The hidden cyber risk you're probably ignoring: User access reviews

Business Journals

2 days ago

Poorly managed user access reviews don't just jeopardize audit outcomes; they create pathways for data breaches, fraud, operational inefficiencies, regulatory fines and reputational damage. Despite these risks, many organizations struggle with timely, thorough and precise execution, or worse, they skip these reviews altogether.
Far from trivial, this 'routine' process plays a pivotal role in broader cybersecurity and risk management strategies. Access reviews serve as a frontline defense, ensuring that only authorized individuals have appropriate access to systems and data, and help prevent privilege escalation, insider threats and vulnerabilities that could compromise an organization's security posture.
User access reviews are essential for maintaining compliance with a wide range of frameworks, including SOX, PCI DSS, ISO 27001, SOC 2, HITRUST, NIST 800-53 & 171, HIPAA, GDPR and others.
A well-executed access review helps reduce the risk of:
Individuals having unauthorized or inappropriate access based on their role.
Excessive access that creates segregation of duties conflicts.
This guide provides an eight-step process for establishing and conducting a quality access review that will satisfy multiple compliance frameworks.
Step 1: Identify relevant compliance frameworks and standards that require an access review
Before identifying compliance requirements, organizations should begin with a clear strategy for their access review process. This includes understanding the overarching goals, such as reducing security risk, maintaining regulatory compliance, enhancing operational efficiency or supporting audit readiness.
With this strategic direction in mind, organizations can then determine which regulations and standards they must adhere to. This will help establish the frequency, scope, control ownership and documentation requirements of the review. In the absence of a specified frequency, a risk-based approach should be used to determine how often reviews should occur. The following factors should be considered:
Minimum required frequency to meet compliance requirements
Complexity of the access within the system
Volume of accounts and frequency of access changes
Significance of the data stored within the system
History of errors
Effectiveness of preventive provisioning and termination controls
Inherent risks of processes being supported by the systems
Step 2: Identify the information systems in scope
Determine which systems (i.e., applications, tools, database management systems, operating systems/servers and network domains) require an access review. This could include enterprise and/or financial applications, PaaS (Platform as a Service), database management systems, operating systems/servers, identity and access management (IAM) systems, source code migration and development tools, facilities and infrastructure components.
Ultimately, the scope should be driven by the relevance and significance of the underlying data and/or system function governed by the system.
Step 3: Assign ownership
Clearly define who is responsible for:
1. Generating the information used in the reviews, and
2. Coordinating and/or executing the review and remediating any exceptions identified.
Tip: Consider leveraging an off-the shelf tool to assist with automating and tracking reviews.
Step 4: Generate the access listings
Generate a complete and accurate listing of accounts from each system. Consider automating these reports for efficiency. The access listings should be granular enough so that the reviewer can see what role and/or permissions are assigned to each account. Provide enough details in the review documents so reviewers can make informed decisions. Some examples are below:
expand
Frazier & Deeter
Tip: Retain documentation for how all access listings were generated (i.e. menus, reports, parameters, queries, time/date stamps, etc.). Explain any exclusions such as inactive accounts or accounts with read-only access. If the report is automated, include evidence that the underlying queries have not been modified.
Step 5: Train the reviewers
Provide clear expectations, guidelines, timelines and definitions for reviewers to reference. Ensure roles and responsibilities are clearly defined.
Tip: Consider implementing a joiner-mover-leaver process in your IAM tools to automatically grant, revoke or modify access when employees join, leave or get promoted. This helps mitigate the risk of individuals being inadvertently granted the wrong level of access or access not being removed upon termination.
Step 6: Execute the review and retain sufficient evidence
Reviewers: Document proof of review, including justifications for approved and revoked access.
Control Owner: Retain audit logs, screenshots, spreadsheets or other reports as needed.
Tip: Store evidence in a central location that makes it easy to distinguish what is being reviewed. Consider using a template to consistently document each review.
Step 7: Revoke unnecessary access and validate remediation
Immediately remove or disable access that has been identified as needing to be revoked. Document the reason for revocation and verify timely deactivation of revoked accounts.
Tip: Run a follow-up report to confirm that all access identified as a revoke within the access review are appropriately disabled and/or removed from the system.
Step 8: Perform a lookback for anomalous activity
Before closing the review:
Review logs and audit trails for any inappropriate and/or unauthorized activity performed by revoked accounts.
Investigate and follow up on any unusual activity. Define the scope of activities that are relevant to the framework and/or standard. Pay close attention to administrative accounts who can perform all transactions (including modifying user access).
Tip: Accounts with admin privileges, segregation of duties conflicts or terminations are the revoked accounts with the highest risk of potential misuse.
Final thought: Making user access reviews a business-as-usual process
While each organization has unique circumstances, these steps may support you in conducting thorough, repeatable and audit-ready access reviews that will allow your organization to meet multiple compliance requirements and mitigate logical security risks in an efficient, consistent and cost-effective manner.
Need help making your access reviews more efficient and compliant? Frazier & Deeter can help you design a process that meets your compliance requirements while saving time and reducing risk. Contact our experts today to get started.
Frazier & Deeter (FD) is comprised of Frazier & Deeter, LLC, a US licensed CPA firm that provides attest services to its clients, and Frazier & Deeter Advisory, LLC, an alternative practice structure that provides tax and advisory services to clients worldwide. Learn more at www.FrazierDeeter.com.