ABT blog

A jogosultság felülvizsgálat előnyei és kihívásai / Benefits and Challenges of User Access Review

Author
Gábor Balogh
Senior advisor, Risk & Compliance Services

Benefits and Challenges of User Access Review

Benefits

User access review (hereinafter: UAR) is the periodic review and verification of user access rights within one or more IT systems of an organisation. This process is vitally important for the security of the organisation's systems and data. UAR, like most of today's data security measures, does not provide complete protection or assurance by itself; however, it is a very important part of an organisation's internal control system.

The benefits of a well-designed UAR programme are many:

  • UAR helps to detect and remove unauthorised access rights
  • corrects possible errors in the leaver and revocation process
  • detects and manages the accumulation of system access by staff who change positions within the organisation
  • helps to identify and eliminate certain segregation of duties (SOD) errors and risks
  • reduces the risk of security incidents and data loss
  • enables more effective work by ensuring that everyone has only the privileges they need to do their job

Challenges

Everyone who has seen or participated in a UAR process has experienced how complex it is. There are many sensitive process steps that need attention if the review is to be complete, efficient and effective.

We have audited and taken an active part in several UAR processes. Based on our experience, we would like to highlight the following key factors that can significantly contribute to the success of the process.

1. Scope

  • Define the list of systems, users and roles involved in the UAR process. Based on the risk assessment or external audit requirements, which systems should be included in the scope of the review?
  • Do all users and roles have to be reviewed, or can view-only rights be excluded?
  • How are users from external partners handled?
  • Do users with privileged access receive special attention?

2. Process actors

  • Who will coordinate and implement the UAR itself? Since it is a periodic process (usually twice a year) with a high workload, should it be integrated into the annual tasks of one of the departments, should an internal project team be created for it, or should the whole process be outsourced?
  • Who will be the approvers? Are all employees' authorisations approved by their immediate line manager? Are there role owners or business owners of IT systems who can approve all users and their roles? Keep in mind that one approver should not receive too many items, as it is not realistic to review thousands of items per system; but it is also important to avoid having thousands of approvers.

3. Data sources

What are the sources of the data for the UAR? How can we make sure that they are complete and accurate? This is particularly important if the process is subject to external audit.

4. Tools

On which platform do we organise the UAR process? If there are a lot of manual steps in Excel, the process is time-consuming and more error-prone. Purchasing off-the-shelf software can be expensive, and it may not cover all of your organisation's needs.

5. Timelines

What happens if an approver is unavailable for a period of time? How does delegation work, and who can perform it?

6. Consequence management

How do we manage responses that are not received by the deadline? Do we remove all affected roles, risking business disruption? How do we filter out self-review, so that every approval is independent?
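The six decision points above (scope, approvers, self-review filtering, privileged and external users, SOD and accumulated access, and consequence management after the deadline) can be made concrete in a small campaign builder. The following is an added illustration written for this post; it is not ABT's UAR tool, and every user, system, role, department, conflict pair and escalation mapping in it is constructed. It assumes an access export already joined with HR data (line manager, current department, and the department that owns each role), which is one of the data-source questions raised under point 3.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample: an IAM access export joined with HR data. All users,
# systems, roles and departments are hypothetical.
ACCESS_EXPORT = [
    {"user": "alice", "system": "ERP", "role": "AP_CLERK", "privileged": False,
     "view_only": False, "manager": "carol", "dept": "Finance", "role_dept": "Finance"},
    {"user": "alice", "system": "ERP", "role": "VENDOR_MASTER", "privileged": False,
     "view_only": False, "manager": "carol", "dept": "Finance", "role_dept": "Finance"},
    {"user": "bob", "system": "ERP", "role": "REPORT_VIEWER", "privileged": False,
     "view_only": True, "manager": "carol", "dept": "Finance", "role_dept": "Finance"},
    # carol is recorded as her own line manager: a self-review case
    {"user": "carol", "system": "ERP", "role": "AP_CLERK", "privileged": False,
     "view_only": False, "manager": "carol", "dept": "Finance", "role_dept": "Finance"},
    # dave moved from Sales to Finance but still holds a Sales admin role
    {"user": "dave", "system": "CRM", "role": "SALES_ADMIN", "privileged": True,
     "view_only": False, "manager": "erin", "dept": "Finance", "role_dept": "Sales"},
    {"user": "frank.ext", "system": "CRM", "role": "SALES_ADMIN", "privileged": True,
     "view_only": False, "manager": "erin", "dept": "External", "role_dept": "Sales"},
]

# Constructed SOD matrix: (system, role A, role B) held together is a conflict.
SOD_CONFLICTS = {("ERP", "AP_CLERK", "VENDOR_MASTER")}
# Constructed escalation map for managers who would otherwise review themselves.
ESCALATION = {"carol": "grace"}
DEFAULT_ESCALATION = "uar_coordinator"  # hypothetical fallback approver

Key = Tuple[str, str, str]  # (user, system, role)


@dataclass
class ReviewItem:
    user: str
    system: str
    role: str
    approver: str
    flags: List[str] = field(default_factory=list)
    decision: Optional[str] = None  # "keep", "revoke", or None while pending


def _sod_conflicts(export) -> set:
    """Keys of roles that clash with another role the same user holds in one system."""
    held: Dict[Tuple[str, str], set] = {}
    for row in export:
        held.setdefault((row["user"], row["system"]), set()).add(row["role"])
    flagged = set()
    for (user, system), roles in held.items():
        for sys_, a, b in SOD_CONFLICTS:
            if sys_ == system and a in roles and b in roles:
                flagged.update({(user, system, a), (user, system, b)})
    return flagged


def build_review_items(export, include_view_only: bool = False) -> List[ReviewItem]:
    """Apply the scope and approver decisions and attach risk flags to each item."""
    sod = _sod_conflicts(export)
    items = []
    for row in export:
        if row["view_only"] and not include_view_only:
            continue  # scope decision: view-only rights left out of this campaign
        approver, flags = row["manager"], []
        if approver == row["user"]:  # self-review filter: route to an independent approver
            approver = ESCALATION.get(approver, DEFAULT_ESCALATION)
            flags.append("escalated_self_review")
        if row["privileged"]:
            flags.append("privileged")
        if row["dept"] == "External":
            flags.append("external_partner")
        elif row["dept"] != row["role_dept"]:
            flags.append("position_change")  # access accumulated from a previous position
        if (row["user"], row["system"], row["role"]) in sod:
            flags.append("sod_conflict")
        items.append(ReviewItem(row["user"], row["system"], row["role"], approver, flags))
    return items


def approver_load(items: List[ReviewItem], max_items: int = 500) -> Dict[str, Tuple[int, bool]]:
    """Items per approver and whether the load exceeds the agreed cap."""
    load: Dict[str, int] = {}
    for it in items:
        load[it.approver] = load.get(it.approver, 0) + 1
    return {a: (n, n > max_items) for a, n in load.items()}


def close_campaign(items: List[ReviewItem], decisions: Dict[Key, str],
                   today: date, deadline: date) -> Dict[Key, str]:
    """Consequence management: after the deadline, undecided items are queued for revocation."""
    outcome: Dict[Key, str] = {}
    for it in items:
        key = (it.user, it.system, it.role)
        it.decision = decisions.get(key)
        if it.decision in ("keep", "revoke"):
            outcome[key] = it.decision
        else:
            outcome[key] = "revoke_no_response" if today > deadline else "pending"
    return outcome


def revocation_queue(items: List[ReviewItem], outcome: Dict[Key, str]) -> List[Key]:
    """Roles to remove, privileged access first so the riskiest items are handled quickly."""
    due = [it for it in items if outcome[(it.user, it.system, it.role)].startswith("revoke")]
    due.sort(key=lambda it: "privileged" not in it.flags)  # stable: privileged items float up
    return [(it.user, it.system, it.role) for it in due]
```

The policy encoded in `close_campaign` (revoke anything without a response once the deadline has passed) is only one of the options the post raises; a less disruptive variant would escalate undecided non-privileged items to a second approver before revocation, and the same structure accommodates that by returning an "escalate" outcome instead.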

To conclude, many questions and decision points arise during a UAR process, and the assistance of an external consultant with knowledge of multiple methods and processes may be helpful at any of them.

How can we help you?

Our experts have been involved in UAR-related projects for several companies throughout the years. Our services related to user access reviews are the following:

  • Process auditing and consulting: after assessing your process, we identify the points where there is room for improvement and development and provide you with the improvement options that best fit your organisation and processes.
  • UAR coordination and implementation: our consultants will guide the process through your organisation, from planning, through audit-proof data extraction and cleaning, to final documentation.
  • UAR automation: ABT's self-developed UAR software has successfully delivered many reviews and passed several Big4 audits. At one of our clients, the UAR tool is used to validate over 15 systems and 15,000 roles.

Figure 1: A screen of ABT's UAR tool

If you are interested in our UAR services, please contact us!

Date: 19 December 2022 | Topic: IT security

The above summary is provided for information purposes only. We recommend that you consult our experts before making any decision based on this information.
