What is User Access Review Process?

SecurEnds
3 min read · Jan 12, 2021

The user access review process is an important control activity required to ensure that employees, contractors and partners have the correct rights and permissions within different IT resources and data. This process is run periodically (quarterly or annually) to ensure compliance requirements are met. It also allows companies to undertake a continuous improvement initiative, where new controls are set up based on the access issues found. In general, the following steps are undertaken as part of this process:

1) Collect a list of users, their roles, permissions etc. across all systems: This step is a labor- and time-intensive process for many organizations, as it requires fetching user data from a number of locations for employees, contractors, vendors and partners. Proper planning improves the efficiency of the process and greatly reduces the effort involved.

2) Correlate users (identities) to accounts: A user or identity can have different accounts in different systems. For example, John Doe can use JD1 to log into an AD-authenticated application and use john.doe to log into Salesforce. Before reviews can be assigned, all accounts belonging to an identity must be tabulated.

3) Assign reviews to managers or application owners: Depending on the user review process being followed by the organization, reviews can be assigned to the manager, the application owner, the department head, or a combination of these.

4) Resolve or remediate violations: Any time a policy violation is found (i.e. the existence of an orphaned account, excessive privilege etc.), user access must be adjusted. Additionally, the user access review process should create proof of compliance (reviewer name, approval or denial of access, date etc.) for external auditors, especially if the organization falls under the purview of SOX, HIPAA etc.
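As an added example, not part of the original post, the following Python sketch runs steps 1 to 4 over constructed account exports from two systems: it correlates accounts to identities, flags orphaned accounts (no owner, or an owner who is no longer active) and excessive privilege, routes each finding to the application owner or the person's manager, and writes a decision record of the kind an auditor would ask for. All systems, names, roles and addresses below are constructed sample data.

```python
from datetime import date

# Step 1: constructed account exports, one list of (account, role) per system.
ACCOUNTS = {
    "AD": [("JD1", "user"), ("asmith", "domain-admin"), ("svc_old", "user"), ("blee", "user")],
    "Salesforce": [("john.doe", "admin"), ("alice.smith", "user")],
}
# Constructed HR system of record: identity -> status, manager, admin entitlement.
IDENTITIES = {
    "John Doe": {"status": "active", "manager": "M. Chen", "may_admin": False},
    "Alice Smith": {"status": "active", "manager": "M. Chen", "may_admin": True},
    "Bob Lee": {"status": "terminated", "manager": "M. Chen", "may_admin": False},
}
# Step 2: accounts tabulated against identities (constructed correlation table).
ACCOUNT_OWNER = {
    ("AD", "JD1"): "John Doe", ("Salesforce", "john.doe"): "John Doe",
    ("AD", "asmith"): "Alice Smith", ("Salesforce", "alice.smith"): "Alice Smith",
    ("AD", "blee"): "Bob Lee",  # svc_old has no owner on record
}
# Step 3: who reviews what (constructed addresses).
APP_OWNER = {"AD": "ad-owner@example.test", "Salesforce": "sf-owner@example.test"}
PRIVILEGED_ROLES = {"admin", "domain-admin"}


def find_violations():
    """Return one (system, account, reason, reviewer) tuple per finding.

    Orphaned accounts go to the application owner; excessive privilege goes to
    the identity's manager, who can judge whether the role is still needed.
    """
    findings = []
    for system, accounts in ACCOUNTS.items():
        for account, role in accounts:
            person = IDENTITIES.get(ACCOUNT_OWNER.get((system, account)))
            if person is None or person["status"] != "active":
                findings.append((system, account, "orphaned account", APP_OWNER[system]))
            elif role in PRIVILEGED_ROLES and not person["may_admin"]:
                findings.append((system, account, "excessive privilege", person["manager"]))
    return findings


def record_decision(finding, approved, when=None):
    """Step 4: proof of compliance: who decided what about which account, and when."""
    system, account, reason, reviewer = finding
    return {"system": system, "account": account, "reason": reason,
            "reviewer": reviewer, "decision": "approved" if approved else "revoked",
            "date": when or date.today().isoformat()}
```

Running `find_violations()` on the sample data yields two orphaned AD accounts (svc_old with no owner, blee whose owner is terminated) and one excessive-privilege finding for john.doe in Salesforce.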

As a best practice, privileged accounts should be reviewed on a monthly basis, while accounts in critical systems under the purview of SOX, HIPAA etc. should be reviewed on a quarterly basis.

A question that often arises is whether these reviews should be automated. This is more a question of efficiency, risk mitigation and compliance than of pure preference. Automating the user access review process greatly improves efficiency and accuracy. Automatic data ingestion using connectors makes data collection straightforward. A centralized reviewer dashboard notifies approvers of new reports and ensures the date and approval are tracked with electronic sign-off. This approval, along with any related change requests, is then captured in the documented workflow and stored for future audits.

SecurEnds is leading the market with its lightweight, highly configurable and industry-first flex-connector product that keeps companies secure while meeting audit and compliance requirements, and leads other SaaS providers on Gartner Peer Reviews and Capterra Reviews. Our software allows you to load user data from multiple systems of record, connect dynamically to applications, match identities with user credentials, manage heartbeat identities across connected and disconnected, schedule one-time or periodic access recertifications, and create proof of compliance for external auditors. In only 30 minutes we can demo why our SaaS software is now a leading choice for identity governance.