User access reviews are a critical control in almost any IT control framework because they help ensure that users have the appropriate level of access to sensitive data and systems. Without integrity of system access, how can you know the data is trustworthy? In many industries, regulatory bodies have strict requirements for how organizations must manage access to sensitive information.
SOC 1 and SOC 2 expect user access to be appropriate for all in-scope systems; one such control is the review of privileged access – whether that be administrative permissions, confidential data, or even the system or network itself.
A user access review is considered a detective control because it is performed after the fact (access was already provided) to detect issues that were overlooked due to inadequate preventative controls (on-boarding/off-boarding).
Performing a user access review that is sufficient to meet your SOC 1 or SOC 2 controls is straightforward, but, like anything, it takes planning and time to execute properly.
1. Define the Access Review Requirements: Establish the systems, boundaries, criteria, and objectives for the access review in order to ensure compliance with regulations, company policies, and industry best practices.
2. Identify the System Owners: Identify system and business owners of in-scope systems who need to be included in the review.
3. Collect User Access Information: Collect user access information, such as user name, roles, groups, applications, and any other relevant data from in-scope systems.
4. Analyze Access Information: Compare user access information to the previously established criteria to determine if it meets the objectives of the access review.
5. Generate Reports: Produce reports for management detailing the results of the access review. The reports should include a summary of the findings, recommendations, and any necessary actions.
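Steps 3 to 5 as a small, added example (not from the original article): a constructed CSV access export is analyzed against assumed criteria (a set of privileged roles and the owner-approved privileged assignments) and summarised into a management report. The user names, roles, column layout and approval table are all assumptions.

```python
import csv
import io
from collections import Counter

# Constructed user access export, as if pulled from an in-scope system (step 3).
ACCESS_EXPORT = """\
user,role,status
alice,admin,active
bob,read-only,active
carol,dba,active
dave,read-only,terminated
erin,admin,active
"""
# Review criteria from step 1 and system-owner approvals from step 2 (constructed).
PRIVILEGED_ROLES = {"admin", "dba"}
APPROVED_PRIVILEGED = {"alice": {"admin"}, "carol": {"dba"}}


def parse_export(text):
    """Parse the CSV export into dicts with user, role and status keys."""
    return list(csv.DictReader(io.StringIO(text)))


def analyze_access(rows, privileged_roles, approved_privileged):
    """Step 4: compare each entry to the criteria; return (user, role, reason) findings."""
    findings = []
    for row in rows:
        user, role, status = row["user"], row["role"], row["status"]
        if status != "active":
            # Off-boarding gap: a non-active account still holds access.
            findings.append((user, role, "inactive user retains access"))
        elif role in privileged_roles and role not in approved_privileged.get(user, set()):
            # Privileged role with no system-owner approval on record.
            findings.append((user, role, "unapproved privileged access"))
    return findings


def build_report(rows, findings):
    """Step 5: summarise findings and required actions for management."""
    return {
        "entries_reviewed": len(rows),
        "exceptions": len(findings),
        "by_reason": dict(Counter(reason for _, _, reason in findings)),
        "actions": [f"revoke {r} from {u}: {why}" for u, r, why in findings],
    }


def run_review(export=ACCESS_EXPORT):
    """Run steps 3-5 end to end over one export."""
    rows = parse_export(export)
    return build_report(rows, analyze_access(rows, PRIVILEGED_ROLES, APPROVED_PRIVILEGED))
```

Each finding ties back to a specific preventative-control gap (off-boarding or privileged-access approval), which is the evidence a SOC auditor will expect the review to produce.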