Imagine an employee at your organization is terminated, but due to a communication gap or manual off-boarding process, their account isn’t disabled. Weeks later, another employee needs access to restricted data but hasn’t yet received approval for such access. Frustrated with delays, this employee uses the former employee’s still-active credentials to access the restricted data. To avoid future access issues and work from home, the employee downloads the data and emails it to their personal device, including a few other colleagues who are working on a project together. The restricted data is now beyond the boundaries controlled by your organization, increasing the risk of data exposure. No malicious hacker was required; just an inactive account, still enabled, which left data at risk.
Could this scenario exist at your organization? In a survey conducted by Beyond Identity in 2022 of over 900 employees from the United States, the United Kingdom, and Ireland, 83% of respondents reported maintaining some level of access to digital assets of their former employer. A simple, well-run user access review (UAR) can help lessen the risk of incidents associated with the misuse of credentials and user permissions.
A UAR is an important control in any security or compliance program. At its core, a UAR is a periodic audit of who has access to what, ensuring permissions remain aligned with job duties, organizational changes, and security principles such as least privilege. Further, UARs help mitigate privilege creep, the gradual accumulation of permissions over time, particularly as users change roles. In addition, UARs help identify orphan accounts: active accounts that belong to individuals who are no longer with the company or no longer in the related role.
This blog outlines the steps of a UAR and some best practices, including actionable recommendations you can apply across any organization.
What Is a User Access Review (UAR)?
A user access review is a formal, periodic process where user permissions are evaluated to ensure they are appropriate, necessary, and aligned with the user’s job role. At a high level, a UAR should address the following questions:
- Who currently has access to a system or dataset?
- Should each user, including third-party users, still have that level of access?
- Are there any users with excessive privileges?
- Were recent terminations or role changes handled properly?

Why Are User Access Reviews Important?
Poor access management creates significant risks to an organization. These can include insider threats (malicious or accidental), unauthorized access by former employees, data breaches caused by excessive privileges, operational disruption due to improper access, and audit and compliance failures.
In addition, many compliance frameworks (e.g., SOC 2, ISO 27001, PCI DSS, SOX, and HIPAA) require or recommend user access reviews. Auditors regularly ask for documented review results and evidence of completed follow-up or remediation of identified issues.
Having a strong, repeatable UAR process reduces your security risk and strengthens your adherence to compliance standards.
How to Conduct a User Access Review
There is flexibility in how UARs are performed and managed, but they all follow the same basic principles or steps.
- Identify and Prioritize Systems: Start by determining which systems should have access reviewed and how frequently. Not all systems and data are equal. Some will require more scrutiny and should be reviewed more frequently.
- Inventory Current Access: Generate a current list of all users and permissions for the relevant systems, and a current list of personnel (employees and contractors). Be sure to capture data such as usernames, group memberships, account status (enabled or disabled), last login timestamp, roles/job functions, and start and termination dates.
- Perform the Review: Review the access lists for each system and consider the following questions:
  - Does the user still need access to this system?
  - Does their permission level match their job role?
  - Are there any dormant accounts?
  - Are there any terminated personnel who still have active accounts enabled?
- Remediate and Document: Revoke or modify access based on the results of the review and confirm that the changes have been made. When complete, document the results of the review along with the actions taken.
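The steps above (and the step-by-step summary in the questions section below) come down to joining the system's access export with the HR roster and flagging what does not line up. The script below is an added example, not code from the original post: it takes a constructed access export and a constructed HR roster, and produces the review worksheet of orphan accounts, terminated-but-enabled accounts, dormant accounts, and group memberships that do not fit the user's job role. The usernames, groups, dates, the 90-day dormancy threshold, and the group-to-allowed-role mapping are all hypothetical sample data.

```python
# Added example (not from the original post): cross-check an access export
# against the HR roster to produce the review worksheet. All names, groups,
# dates and the allowed-role mapping below are constructed sample data.
from collections import Counter
from datetime import datetime, timedelta, timezone

# HR personnel list: username -> employment record (constructed sample data)
HR_ROSTER = {
    "asmith": {"status": "active", "role": "Accountant", "termination_date": None},
    "bjones": {"status": "terminated", "role": "Analyst", "termination_date": "2024-03-15"},
    "cnguyen": {"status": "active", "role": "Engineer", "termination_date": None},
    "dlee": {"status": "active", "role": "Intern", "termination_date": None},
}

# Access export pulled from the system under review (constructed sample data)
ACCESS_EXPORT = [
    {"username": "asmith", "enabled": True, "groups": ["finance-readonly"], "last_login": "2024-05-30T14:02:00Z"},
    {"username": "bjones", "enabled": True, "groups": ["finance-readonly", "erp-admin"], "last_login": "2024-04-02T09:11:00Z"},
    {"username": "cnguyen", "enabled": True, "groups": ["erp-admin"], "last_login": "2024-01-10T08:00:00Z"},
    {"username": "dlee", "enabled": True, "groups": ["finance-readonly"], "last_login": None},
    {"username": "svc-backup", "enabled": True, "groups": ["erp-admin"], "last_login": "2024-05-31T01:00:00Z"},
    {"username": "zold", "enabled": False, "groups": ["finance-readonly"], "last_login": "2023-11-01T10:00:00Z"},
]

# Job roles the system owner has approved for each group (hypothetical mapping)
GROUP_ALLOWED_ROLES = {
    "finance-readonly": {"Accountant", "Analyst"},
    "erp-admin": {"Engineer"},
}
PRIVILEGED_GROUPS = {"erp-admin"}
DORMANT_DAYS = 90  # hypothetical threshold; set it from your own policy


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-30T14:02:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_access(access_export, hr_roster, as_of, dormant_days=DORMANT_DAYS):
    """Return (username, finding, detail) tuples for the reviewer to act on."""
    findings = []
    for acct in access_export:
        user = acct["username"]
        hr = hr_roster.get(user)
        if hr is None:
            # No owner in HR: an orphan account (ex-employee, service or test account)
            findings.append((user, "ORPHAN", "no matching HR record; confirm owner or disable"))
            continue  # role fit cannot be judged without an owner
        if hr["status"] == "terminated" and acct["enabled"]:
            findings.append((user, "TERMINATED_ACTIVE",
                             f"terminated {hr['termination_date']} but account still enabled"))
        if acct["enabled"]:
            last = acct["last_login"]
            if last is None:
                findings.append((user, "DORMANT", "enabled but never logged in"))
            elif as_of - parse_ts(last) > timedelta(days=dormant_days):
                findings.append((user, "DORMANT", f"no login since {last}"))
        for group in acct["groups"]:
            if hr["role"] not in GROUP_ALLOWED_ROLES.get(group, set()):
                kind = "PRIVILEGED_MISMATCH" if group in PRIVILEGED_GROUPS else "ROLE_MISMATCH"
                findings.append((user, kind, f"{hr['role']} holds {group}"))
    return findings


def summarize(findings):
    """Count findings by type for the review summary that goes in the audit file."""
    return dict(Counter(kind for _, kind, _ in findings))


def run_review(as_of="2024-06-01T00:00:00Z"):
    """Run the review over the sample data as of the given review date."""
    return review_access(ACCESS_EXPORT, HR_ROSTER, parse_ts(as_of))


if __name__ == "__main__":
    findings = run_review()
    for user, kind, detail in findings:
        print(f"{user:12} {kind:20} {detail}")
    print(summarize(findings))
```

Two design points worth noting. An account with no HR record is reported before anything else and skipped for the role checks, because without a known owner nobody can say what access is appropriate; that is exactly the orphan-account case from the opening scenario. And a disabled account (zold) is still reported as an orphan rather than ignored: disabled is not deleted, and a disabled account with no owner is one re-enable away from being the terminated employee's credentials again.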

User Access Review Best Practices
While the UAR process is rather straightforward, not all UAR processes are created equal. The following practices can strengthen your UAR process and add value to your organization.
1) Do it
The biggest UAR failure I see at organizations I have audited is simply not performing reviews at all. Even imperfect or manual reviews are better than none. Organizations that fail to perform UARs often cite a lack of tooling, time constraints, and confusion about responsibilities. Start simple, even with a spreadsheet, and improve over time.
2) Base the Review on Risk
Organizations often feel overwhelmed with the idea of reviewing access to all systems on a periodic basis. However, not all systems and data are equal. Systems should be prioritized. Consider data sensitivity (personally identifiable information (PII), protected health information (PHI), financials), privileged vs. standard access, external vs. internal users, regulatory obligations, etc. Also, consider user turnover and the number of users managed by the organization. Use a formal risk assessment to determine review cadence. Based on risk, you may determine that some systems or permissions should be reviewed monthly or quarterly while others are reviewed annually.
3) Involve the Right Stakeholders
It is not uncommon to see the entire UAR process being performed by one team member in the information technology or compliance group. These should not be the only reviewers for the UAR process to be effective. The people who understand what access users should have include department managers, system owners, application data owners, and business process owners. They know what their team members need to perform their duties.
4) Verify that All Changes Were Applied
I have seen instances where a thorough UAR was performed and detailed notes were taken of what access modifications needed to be made, but no action was taken. The notes got lost in the cycle, and access remained unchanged. Organizations should build a verification step into the process, such as re-pulling access lists, creating work tickets for each request, etc.
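The verification step does not need to be elaborate: record each decision from the review as its own ticket, re-pull the access list once the administrators report the work complete, and check every decision against it mechanically. The following is an added example, not code from the original post; the decisions, ticket numbers, and the re-pulled export are constructed sample data, and the three action types (disable, remove a group, delete) are hypothetical names chosen for the example.

```python
# Added example (not from the original post): verify that review decisions were
# actually applied by re-pulling the access list and checking each decision
# against it. Usernames, groups and ticket numbers are constructed sample data.

# Decisions recorded during the review, one work ticket per decision (constructed)
DECISIONS = [
    {"ticket": "TCKT-1001", "username": "bjones", "action": "disable", "target": None},
    {"ticket": "TCKT-1002", "username": "bjones", "action": "remove_group", "target": "erp-admin"},
    {"ticket": "TCKT-1003", "username": "dlee", "action": "remove_group", "target": "finance-readonly"},
    {"ticket": "TCKT-1004", "username": "svc-backup", "action": "delete", "target": None},
    {"ticket": "TCKT-1005", "username": "cnguyen", "action": "disable", "target": None},
]

# Access list re-pulled after the administrators reported the work complete (constructed)
REPULLED_EXPORT = [
    {"username": "asmith", "enabled": True, "groups": ["finance-readonly"]},
    {"username": "bjones", "enabled": False, "groups": ["finance-readonly"]},
    {"username": "cnguyen", "enabled": False, "groups": ["erp-admin"]},
    {"username": "dlee", "enabled": True, "groups": ["finance-readonly"]},
    {"username": "svc-backup", "enabled": True, "groups": ["erp-admin"]},
]


def decision_applied(decision, accounts):
    """True if the re-pulled access list shows the decision in effect."""
    acct = accounts.get(decision["username"])
    action = decision["action"]
    if action == "delete":
        return acct is None
    if action == "disable":
        # A deleted account also satisfies "disable": it can no longer log in
        return acct is None or not acct["enabled"]
    if action == "remove_group":
        return acct is None or decision["target"] not in acct["groups"]
    raise ValueError(f"unknown action {action!r} on {decision['ticket']}")


def verify_remediation(decisions, repulled_export):
    """Split decisions into applied and still-open, for the evidence file."""
    accounts = {a["username"]: a for a in repulled_export}
    applied, still_open = [], []
    for decision in decisions:
        (applied if decision_applied(decision, accounts) else still_open).append(decision)
    return applied, still_open


def open_tickets(decisions=DECISIONS, repulled_export=REPULLED_EXPORT):
    """Ticket numbers that must be reopened before the review can be closed."""
    _, still_open = verify_remediation(decisions, repulled_export)
    return [d["ticket"] for d in still_open]


if __name__ == "__main__":
    applied, still_open = verify_remediation(DECISIONS, REPULLED_EXPORT)
    print(f"{len(applied)} applied, {len(still_open)} still open: {open_tickets()}")
```

Here the two decisions for dlee and svc-backup were recorded but never carried out, which is the failure described above; the re-pull catches them and the tickets get reopened. The check is deliberately strict about what it accepts: it reads the state of the account, not the status of the ticket, so a ticket closed without the change being made still shows up as open.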
5) Document the Review
As it relates to audits and compliance, if it is not documented, auditors will treat it as though it never happened. Documentation can take many forms, such as email communication, spreadsheets, automated tasks/logs, etc. No matter the form, it is essential to capture information such as which systems were reviewed, who performed the review and when, access lists used in the review, results of the review, and actions taken based on the review.
6) Automate the Process When Possible
Automation improves accuracy and reduces the administrative burden of the UAR. Automated tools can generate access lists, send notifications and reminders, flag dormant or high-risk accounts, track action steps, enforce approvals, and support access policies. Many tools (e.g., governance, risk, and compliance (GRC) tools; identity and access management platforms) are now available to streamline the UAR process and make it more effective and efficient.
7) Formalize an Access Review Policy and Schedule
Formalize the UAR process. Make it known that it is an important process and one that management expects to be performed. Establish a written policy that defines review frequency, roles and responsibilities for reviews, and procedures for modifying access.
8) Utilize Role-Based Access Control (RBAC)
RBAC assigns permissions to roles, and users to roles, rather than granting permissions directly to individual users. This makes the access review more efficient: the reviewer verifies that each user is assigned the correct roles rather than checking every individual permission for every user, and any permission granted outside a role stands out as an exception to examine.
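To make the efficiency gain concrete, the added example below (not code from the original post) takes a constructed set of role definitions, role assignments, and the application's effective-permission export, and reduces the review to two things: the role assignments the reviewer signs off on, and the handful of permissions a user holds that no assigned role explains. Roles, usernames, and permission strings are hypothetical sample data.

```python
# Added example (not from the original post): with RBAC, review role assignments
# and then flag only the permissions a user holds that no assigned role explains.
# Roles, users and permission strings are constructed sample data.

# Role definitions maintained by the system owner (constructed)
ROLE_PERMISSIONS = {
    "Accountant": {"ledger:read", "ledger:post"},
    "Analyst": {"ledger:read", "reports:read"},
    "ERPAdmin": {"ledger:read", "ledger:post", "users:manage", "config:write"},
}

# Role assignments: this is what the reviewer signs off on (constructed)
USER_ROLES = {
    "asmith": {"Accountant"},
    "bjones": {"Analyst"},
    "cnguyen": {"ERPAdmin"},
    "dlee": set(),
}

# Effective permissions exported from the application itself (constructed)
EFFECTIVE_PERMISSIONS = {
    "asmith": {"ledger:read", "ledger:post", "config:write"},
    "bjones": {"ledger:read", "reports:read"},
    "cnguyen": {"ledger:read", "ledger:post", "users:manage", "config:write"},
    "dlee": {"reports:read"},
}


def expected_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role assigned to the user."""
    perms = set()
    for role in user_roles.get(user, set()):
        # A role that is assigned but not defined is itself a finding, so fail loudly
        perms |= role_permissions[role]
    return perms


def rbac_exceptions(effective=EFFECTIVE_PERMISSIONS, user_roles=USER_ROLES,
                    role_permissions=ROLE_PERMISSIONS):
    """Map each user to the permissions held directly, outside any assigned role."""
    exceptions = {}
    for user, held in effective.items():
        direct = held - expected_permissions(user, user_roles, role_permissions)
        if direct:
            exceptions[user] = sorted(direct)
    return exceptions


def review_workload(effective=EFFECTIVE_PERMISSIONS, user_roles=USER_ROLES,
                    role_permissions=ROLE_PERMISSIONS):
    """Items a reviewer must sign off: per-permission review vs. roles plus exceptions."""
    per_permission = sum(len(p) for p in effective.values())
    role_assignments = sum(len(r) for r in user_roles.values())
    exceptions = sum(len(p) for p in rbac_exceptions(effective, user_roles, role_permissions).values())
    return {"per_permission": per_permission, "role_based": role_assignments + exceptions}


if __name__ == "__main__":
    for user, direct in rbac_exceptions().items():
        print(f"{user}: direct grants outside any role: {', '.join(direct)}")
    print(review_workload())
```

On this sample the per-permission review has ten items to sign off, while the role-based review has three role assignments plus two exceptions. The exceptions are the interesting part: asmith holds config:write directly even though the Accountant role does not grant it, and dlee has no role at all yet holds reports:read. Both are the kind of one-off grants that accumulate as privilege creep and that a role-by-role review would otherwise miss. Permissions a role grants but the user does not actually hold (the reverse difference) are worth listing too, but as an operational gap rather than a security finding.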

Common User Access Review Questions
These are some of the more common questions we get from clients with regard to user access reviews.
How Often Should User Access Be Reviewed?
This will vary by organization and the risks associated with your systems. Reviews should be performed at least annually, but more frequently (e.g., monthly or quarterly) for high-risk systems. Other factors, such as turnover, number of personnel, and the effectiveness of other access management controls, can be considered in determining the frequency of the reviews.
What Are the Risks of Not Conducting User Access Reviews?
Risks include the following:
- Unauthorized access
- Data breaches
- Excessive privileges
- Insider threats
- Audit findings and compliance penalties
- Orphan accounts with active credentials
- Increased attack surface
How Do You Perform a User Access Review Step by Step?
- Identify and classify systems
- Pull access lists
- Review permissions
- Revoke or modify access
- Verify changes
- Document the review
What Documentation Do Auditors Expect?
Auditors typically expect evidence showing:
- The systems and access lists that were included in the review
- When the review occurred
- Who reviewed it
- What decisions were made
- What changes were implemented
- Proof that changes were completed
Take Action: Improve Your User Access Reviews
Regular user access reviews are one of the simplest and most effective ways to reduce security risk and maintain compliance. By following best practices, organizations can reduce their exposure to incidents caused by excessive or outdated access.
Linford & Company is an independent CPA firm with a team of external auditors specializing in SOC 2 assessments and other various audit services. If you have questions about user access reviews or are interested in an audit against specific frameworks, please feel free to contact us.

Kevin has over ten years of experience in internal controls, audit, and advisory work. Kevin started his career in public accounting at Deloitte focusing on internal controls, SOC audits, and IT assurance work. After Deloitte, Kevin filled a leadership role in the SOX Compliance group at a financial services company. Kevin is a CPA and holds a Bachelor of Science degree in Accounting from Brigham Young University and a Master of Business Administration degree from Ohio University.




