What is an access review and how does it relate to your identity audit?

Managing user accounts is essential to maintaining the security and integrity of your company’s data. This is why the NIST Cybersecurity Framework, section PR.AC-4, recommends that access reviews be conducted on a semiannual basis.

YouAttest automates access reviews for Okta and other resources.

When you fail to manage access to sensitive information, you expose your company to the risk of data breaches and fraud, and you fall out of compliance with identity governance regulations. To protect vital information, regular or periodic access reviews ensure that only those who are meant to access secure data can do so. They also play a key role when performing identity audits for your organization.

To start, what is an access review? An access review requires business administrators to review what each user in their system has access to. The process allows a company to keep track of what information users have the privilege to access so that they can change or revoke access when necessary. 

This process is vital to information security. As employment lifecycles become more complex, it becomes harder to track when people have changed roles or ended their working relationship with the employer. For example, when someone’s employment is terminated, they may still retain access to the employer’s systems and the sensitive information those systems contain. Alternatively, if someone transitions to a new role, they may still be able to access information that only their previous duties required. Both scenarios leave data exposed to people who no longer need it. An access review serves to remedy this, making sure that only those who need access retain it.
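The two scenarios above (a leaver who still holds entitlements and a mover who kept access from a previous role) are exactly what a reviewer is asked to certify or revoke. The following Python is an added example, not YouAttest’s or any vendor’s code: it assumes a hypothetical HR status feed, a hypothetical role baseline mapping, and a semiannual cadence, and it runs over a small constructed user population to produce the findings a reviewer would work through.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "accounts_payable": {"erp:ap_invoices", "email"},
    "sales": {"crm:accounts", "email"},
}
REVIEW_INTERVAL = timedelta(days=182)  # roughly semiannual, per the cadence the article cites

@dataclass
class User:
    user_id: str
    role: str
    hr_status: str            # "active" or "terminated", as reported by the (hypothetical) HR feed
    entitlements: set
    last_reviewed: Optional[date] = None  # date the user's access was last certified

def review_access(users, as_of, baseline=ROLE_BASELINE):
    """Return (user_id, finding, details) tuples for a reviewer to certify or revoke."""
    findings = []
    for u in users:
        if u.hr_status == "terminated":
            # Leaver: any remaining entitlement is an orphaned account
            if u.entitlements:
                findings.append((u.user_id, "orphaned_access", sorted(u.entitlements)))
            continue
        # Mover: entitlements beyond what the current role's baseline allows
        excess = u.entitlements - baseline.get(u.role, set())
        if excess:
            findings.append((u.user_id, "excess_for_role", sorted(excess)))
        # Cadence: never certified, or last certification older than the review interval
        if u.last_reviewed is None or as_of - u.last_reviewed > REVIEW_INTERVAL:
            findings.append((u.user_id, "review_overdue", [str(u.last_reviewed)]))
    return findings

# Constructed sample population: alice is clean, bob moved from AP to sales and kept
# an AP entitlement, carol was terminated but still has email, dave has not been reviewed.
SAMPLE_USERS = [
    User("alice", "accounts_payable", "active", {"erp:ap_invoices", "email"}, date(2024, 3, 1)),
    User("bob", "sales", "active", {"crm:accounts", "email", "erp:ap_invoices"}, date(2024, 3, 1)),
    User("carol", "accounts_payable", "terminated", {"email"}, date(2024, 3, 1)),
    User("dave", "sales", "active", {"crm:accounts", "email"}, date(2023, 10, 1)),
]

def sample_findings():
    return review_access(SAMPLE_USERS, date(2024, 6, 1))

if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```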

Access reviews play directly into an organization’s identity audit, whether internal or external. To ensure compliance with identity governance regulations, such as SOX or HITRUST, identity audits analyze the user accounts within an organization’s systems. During an identity audit, companies want to make sure that those accessing sensitive information are authorized and are complying with information security protocols and regulations. Organizations found not compliant can face steep fines and penalties.

Conducting regular access reviews and identity audits catches regulatory violations before information gets into the wrong hands. A data breach can severely impact a company, whether through fines, lost business, or a damaged reputation in its industry. Without the combination of the two processes, companies cannot gain a true understanding of the information they are allowing their employees to access.

Keeping sensitive information safe from malicious actions and threats is a key responsibility of any organization whose employees must access that information to do their jobs. Access reviews allow the organization to ensure that access to the information is controlled, so that breaches are prevented and compliance with the applicable regulations is maintained.

YouAttest automates the creation and completion of these access reviews. To learn more about YouAttest, please watch a customer webinar with Craig Guinasso, Director of Information Security at Exact Sciences, discussing the use of YouAttest for access reviews.

Garret Grajek, CISSP, CEH
CEO of YouAttest