User Access Review Checklist: 5 Must-Haves for IT Teams
Compliance policies need to keep up with cybercriminals. Regulatory demands on companies are growing, which in turn drives audits, and compliance audits make IT staff nervous: an audit is usually experienced as a fire drill for the IT team. A typical enterprise runs some combination of AWS, Office 365, Google Drive, Active Directory, and SharePoint. The more IT sprawl across cloud, custom, and enterprise applications, the greater the risk profile for any IT audit, because access control becomes harder to administer and manage. Internal and external auditors are looking for evidence of compliance with the controls that prevent security incidents.
One of the biggest issues auditors discover is application users being granted inappropriate access, and this has several causes. Most employees ask for more access than they need to do their job, which leads to excessive privileges. A typical product or service company is in a mad rush to innovate and deliver new products and services, and in the haste to meet project timelines managers often relax the access governance rules.
More often than not, these mistakes come from a manager's lack of understanding of the organization's policies and procedures rather than from willful omission. Cloning a new employee's access from an existing employee is another anti-pattern. Say Jenna, a new hire, has her access modeled after Jody, who has been with the company for ten years. Unless Jody's privileges have been correctly aligned to her current role, Jenna inherits excess privileges to systems, file shares, and so on. Poorly designed roles also cause access issues, with too much or too little access being granted.
Roles should be aligned with business processes rather than with specific users or jobs. Auditors have found situations where a contractor was assigned a role that should have been read-only, yet as part of the annual SOX audit the role was found to carry write capabilities as well. Below are a few leading practices, from the auditor's point of view, to help organizations implement better security, efficiency, and compliance.
📌 Formalize Process for User Access Reviews
Audit findings can lead to monetary loss and tarnish reputations. Organizations must have a formal process: collect entitlement data across all applications periodically, have application owners review their users' entitlements, and formally document any remediation. Manual access reviews, though not ideal, are far better than none at all.
📌 Enforce Segregation of Duties (SOD) & Least Privileges
Every role and entitlement should be created with least privilege in mind and evaluated for SOD violations (combinations of entitlements that let one person both initiate and approve a transaction). Giving people the minimum level of access they need to do their jobs greatly reduces the chance of a policy violation later. Auditors look for evidence that SOD controls are in place to prevent fraud.
📌 Special Treatment for Privileged Accounts
Once a cybercriminal gets past the endpoint, it is only a matter of time before they reach privileged accounts. Every organization must adopt a zero-trust mindset for these accounts. Privileged account creation, modification, and deletion should be codified as an automated process. Many auditors recommend creating privileged accounts with a predefined expiry date. Above all, access to these accounts should be reviewed periodically so that the organization knows who has access to what.
📌 Manage Ad Hoc Privileges
Users working on special projects may need elevated privileges. Auditors recommend that such requests be thoroughly vetted for scope (read, write, etc.) and for the duration the access is needed, with the grant removed when that period ends.
📌 Maintain Proof of Compliance
Auditors require proof of compliance to finalize the audit. Organizations need to ensure that documentation such as audit trails and review sign-offs exists. If there were audit findings in the previous year that have not been remediated, auditors recommend that organizations maintain documentation of those as well.
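The checks behind the SOD, privileged-account, ad hoc privilege, and proof-of-compliance items above are easy to run over an entitlement export, which is what a review tool does under the hood. The script below is an added example written for this page, not code from the article's author or from SecurEnds; the entitlement rows, role baselines, SOD rules, and user names are constructed sample data. It flags toxic entitlement combinations, entitlements a user holds beyond their role baseline (the "cloned from Jody" problem), privileged grants with no expiry date, and time-boxed grants that have outlived their expiry, and bundles the findings into a report that can be kept as audit evidence.

```python
from datetime import date

# Constructed sample export from three systems (illustrative only, not real data).
# Each row: who holds which entitlement in which app, whether it is privileged,
# and an optional expiry date for time-boxed (ad hoc / project) grants.
ENTITLEMENTS = [
    {"user": "jenna", "app": "erp",   "ent": "create_vendor",   "privileged": False, "expires": None},
    {"user": "jenna", "app": "erp",   "ent": "approve_payment", "privileged": False, "expires": None},
    {"user": "jody",  "app": "erp",   "ent": "approve_payment", "privileged": False, "expires": None},
    {"user": "jody",  "app": "ad",    "ent": "Domain Admins",   "privileged": True,  "expires": None},
    {"user": "carl",  "app": "ad",    "ent": "Domain Admins",   "privileged": True,  "expires": date(2024, 3, 31)},
    {"user": "carl",  "app": "share", "ent": "finance_write",   "privileged": False, "expires": date(2024, 1, 15)},
    {"user": "carl",  "app": "erp",   "ent": "approve_payment", "privileged": False, "expires": None},
    {"user": "mia",   "app": "share", "ent": "finance_read",    "privileged": False, "expires": None},
]

# Assumed role model: each user has one business role, and each role has a baseline
# of entitlements it justifies. Anything held beyond the baseline is an exception.
USER_ROLES = {"jenna": "ap_clerk", "jody": "ap_manager", "carl": "ad_ops", "mia": "analyst"}
ROLE_BASELINE = {
    "ap_clerk":   {"erp:create_vendor"},
    "ap_manager": {"erp:approve_payment"},
    "ad_ops":     {"ad:Domain Admins"},
    "analyst":    {"share:finance_read"},
}

# SOD rules: pairs of entitlements one person must never hold together.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment", "can create a vendor and approve payments to it"),
    ("erp:approve_payment", "share:finance_write", "can approve payments and alter the finance export"),
]


def holdings(entitlements):
    """Map each user to the set of 'app:entitlement' strings they currently hold."""
    by_user = {}
    for row in entitlements:
        by_user.setdefault(row["user"], set()).add(f'{row["app"]}:{row["ent"]}')
    return by_user


def sod_violations(entitlements, rules=SOD_RULES):
    """Return (user, ent_a, ent_b, reason) for every toxic combination a user holds."""
    found = []
    for user, held in sorted(holdings(entitlements).items()):
        for ent_a, ent_b, reason in rules:
            if ent_a in held and ent_b in held:
                found.append((user, ent_a, ent_b, reason))
    return found


def excess_entitlements(entitlements, user_roles=USER_ROLES, baseline=ROLE_BASELINE):
    """Entitlements held beyond the user's role baseline (least-privilege review).

    Users with an unknown role get an empty baseline, so everything they hold is excess."""
    excess = {}
    for user, held in holdings(entitlements).items():
        allowed = baseline.get(user_roles.get(user, ""), set())
        extra = sorted(held - allowed)
        if extra:
            excess[user] = extra
    return excess


def privileged_without_expiry(entitlements):
    """Privileged grants with no predefined expiry (standing admin access)."""
    return sorted((r["user"], f'{r["app"]}:{r["ent"]}')
                  for r in entitlements if r["privileged"] and r["expires"] is None)


def expired_grants(entitlements, today):
    """Time-boxed grants that are past their expiry but still present in the export."""
    return sorted((r["user"], f'{r["app"]}:{r["ent"]}', r["expires"].isoformat())
                  for r in entitlements if r["expires"] is not None and r["expires"] < today)


def review_report(entitlements, today, rules=SOD_RULES):
    """Bundle all findings into one dict; serialised, this is the evidence handed to auditors."""
    return {
        "as_of": today.isoformat(),
        "sod_violations": sod_violations(entitlements, rules),
        "excess_entitlements": excess_entitlements(entitlements),
        "privileged_without_expiry": privileged_without_expiry(entitlements),
        "expired_grants": expired_grants(entitlements, today),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_report(ENTITLEMENTS, date(2024, 4, 1)), indent=2))
```

In a real deployment the `ENTITLEMENTS` rows would come from each application's own export (AD group membership, SaaS role assignments, file share ACLs), and the report would be signed off by each application owner and retained with the remediation tickets. The role baseline is the piece that takes the most effort to maintain, which is why the article stresses roles aligned with business processes: without it, every entitlement looks like an exception and the review degenerates into rubber-stamping.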
Whether it's a public company's Sarbanes-Oxley (SOX), healthcare's HIPAA, or the credit card industry's PCI, IT audits are complex. Good identity governance or user access review software takes out the complexity and helps enforce IT controls while demonstrating compliance. SecurEnds is leading the market with its lightweight, highly configurable, industry-first flex-connector product that keeps companies secure while meeting audit and compliance requirements.
Our software lets you load user data from multiple systems of record, connect dynamically to applications, match identities with user credentials, manage heartbeat identities across connected and disconnected applications, schedule one-time or periodic access recertifications, and create proof of compliance for external auditors.
✍ Article by Abhi Kumar Sood