Back to Blog

Step 4 – User Access Review Best Practices: Review System Access and Permissions

By Finosec

January 26, 2023

Get notified on new insights from Finosec now!

Be the first to know about new Finosec blogs to grow your knowledge of the cybersecurity governance industry today!

Step Four in the FINOSEC user access review best practice series is to ensure users who have access to your systems have legitimate duties that justify not only access but their specific permissions for those systems.

Step Four: Review System Access and Permissions

In Step Three, you assessed your system risks and categorized them as high, medium, or low. This assessment helped you create your annual plan for user access reviews based on risk. Now, it’s time to get a bit more granular. Continuing our theme of starting with the most important, we must look at privileged access permissions first. You need to validate that the users with privileged access to your systems have job duties requiring that level of access. You then need to confirm you are managing all of your users to the principle of least privilege, meaning that users have the least permissions necessary to do their jobs.

Who exactly are “users”?

The term “users” includes employee accounts, contractor accounts, system accounts, service accounts, vendor accounts, and API integrations. The systems and data accessed by these accounts may exist outside your institution’s firewall and should be reviewed.

About those vendor accounts…

The access vendors have to your data, such as for managed services providers, should be analyzed in terms of “active or inactive.” For example, do all the vendors currently classified as active need to be active, or should some be classified as inactive?

Where do I start?

Your permissions review should start with the high-risk functions on your highest-risk systems. This lets you focus on perhaps 20-30 of the most crucial privileged permissions. Then you can address the rest of the more typical users at a later time.

You need to review all account changes from previous reviews.

When roles change, ensure the permissions no longer needed have been removed and confirm that the appropriate new permissions have been added. You also have to inspect individual permission changes and permissions that have been added to a security group. If you can structure your review to focus only on what’s changed, it’s a far more efficient process.

Finally, work together!

Reach out to HR, Department Managers, and anyone else who can help you validate what permissions are required to fulfill the duties of a given role. The odds are that it needs to be clearly defined, and users may have more access than they need.

There are three significant side effects of this effort:

  1. Onboarding a new employee
    When hired for a specific job role, IT will know precisely what permissions to give the user to complete their work resulting in fewer helpdesk tickets.
  2. Terminating a user
    One of the most common IT Security Audit findings is a terminated user with an active account hanging around. By documenting the systems a user has access to, you will know what systems they need to be removed from and can avoid that audit finding.
  3. Changing Job Roles
    If a user is changing jobs, more often than not, they are given the permissions they need for their new role, but the permissions they don’t need are not removed. By documenting the required permissions for each job role, you will know what to add and, most importantly, what to remove.

Want more information?

Are you intrigued by what you’ve read? This is the fourth step of a five-step improved UAR process. There’s one more yet to come. You can review the previous blogs here:

Or, if your frustration has already spiked because your institution still follows outdated processes to complete your user access reviews, you should contact FINOSEC today. We’d love to work alongside you to simplify your user access review process and make them easier than ever!

More from Finosec

Partnering for Peace of Mind and Effective Oversight

Partnering for Peace of Mind and Effective Oversight

Pendleton Community Bank, a $700 Million Dollar Bank with 133 Employees in Franklin, WV, led by CEO Bill Loving, faced a critical challenge when their Information Security Officer departed, leaving a significant void in their oversight capabilities. Their goal was clear: establish an effective process for information security governance and cybersecurity oversight to ensure compliance and peace of mind.

Talk To An Expert Now
Talk To An Expert Now 770.268.2765