Access Reviews – Revisited
What are “Access Reviews”?
Over time, as workforce members leave the company or move to other positions within the same organization, they no longer need access to certain systems, or they require access to new systems. Periodically, it is important to review the access of current and terminated employees to confirm that each access still adheres to the “least privilege” principle, and to deactivate any access that does not. There are three general types of access reviews that should be conducted:
- Roles and Responsibilities: Access is typically set up using groups, roles, and responsibilities. Independently of the specific individuals who are members of these groups, the entitlements should be reviewed by asset owners to ensure that what is being granted is still reasonable and appropriate.
- Group Membership: Group owners should periodically review the rosters of individual groups to ensure the membership is still reasonable and appropriate.
- Privileged Access: Administrators are often given elevated privileges to carry out installations, maintenance, and other tasks that the standard user does not need to perform. The access of individuals with elevated privileges should be reviewed frequently; often, this review is more frequent than standard user reviews.
Why are access reviews important?
While policies and procedures are in place and followed to the best of everyone’s ability, sometimes items are missed. Additionally, we experience a condition referred to as “Access Creep”. This access creep occurs mostly when individuals change roles within the company and their former access is not deactivated. This leads to individuals having more access than is required for their jobs and roles.
What should I do to conduct access reviews?
- Conduct standard access reviews quarterly. The groups and the respective memberships should be examined to make sure the access is still reasonable and appropriate. These reviews should be performed by the owner of the application or asset. Often, these reviews are completed by the Information Technology team and not by the individual or team that knows the environment best.
- Conduct access reviews for elevated access. It is recommended that privileged access be reviewed every 30-60 days.
- In addition to the reviews of access for logical rights and entitlements, review of physical access should also be conducted using the same cadence.
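As an added illustration of the review procedure above (not part of the original article), the following Python script checks a constructed roster against the three review types: it flags terminated accounts still in groups, flags access creep where a member's current role does not justify the group, lists every privileged member for explicit owner attestation, and marks groups whose owner review is overdue against the quarterly or 30-day cadence. All users, roles, groups and dates are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical users, roles and groups, not a real environment).
EMPLOYEES = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "active", "role": "engineering"},  # moved here from finance
    "carol": {"status": "terminated", "role": "finance"},
}
# Entitlements each role legitimately needs, as approved by the asset owners.
ROLE_ENTITLEMENTS = {
    "finance": {"gl-readers", "payroll-users"},
    "engineering": {"git-users"},
}
# Group rosters, whether the group grants elevated privileges, and the owner's last review.
GROUPS = {
    "gl-readers":    {"members": {"alice", "bob"},   "privileged": False, "last_review": date(2024, 1, 10)},
    "payroll-users": {"members": {"alice", "carol"}, "privileged": False, "last_review": date(2024, 3, 1)},
    "git-users":     {"members": {"bob"},            "privileged": False, "last_review": date(2024, 3, 1)},
    "domain-admins": {"members": {"bob"},            "privileged": True,  "last_review": date(2024, 1, 15)},
}
STANDARD_CADENCE = timedelta(days=90)    # quarterly review of standard access
PRIVILEGED_CADENCE = timedelta(days=30)  # stricter end of the 30-60 day window
TODAY = date(2024, 4, 1)                 # constructed review date

def review(employees, role_entitlements, groups, today):
    """Return (finding, group, user) tuples for the group owner to act on."""
    findings = []
    for name, g in groups.items():
        cadence = PRIVILEGED_CADENCE if g["privileged"] else STANDARD_CADENCE
        if today - g["last_review"] > cadence:
            findings.append(("overdue_review", name, None))
        for user in sorted(g["members"]):
            emp = employees.get(user)
            if emp is None or emp["status"] != "active":
                # Terminated or unknown accounts must lose the access outright.
                findings.append(("terminated_member", name, user))
            elif g["privileged"]:
                # Every privileged member is listed for explicit attestation.
                findings.append(("privileged_attest", name, user))
            elif name not in role_entitlements.get(emp["role"], set()):
                # Access creep: entitlement not justified by the current role.
                findings.append(("access_creep", name, user))
    return findings

def sample_findings():
    return review(EMPLOYEES, ROLE_ENTITLEMENTS, GROUPS, TODAY)

if __name__ == "__main__":
    for finding, group, user in sample_findings():
        print(f"{finding:18} {group:14} {user or ''}")
```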