
How to conduct a periodic user access review for account privileges

Periodic access reviews for enterprise identity and access management (IAM) can help ensure the necessary personnel have access to essential systems and unauthorized employees (or miscreants) don't. In this IAM expert response, learn how to do a periodic access review with this access review standard.

Where could I find a template or example version of a written standard for periodic access reviews? Something that would help with ensuring all the right areas/topics are included in the standard. This would be used as a sort of guidance for data/IT security analysts, internal auditors, application owners, data custodians and delegated administrators, ensuring all were working from the same set of directions and expectations.

I'm happy to share the high-level overview of my periodic user access review standard:

  1. Identify the business owners of every application.
  2. Instruct business owners to classify the data in their applications. Corporate policy should define the different classifications.
  3. If there is no policy on periodicity of access reviews based on the data classification, create one. I would suggest access to high-risk applications should be reviewed quarterly and every application should have a review conducted at least on an annual basis.
  4. The business owner should identify the departments that use its application(s) and approve or reject them. I recommend this approach because the business owner may not know what individuals should have access to the application, but they should know what departments are and what level of access is appropriate for those departments. At the end of this step there should be two lists: Approved departments and rejected departments.
  5. Notify the managers of the rejected departments that all of the people in their department will have their access removed from the application(s). I would give the managers two weeks to negotiate with the business owner before removal.
  6. Send the managers of the approved departments a list of all their employees with access to the applications and give them two weeks to approve each individual. There should be two new lists at the end of this step: the approved individuals and the rejected individuals.
  7. Remove access of the rejected individuals.
  8. Make sure that all of the approval transactions are recorded in an auditable manner.
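As an added sketch, not part of the original answer, here is how steps 4 through 8 could be modeled in Python: the business owner's department-level decisions, the managers' individual decisions (a missing decision counts as a rejection once the window passes), and a hash-chained log so the approval trail can be checked for after-the-fact edits. All names and sample data are constructed.

```python
import hashlib
import json

# Constructed sample data (not from the original answer): one application's
# user/department access list and the two stages of decisions.
ACCESS = [("alice", "Finance"), ("bob", "Finance"), ("carol", "Marketing"), ("dave", "HR")]
OWNER_DECISIONS = {"Finance": True, "Marketing": False, "HR": True}  # step 4
MANAGER_DECISIONS = {"alice": True, "bob": False}  # step 6; dave's manager never replied

class ReviewLog:
    """Append-only, hash-chained record of every approve/reject decision (step 8)."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, reviewer, action, subject):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"reviewer": reviewer, "action": action, "subject": subject, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)

    def verify(self):
        """True only if no entry was altered, dropped or reordered after the fact."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def review_application(app, access, owner_decisions, manager_decisions, log):
    """Steps 4-7: department-level review, then per-user review inside approved
    departments. A department or user with no recorded decision is rejected.
    Returns (keep, remove) sets of user names; every decision goes to the log."""
    keep, remove = set(), set()
    for dept, approved in owner_decisions.items():
        log.record(f"owner:{app}", "approve" if approved else "reject", f"dept:{dept}")
    for user, dept in access:
        if not owner_decisions.get(dept, False):
            remove.add(user)  # step 5: the whole department loses access
            continue
        ok = manager_decisions.get(user, False)  # no reply within the window = reject
        log.record(f"manager:{dept}", "approve" if ok else "reject", f"user:{user}")
        (keep if ok else remove).add(user)
    return keep, remove
```

Running `review_application("payroll", ACCESS, OWNER_DECISIONS, MANAGER_DECISIONS, ReviewLog())` keeps only alice and removes bob, carol and dave, with six logged decisions that `verify()` confirms intact.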

Also, a separate but important best practice is to make sure separation of duties among developers, data custodians and IT administration is well defined and documented.

There are some great products on the market that can help with this process. They are auditable, provide workflow engines, and some even interface with automated provisioning solutions. SailPoint Technologies Inc.'s Identity IQ and CA Inc.'s Eurekify's Sage are products worth investigating.

This was last published in February 2009



1 comment


User access and entitlement reviews for access certification audits are tedious and cumbersome. However, User Entitlement Reviews are an important control activity required for internal and external IT security audits.
SecurEnds CEM product automates User Entitlement reviews, allowing you to get in control of users' entitlements across a wide range of systems and at the same time enabling them to stay in control for access certification.