.
The Sarbanes–Oxley Act (SOX) is a US law containing requirements for public accounting organizations. Section 404 of this act demands entities to assess and report on internal controls for financial reporting and on the integrity of reports. Regarding digital records, SOX indicates the need to enforce access control procedures, including via user access reviews. SOX compliance is verified during a yearly audit by an independent auditor.
As you can see, conducting a user access review helps to strengthen data security, facilitate the management of access to critical data and systems, and reduce risks of reputational and financial losses.
Read on to get a user access review checklist that will help you conduct this process appropriately.
Steps to implement a user access review: A hands-on checklist
A well-planned and meticulous user access review process can reduce the risk of cybersecurity threats to your organization’s critical assets.
We’ve created a user access review template that you can use as a checklist during your audits:
Define the scope of the user access audit
Defining the scope for the user access review process is essential. With a defined scope and plan, you can conduct the audit in a more efficient, timely, and structured manner. Consider prioritizing accounts for a review of user access rights according to risk profiles to accelerate the process and make it more efficient.
Revoke permissions of ex-employees
During user access reviews, consider paying close attention to whether accounts of former employees are still active in your network. You may want to have a list of employees who have resigned since the previous user access review to ensure their access rights are terminated. However, revoking user access rights immediately after resignation is the safest option.
You can easily revoke former employees’ permissions with Ekran System — a full-cycle insider risk management platform that allows you to manage user accounts and access rights with a couple of clicks.
Remove shadow admin accounts
Shadow admin accounts are user accounts that aren’t typically included in privileged Active Directory (AD) groups but are granted administrative access permissions directly. If not adequately monitored, these accounts can be targeted by malicious attackers to escalate and exploit their privileges. Consider removing shadow admin accounts, or at least including them in monitored administrative groups.
Ensure employees don’t have access permissions from previous positions
As employees change positions within the organization, their access permissions can accumulate, causing privilege creep. During a user access review procedure, we recommend you ensure employees’ access permissions match current job responsibilities. Consider checking if employees that recently switched departments still have permissions from their previous job posts.
Make sure that employees and vendors have the fewest privileges possible
The fewer privileges a user has, the less time you’ll spend reviewing them. Consider implementing the principle of least privilege in your organization, which implies giving employees and vendors access only to those resources and assets that are strictly required to do their jobs. Not only does this help to prevent insider threats; it’s also required by the security requirements we discussed earlier.
Ekran System’s privileged access management (PAM) functionality allows you to create new users with a minimum number of access rights or privileges by default and granularly adjust them, thus implementing the principle of least privilege.
Verify that permanent access is only given when necessary
Verify that all users with privileged access permissions require them on a permanent basis. For users that need access only once or twice, consider using one-time passwords (OTP) or implementing just-in-time PAM instead of assigning a user a new role or granting permanent access rights.
With PAM in Ekran System, you can implement the just-in-time approach by granting temporary access to critical assets only when users need it to complete their jobs and revoking access permissions when the task is finished. Additionally, Ekran System allows for manual or automated provisioning of OTPs.
Analyze the results of the review and draw conclusions
Ideally, each user access review procedure should lead to improvements in the way you manage user access in your organization. Hence, we suggest that you note and take into account all issues identified during the review. Afterward, consider creating a summary with analysis of those issues and steps needed for their mitigation.
This checklist should include essential steps to be taken during a user entitlement review. In the next section, take a look at proven best practices to make the user access review process in your organization even more thorough.
Best practices for enhancing user access audits in your organization
A user access review can be swift, effective, and painless if you keep your access control policies up to date and implement globally and industry-recognized security procedures. We’ve gathered six best practices for advancing your organization’s user access reviews.
1. Regularly update your access management policy
Creating a policy is a one-time activity, but updating it as your organization grows is equally important. It helps to ensure that users within your organization have the right level of access to the right data assets. Make sure you document any changes in protected data, user roles, and access control procedures.
If your organization still doesn’t have an access management policy, consider creating one and making sure it contains:
- a list of data and resources you need to protect
- a list of all user roles, levels, and types of access
- controls, tools, and approaches to secure access
- administrative measures and software used to implement the policy
- procedures for granting, reviewing, and revoking access
To create your policy quickly, you can search for and adapt available access management policy templates relevant to your region and industry.
2. Review the user access audit procedure
Along with an access management policy, you should keep your procedure for accessing user rights in your organization up to date. Consider regularly reviewing the way you implement user access reviews.
A written user access review procedure is part of an access management policy. If you don’t have a formalized procedure yet, make sure to create one that:
- establishes a schedule for reviews
- identifies security officers responsible for user access reviews
- sets a period for notifying employees about upcoming reviews
- defines contents of the report and a period for reporting review results
Formalizing these aspects helps you continuously review access permissions and maintain standards.
3. Implement role-based access control
A role-based access control (RBAC) approach is about creating user roles for similar positions instead of configuring each user’s account individually. Each role is then assigned a list of access rights. RBAC speeds up the user access review process. With this approach in place, you can review roles instead of separate profiles.
In Ekran System, role-based access is easy to set up and manage, as the platform’s PAM capabilities allow for adding users with similar privileges to groups and managing those groups in a few clicks.
4. Involve regular employees and management
Employees usually see cybersecurity measures as interfering with their daily work. Involving employees in the user access review can speed up the process and show them why it’s important.
For example, you can send out lists of access rights to users and their managers and ask them to point out what resources they no longer need to access. Since managers know the responsibilities of their subordinates better than anyone else, their involvement can significantly accelerate your user access review process.
5. Document each step of the process
Documenting the user access review implementation process is crucial. Consider keeping detailed records of challenges and results of each step of the review in an access review workbook or any other documentation asset.
Such formalization gives a better understanding of the user access review procedure to all members involved. Besides, it can help you demonstrate compliance with laws and regulations as well as find bottlenecks and flaws in the review procedure.
6. Educate your personnel on the importance of access reviews
If employees don’t understand why it’s important to implement certain practices or use specific tools, there’s a high chance they’ll sabotage them.
That’s why you need to communicate the principles and importance of user access management to your employees during regular cybersecurity awareness training. It’s essential to teach employees involved in a user access review to conduct it appropriately and in accordance with established policy. Furthermore, you should help your employees learn about various cybersecurity threats, including ones related to access rights and privileged accounts.