Deep Dive - User Access Review

Learn about the User Access Review control and associated evidence items

Written by Micah Spieler
Updated over 2 years ago

What is the User Access Review control?

Strike Graph's default control language is: "Management performs at least an annual review of user access to systems based on job duties. Inactive users are removed and removal is documented. The review is formally documented including system generated user listings and sign off by management."

This language should be customized to reflect the specific process that your organization has defined. For example, if your user access review is conducted by another team or position, then you should update the control language to reflect that. It's important that your stated control description accurately reflects how your organization implements this control.

Which framework is this for?

User access reviews are required by SOC 2, ISO 27001, HIPAA, and almost every other security and compliance framework, because regular access reviews are a key security practice that every organization should perform.

Why is this control important?

This control is key to determining that the security principle of least privilege is being followed, and to ensuring that terminated users no longer have access to internal tools and information. Not knowing which tools users have access to makes it difficult to revoke access upon termination, and access reviews can catch accounts that still belong to previously terminated users. Additionally, reviewing the privileges of users who legitimately need access to a tool is good practice for avoiding issues such as data loss or corruption from accidental deletions. Privileges should reflect each user's role and job duties.

Who’s involved with this control?

Typically the IT team, or in some cases the owner or administrator of the tool being reviewed. For example, if the user access review includes the users of the company's payroll administration software, the HR lead may be brought in to determine that access to the tool is limited to the appropriate individuals. The access review may be performed by any member of the team, but the results of the review should always be reviewed and approved by a member of executive management, be it the Director of IT, the CTO or someone else.

How often should I monitor this control?

Best practice for user access reviews is to perform them quarterly. At a minimum, they should be performed annually to stay in compliance with SOC 2, HIPAA and ISO requirements.

How do I monitor this control?

Access reviews are completed by reviewing a user listing for a given tool and then having someone in management (usually the CTO or Director of IT) sign off that the access and privileges are appropriate. This is accomplished by logging a screenshot of the user listing of the tool under review and captioning the screenshot with a note from management stating that access was reviewed by X person on X date and that all access was determined to be appropriate.

Generally we recommend tracking access reviews in tickets; that way it is easy to attach or embed screenshots of the relevant user listings along with the statement that access is appropriate.

Hot Tip: SOC 2, ISO and HIPAA audits will all require you to upload user listings for your critical tools as part of the audit, so it is easy to integrate access reviews into the evidence-gathering process. If you already have to pull a screenshot or user listing as audit evidence, you can combine the effort and paste that same user listing or screenshot into a user access review ticket or document.
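The review described above, reconciling a system-generated user listing against the HR roster and producing a documented, signed-off outcome, as an added example that is not Strike Graph's own code or tooling; the sample users, the 90-day inactivity threshold and the roster fields are assumptions.

```python
from datetime import date

# Constructed sample data (not real accounts): a system-generated user listing
# for one tool, and the HR roster it is reconciled against.
SYSTEM_USERS = [
    {"user": "alice", "role": "admin", "last_login": "2024-03-02"},
    {"user": "bob", "role": "user", "last_login": "2023-09-15"},    # inactive
    {"user": "carol", "role": "admin", "last_login": "2024-03-10"},  # over-privileged
    {"user": "dave", "role": "user", "last_login": "2024-02-28"},    # terminated in HR
]
HR_ROSTER = {
    "alice": {"status": "active", "expected_role": "admin"},
    "bob": {"status": "active", "expected_role": "user"},
    "carol": {"status": "active", "expected_role": "user"},
    "dave": {"status": "terminated", "expected_role": "user"},
}
REVIEW_DATE = date(2024, 3, 15)  # assumed date of the review


def review_access(system_users, hr_roster, review_date, inactive_days=90):
    """Return (user, action, reason) per account: keep, remove or adjust."""
    findings = []
    for acct in system_users:
        name = acct["user"]
        hr = hr_roster.get(name)
        # Unknown or terminated in HR: the account should not exist at all.
        if hr is None or hr["status"] != "active":
            findings.append((name, "remove", "not an active employee in HR roster"))
            continue
        idle = (review_date - date.fromisoformat(acct["last_login"])).days
        if idle > inactive_days:
            findings.append((name, "remove", f"inactive for {idle} days"))
        elif acct["role"] != hr["expected_role"]:
            # Least privilege: granted role exceeds what the job duties call for.
            findings.append((name, "adjust",
                             f"has {acct['role']} but job duties call for {hr['expected_role']}"))
        else:
            findings.append((name, "keep", "access matches job duties"))
    return findings


def review_record(findings, system, reviewer, approver, review_date):
    """Build the documented outcome an auditor expects: who, when, and each decision."""
    lines = [f"User access review: {system}",
             f"Reviewed by {reviewer}; approved by {approver} on {review_date.isoformat()}"]
    lines += [f"- {name}: {action} ({reason})" for name, action, reason in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    results = review_access(SYSTEM_USERS, HR_ROSTER, REVIEW_DATE)
    print(review_record(results, "payroll-app", "IT team", "Director of IT", REVIEW_DATE))
```

The printed record, together with the screenshot of the listing, is what goes into the review ticket as evidence.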