With proper design, implementation and maintenance, periodic user access reviews can be an effective tool for service organizations in achieving their security and compliance goals.
When properly implemented, these reviews can catch a multitude of user access errors. To ensure that access is continuously monitored, user access reviews are performed on a periodic basis (monthly, quarterly, annually, etc.). While quarterly reviews align with best practices, and are even mandated by certain compliance standards, more or less frequent reviews may be required, depending on the organization.
Typical user access reviews consist of managers validating that an account belongs to an active employee and that the account is authorized to have access to a given system. While these are important characteristics to review, the most effective user access reviews require managers to review each user's individual privileges within the in-scope systems. These detailed reviews ensure that unauthorized privileged access to critical systems does not go undetected. And as always, the more documentation and retention, the better.
When it comes to compliance, a review with no evidence of dates or approvals does very little good.
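The three checks described above (active employee, authorized access, privileges within what was approved) and the dated, approved evidence record can be reconciled mechanically before a manager signs off. The following is an added example, not code from the original article; the HR roster, account export, privilege baseline and approver name are constructed sample data.

```python
from datetime import date

# Constructed sample inputs (not taken from the original article).
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}
SYSTEM_ACCOUNTS = {  # account -> privileges currently held in the in-scope system
    "alice": {"read", "write"},
    "bob": {"read"},
    "carol": {"read", "admin"},
    "dave": {"read"},
}
AUTHORIZED = {  # account -> privileges the system owner has approved
    "alice": {"read", "write"},
    "carol": {"read"},
}


def review_access(roster, accounts, authorized):
    """Return findings keyed by account name: which check failed and why."""
    findings = {}
    for account, privs in accounts.items():
        status = roster.get(account)
        if status is None:
            findings[account] = "no HR record for this account"
        elif status != "active":
            findings[account] = f"employee status is '{status}'"
        else:
            # Privilege-level check: anything beyond the approved baseline is a finding.
            excess = privs - authorized.get(account, set())
            if excess:
                findings[account] = f"unapproved privileges: {sorted(excess)}"
    return findings


def record_review(accounts, findings, approver, review_date):
    """Build the dated, signed-off evidence record an auditor will ask for."""
    return {
        "review_date": review_date,
        "approved_by": approver,
        "accounts_reviewed": sorted(accounts),
        "exceptions": findings,
        "clean": not findings,
    }


if __name__ == "__main__":
    found = review_access(HR_ROSTER, SYSTEM_ACCOUNTS, AUTHORIZED)
    print(record_review(SYSTEM_ACCOUNTS, found, "jane.manager", date.today().isoformat()))
```

Accounts with no finding pass all three checks; every exception is retained in the record alongside the review date and approver, which is the evidence a compliance assessor expects to see.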