Learn how to conduct user access reviews in three steps thanks to the Tugboat Labs team (source: Tugboat Logic blog)

How to Conduct User Access Review

Control of the Week #4: User Access

This week’s control is on user access review. Jose Costa (CISO at Tugboat Logic) and Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic) explain why user access review is important and how you can implement it for your audits.

Why this control is important

AC3.7 – User Account Reviews – Management performs a quarterly user access review for in-scope system components to ensure that access is restricted appropriately. Access is modified or removed in a timely manner based on the results of the review.

Much like the “Control of the Week” on access control we covered earlier, this control is another gatekeeper for your data. Through careful documentation and clear ownership of the systems that grant or deny access, the User Account Reviews control is a preventative control designed to stop potential risks to your data. It is also a control that many organizations fail in an audit, because it is easy to overlook.

As your organization grows, more users will have access to your data, making it harder to track who should and should not have access. Ideally, these users would be managed through an onboarding/offboarding process, but organizations sometimes overlook documenting that process.

How to implement this control for your audits

Follow these three steps to set up a process to check who has access and whether or not they should have access:

  • Step 1: Have your “Security Czar” (or someone on the security or engineering team) pull a list of all users, their roles, system accounts, administrators, and other relevant information for each in-scope system. Then send it to the application owner and request it back to verify that the accounts are correct.
  • Step 2: Send the list to all of the application owners (i.e. the admins) to verify that the accounts are correct. Have the application owners send their verification back.
  • Step 3: Set a reminder to conduct user access reviews every quarter (or every month, if you want to be more stringent in your security). Note that whoever performs the review must remind application owners to clear the review.
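The three steps above, worked through as an added example (not code from the original post or from Tugboat Logic): a constructed account export is grouped per application owner, every account the owner must decide on is flagged (leavers not on the HR roster, administrators, and the system accounts the last section tells you never to skip), unresolved decisions block clearing the review, and a helper tells the reviewer when the quarterly reminder is due. The application names, owners and roster are sample values.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed export from one in-scope system (the Step 1 list of users, roles,
# system accounts and administrators); sample data, not from any real system.
ACCOUNT_EXPORT = """\
app,username,role,account_type,owner
payroll,alice,admin,user,finance-lead
payroll,bob,viewer,user,finance-lead
payroll,svc-backup,admin,service,finance-lead
crm,carol,editor,user,sales-lead
crm,dave,admin,user,sales-lead
"""
# Constructed HR roster of current staff; a human account not on it is flagged.
ACTIVE_STAFF = {"alice", "bob", "carol"}
REVIEW_PERIOD_DAYS = 90  # quarterly cadence from Step 3

def build_review_items(export_csv=ACCOUNT_EXPORT, active_staff=ACTIVE_STAFF):
    """Group accounts per application owner and tag what each owner must confirm."""
    items = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        flags = []
        if row["account_type"] == "service":
            flags.append("SYSTEM ACCOUNT: confirm still needed and owned")
        elif row["username"] not in active_staff:
            flags.append("NOT ON HR ROSTER: remove unless justified")
        if row["role"] == "admin":
            flags.append("ADMIN: confirm elevated privilege is required")
        items[row["owner"]].append((row["app"], row["username"], flags))
    return dict(items)

def accounts_needing_decision(items):
    """Flagged accounts that must come back from the owner with a keep/remove decision."""
    return [(app, user) for rows in items.values() for app, user, flags in rows if flags]

def outstanding(items, decisions):
    """Flagged accounts still without a decision; the review cannot be cleared until empty."""
    return [a for a in accounts_needing_decision(items) if a not in decisions]

def review_overdue(last_review_iso, today_iso, period_days=REVIEW_PERIOD_DAYS):
    """True when the Step 3 reminder should fire: days since the last review exceed the period."""
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_review_iso)
    return elapsed.days > period_days

if __name__ == "__main__":
    decisions = {("payroll", "alice"): "keep", ("crm", "dave"): "remove"}  # constructed
    print("waiting on owners for:", outstanding(build_review_items(), decisions))
    print("review overdue:", review_overdue("2024-01-01", "2024-04-15"))
```

Accounts without flags still appear in each owner's list so the owner sees everything they are attesting to; only flagged ones require an explicit decision before the review is cleared.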

Other things to keep in mind for this control

  • Once you get this process in place, you have to make sure that all requests for access are documented, especially requests made in “last-minute” situations.
  • If someone other than your “Security Czar” conducts the user access review process, make sure that they adhere to every step.
  • Last, but certainly not least: always review your system accounts!

As always, give us a shout if you have any questions about the controls and how to implement them.
