
A Step-by-Step Guide to User Access Reviews + Template

March 12, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

In 2023, OneMain Financial made headlines for experiencing at least three lengthy cybersecurity events between 2018 and 2020. These were tied to security program and access control failures that made it more vulnerable to instances of unauthorized access, according to audit findings from the New York Department of Financial Services.

Ultimately, OneMain paid a $4.25 million penalty to the state regulator for lack of adherence to the NYDFS Cybersecurity Regulation, which requires financial entities to employ a range of best practice measures to protect their information systems and consumer data from security risks. One such requirement is limiting user access privileges for systems that contain consumer data and periodically reviewing access privileges. 

To help avoid cybersecurity incidents tied to unauthorized access and large fines like this, organizations must understand what a user access review is, what the step-by-step process is, why it may be the most important part of access controls and compliance, and how automation can help simplify it. We’ll cover all this below.

What is a user access review?

A user access review, UAR for short, refers to the periodic review of the credentials and privileges of users who can access certain data, applications, and networks in order to remove any unnecessary and inappropriate privileges and/or individuals with credentials. Potential users might be admins, management, employees, vendors, service providers, and other third parties that your organization has worked with. 

This type of review should answer four major questions:

  • Who is accessing what?
  • What level of access do these users have?
  • Do these users have valid reasons for their access rights and privileges?
  • What updates need to be made to their access rights and privileges?

Let’s take a closer look at why UARs are key to information security and regulatory compliance below.

Why is user access review important?

User access reviews are important for a few key reasons. Let’s take a look at them below.

1. Protecting data and assets

Stolen credentials, malicious insiders, and third-party security gaps are just a few causes of data breaches. Periodic access reviews can help your organization identify any individuals who should not have credentials, like malicious insiders, third parties, and departed/disgruntled employees, which can help reduce the risk of data breaches. 

2. Meeting compliance requirements

In addition to protecting an organization's data and IT assets, performing user access reviews can help meet requirements of many security and compliance frameworks, including federal frameworks.

Some of the most common cybersecurity frameworks that mandate user access reviews are listed in the table under “Which frameworks require user access reviews for compliance?” below.

3. Enhancing risk management

In addition to meeting regulatory requirements, user access reviews also help organizations improve their overall risk management capabilities, particularly against insider threats and disgruntled former employees. They facilitate several principles that are key to role-based access control (RBAC), including:

  • Separation of duties: Dividing critical business functions into discrete tasks, which are then assigned to different individuals to reduce the chance of one individual carrying out malicious activities, like fraud. When performing periodic user access reviews, you can verify that no single user has all the privileges necessary to complete a critical business function by themselves.
  • The need-to-know principle: Only providing users with the access to information they need to complete their work. An effective user access review will ensure that each user has legitimate reasons to access certain data. 
  • The principle of least privilege: Only providing users with the privileges they need to complete their work. Unlike need-to-know, this principle applies not only to users but also to applications, devices, and service accounts. It also limits not only who has access to certain applications and systems but what they can do once granted access (view, edit, etc.). During user access reviews, you can verify that each user has the bare minimum access needed to perform their job functions. For example, a budget analyst likely only needs read-only privileges to payroll software in order to complete a quarterly or annual report. 

4. Reducing licensing costs

User access reviews can also help organizations reduce spend on licensing costs. During a review, you may identify users who have access to certain systems that they don’t need, or haven’t used in a while, and remove them. If you don’t perform these reviews, you’ll be at risk of overspending on unnecessary system licenses and accounts. 

Which frameworks require user access reviews for compliance?

As mentioned above, some security and compliance frameworks have requirements that specifically mention user access reviews or can be met by implementing a process for periodic user access reviews, among other controls. 

Take a closer look at those frameworks and their requirements in the table below. 

Framework | User Access Review Requirement
CIS Critical Security Controls® | Control 6 (Access Control Management) requires periodic reviews to manage, modify, or remove user access as needed.
CJIS | CJIS Security Policy requirement 5.5.1 mandates regular reviews of user access permissions to ensure only authorized personnel can access law enforcement data.
CMMC | AC.L2-3.01.05 requires periodic user access reviews to achieve least privilege.
Cyber Essentials | Cyber Essentials requires organizations to control and review user access, ensuring only authorized personnel have the access to devices, applications, and sensitive business information they need to perform their job.
FTC Safeguards Rule | The Safeguards Rule mandates that financial institutions conduct periodic access reviews to ensure employees have appropriate access to customer information based on a legitimate business need.
GDPR | Article 25 (Data protection by design and by default) requires limiting access to personal data, which can be enforced via user access reviews.
CCPA/CPRA | Section 1798.100 (General Duties of Businesses that Collect Personal Information) requires organizations to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, which includes user access reviews.
HIPAA | 45 CFR § 164.308 specifies administrative safeguards to ensure that all members of the workforce have appropriate access to electronic protected health information (ePHI).
ISO 27001:2022 | Annex A 5.18 requires organizations to regularly review and adjust user access rights to ensure consistency with job responsibilities.
NIST CSF | PR.AC (Identity Management and Access Control) highlights the need for managing and reviewing user access rights to mitigate risks.
NIST 800-53 | AC-02(j) (Account Management) requires periodic reviews of user accounts to ensure compliance with account management requirements.
FedRAMP | FedRAMP uses NIST 800-53’s AC-02(j) control but specifies an additional parameter, requiring monthly reviews for privileged access and every six months for non-privileged access.
TX-RAMP | TX-RAMP uses NIST 800-53’s AC-02(j) control but specifies an additional parameter, requiring reviews at least annually.
NYDFS | NYCRR 500 Section 500.7 (Access Privileges) mandates that each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.
PCI DSS | Requirement 7 (Restrict Access to System Components and Cardholder Data by Business Need to Know) requires organizations to conduct periodic access reviews to ensure only authorized users can access sensitive system components.
SOC 1® | SOC 1 requires access controls, including user access reviews, to maintain the security and integrity of financial reporting systems.
SOC 2® | CC6.2 specifies that organizations must register, authorize, and remove user system access and credentials when necessary.
SOX | Section 404 requires companies to implement and maintain internal controls to prevent fraud and ensure financial data integrity, which can include user access reviews.

User access review process

Now that you understand the benefits of user access reviews, it’s time to map out each step of the process. 

1. Inventory your tools and users

To start, inventory all current tools and technologies that you use. 

Then list all users, including internal and external users as well as users who have been terminated, and what access and privileges they have to each tool and technology. Make sure to note whether they are an admin or user and if they have access to privileged accounts.

Now you’re ready to review whether their current access rights are appropriate and necessary, or whether they need to be changed. 

2. Revoke access rights of terminated employees and third parties

During user access reviews, it’s important to check that the accounts of former employees, partners, and other third parties are inactive.

The access rights of these users should be revoked immediately upon termination, but periodic reviews help catch any oversight. If access wasn’t revoked, disable and remove these accounts immediately and update your employee and vendor offboarding processes to ensure this step happens automatically in the future.

3. Move or revoke permissions of shadow admin accounts

You should also check for shadow admin accounts during user access reviews. These are non-admin user accounts with sensitive privileges that effectively make them admins. Unlike privileged admin accounts, these typically aren’t part of a privileged admin Active Directory (AD) group because they were granted sensitive privileges directly.

Shadow admin accounts are highly desired by malicious users because they can be exploited to gain access to critical infrastructure and sensitive data, but are not as easy to identify and monitor as accounts under the well-known admin groups. To mitigate the risk of these accounts, you can revoke the sensitive privileges they don’t need or move them into a privileged admin group where they can be closely monitored. 

4. Check for privilege creep of employees that have changed roles

As employees are promoted, switch teams, or otherwise change roles within the organization, their access permissions can accumulate. This gradual accumulation of access rights that exceed what they need to do their job is known as privilege creep.

You can look for this during a user access review. To start, identify any employees that have recently switched departments or roles and ensure that these employees’ access permissions match their current job responsibilities. Remove any permissions that were only necessary in their previous position. 

5. Remove any unnecessary access or privileges of the users that are left

Once you’ve carefully evaluated and revoked any unnecessary privileges of terminated users, shadow admins, and employees that changed roles, it’s time to review the access rights of users that are left. You want to ensure that all employees, vendors, and other users only have access to resources and assets as well as privileges in apps and systems that are strictly required to do their jobs. 

6. Downgrade permanent to temporary access when possible

During a user access review, you may also evaluate whether users need permanent access to the applications and data that they currently have. Some users only need access to certain data or applications for a short time (e.g., to complete a project or conduct an audit). In that case, they don’t need permanent access rights. 

You can convert permanent access to temporary access or provide new users temporary access using a variety of methods, such as:

  • Time-restricted accounts that automatically expire after a set duration
  • One-time passwords (OTPs) or just-in-time (JIT) access models
  • Privileged access management (PAM) tools that enforce temporary elevated privileges when necessary
  • Expiration policies and alerts to revoke temporary access when it is no longer needed

7. Review access approval workflows

In addition to reviewing individual users’ access and privileges, you should also review the workflows for granting or revoking access. Questions to consider include:

  • Who has the authority to approve access requests? Ensure that access requests go through proper managerial or IT security approvals.
  • Are approvals documented? Keep an audit trail of who requested, approved, and modified access permissions and when these were done.
  • Are multi-factor authentication (MFA) or other authentication controls in place? Ensure that sensitive accounts require additional authentication for access.

8. Document the changes you made

To ensure transparency and simplify subsequent reviews, document each review cycle. You may include the list of tools and who has user or admin rights to each as well as reviewer comments, approver decisions, and any access changes made.

9. Formalize a review cycle

User access reviews should be conducted on a regular basis, as dictated by organizational policies and compliance requirements. It’s typical for user access reviews to take place at least annually. In high-risk industries like finance and healthcare, reviews may need to take place semi-annually or quarterly. 

Reviews should also take place when there is a major organizational change, such as layoffs, mergers, or new compliance mandates.
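The nine steps above can be run as one pass over an exported entitlement inventory. The following is an added example (not the article’s or Secureframe’s code) over a constructed inventory and HR feed; every user, system, group, and role baseline in it is hypothetical. It flags terminated or unknown users (step 2), shadow admins holding sensitive privileges granted directly rather than through an admin group (step 3), entitlements outside the current role’s baseline (steps 4 and 5), expired temporary access (step 6), and produces a record of the cycle (step 8).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    privilege: str               # e.g. "read", "edit", "admin", "reset_passwords"
    granted_via: str             # "group:<name>" or "direct"
    expires: Optional[date] = None   # set only for temporary access


# Constructed inventory (step 1): who has what, and how it was granted.
INVENTORY = [
    Entitlement("alice", "payroll", "read", "group:Finance-Readers"),
    Entitlement("alice", "payroll", "edit", "direct"),               # left over from a previous role
    Entitlement("bob", "crm", "read", "group:Sales"),                # bob has been terminated
    Entitlement("carol", "ad", "reset_passwords", "direct"),         # shadow admin: sensitive, granted directly
    Entitlement("dave", "ad", "admin", "group:Domain Admins"),       # real admin, in an admin group
    Entitlement("vendor-x", "ticketing", "read", "direct", date(2025, 1, 31)),  # temporary, expired
    Entitlement("erin", "crm", "read", "group:Sales"),               # missing from the HR feed
]

# Constructed HR feed: current role per person, or "terminated" once offboarded.
HR_STATUS = {"alice": "finance_analyst", "bob": "terminated", "carol": "helpdesk",
             "dave": "sysadmin", "vendor-x": "vendor"}

# Role baseline (step 5): the (system, privilege) pairs each role legitimately needs.
ROLE_BASELINE = {
    "finance_analyst": {("payroll", "read")},
    "helpdesk": {("ticketing", "edit")},
    "sysadmin": {("ad", "admin")},
    "vendor": {("ticketing", "read")},
}

# Privileges that make an account an effective admin (step 3).
SENSITIVE_PRIVILEGES = {"admin", "reset_passwords", "manage_roles"}

REVIEW_DATE = date(2025, 3, 12)   # constructed review date


def review(inventory, hr_status, baseline, today):
    """Return one finding per entitlement that needs action, in inventory order."""
    findings = []
    for e in inventory:
        role = hr_status.get(e.user)
        finding = {"user": e.user, "system": e.system, "privilege": e.privilege}
        if role is None or role == "terminated":
            finding.update(issue="terminated_or_unknown_user", action="revoke")
        elif e.privilege in SENSITIVE_PRIVILEGES and e.granted_via == "direct":
            finding.update(issue="shadow_admin", action="revoke_or_move_to_admin_group")
        elif e.expires is not None and e.expires < today:
            finding.update(issue="expired_temporary_access", action="revoke")
        elif (e.system, e.privilege) not in baseline.get(role, set()):
            finding.update(issue="exceeds_role_baseline", action="remove_privilege")
        else:
            continue   # entitlement matches the current role; nothing to record
        findings.append(finding)
    return findings


def review_record(findings, reviewer, today):
    """Step 8: summary of the cycle kept for the next review and for auditors."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return {"reviewed_on": today.isoformat(), "reviewer": reviewer,
            "findings": len(findings), "by_issue": counts}


if __name__ == "__main__":
    found = review(INVENTORY, HR_STATUS, ROLE_BASELINE, REVIEW_DATE)
    for f in found:
        print(f"{f['user']:9} {f['system']:10} {f['privilege']:16} {f['issue']:27} -> {f['action']}")
    print(review_record(found, "it-owner", REVIEW_DATE))
```

Entitlements that match the role baseline (alice’s payroll read access, dave’s group-based admin access) produce no finding, which is what keeps the review focused on the exceptions an auditor will ask about.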

User access review template

We've created a free user access review template to help simplify the process of evaluating and managing user permissions so you can better protect your data, meet compliance requirements, enhance risk management, and reduce licensing costs at your organization.


Ready to implement user access reviews at your organization? Use the template below to kick off the process.

User access review best practices

To ensure your user access management program is set up for success, here are a few best practices to keep in mind when performing user access reviews.

Be consistent

Consistency is key to a successful access management program. Setting up a consistent review schedule for access reviews can ensure that you identify any unnecessary or inappropriate individuals with access and sensitive privileges and revoke them before any security incident or reputational damage takes place. 

Include access reviews in employee training

Training your employees on how best to review access rights can also help improve the access review process. Training might cover:

  • sending timely communication or notifications about employee turnover
  • involving leadership in access reviews
  • submitting user access reports to IT or systems administrators when changes need to occur
  • using access review tools to automate some parts of the process

Get key stakeholders involved

When setting up a user access review process at your organization, consider if the correct stakeholders are involved. For example, rather than delegating the responsibility of distributing and reviewing access to users to the IT team, consider getting managers involved in the review process. Managers will have more insight into who on their teams or departments should have access to certain data and applications, especially if there has been turnover or other changes on their team. 

Review privileged administrators’ and users’ access quarterly

Since privileged administrators and users have the most capabilities within a system, reviewing their access at least quarterly is crucial for maintaining security. Doing so also promotes accountability and transparency within an organization, fostering a culture of responsibility and trust in managing sensitive information and keeping access up to date and in accordance with least privilege.

Integrate user access reviews into the onboarding and offboarding lifecycle

User access should be part of the employee onboarding and offboarding process. For example, before a new employee starts, HR and IT should coordinate and communicate to figure out what tools they’ll need access to and what permissions they’ll need. If an existing employee is changing roles, then they should also communicate what systems and permissions that they will gain or lose access to.

Access review and control plays an even more prominent role in offboarding. You want to ensure that you remove access to sensitive data, systems, and tools at the appropriate time, based on the departing employee’s risk level. As long as the employee isn’t high-risk, it’s important to notify them of the date when their accounts will no longer be available. 

Document a user access review policy

Having a formalized policy about user access reviews ensures consistency and accountability across the organization. This policy can be standalone or part of a broader Access Control Policy that covers user provisioning, authentication, least privilege enforcement, and revocation processes.

Key elements to include in a User Access Review or Access Control Policy are:

  • Review frequency: Define how often user access reviews should be conducted (e.g., quarterly for privileged accounts, annually for standard users).
  • Roles and responsibilities: Assign accountability to IT teams, department managers, security teams, and auditors.
  • Review process: Outline the steps for reviewing, approving, and revoking access rights.
  • Compliance requirements: Reference frameworks like NIST 800-53, ISO 27001, HIPAA, and SOC 2 to ensure alignment with security best practices.
  • Documentation and reporting: Specify how access reviews will be logged, reported, and retained for audits.

Automate user access reviews

Manually tracking and reviewing access can be time-consuming and prone to errors. Automating user access reviews using software can significantly improve efficiency. A tool that integrates with HR and IT systems, like a compliance automation tool, can help align your account management processes with personnel termination and transfer processes. That way, you’re more likely to catch inactive accounts or excessive privileges.

Many compliance frameworks encourage the use of automated tools for user account management for this reason. For example, NIST 800-53’s vast catalog of controls for systems and organizations to manage cybersecurity and privacy risk includes a control enhancement for automated system account management, AC-02(01).

Challenges of manual user access reviews

Manual user access reviews present significant challenges that can drain resources, create bottlenecks, and leave gaps in security visibility. 

In a survey by Zluri, when asked what the main challenges their organization faced in conducting manual access reviews, respondents said:

  • Takes up a lot of company resources (45%)
  • Modifying access individually for each application after conducting reviews (45%)
  • Overshoots deadlines (41%)
  • Generating evidence for auditors post review (37%)
  • Takes a lot of time (31%)
  • Need to coordinate with multiple stakeholders (29%)
  • No/limited visibility into who has access to what applications (27%)
  • No/limited visibility into application usage information (24%)

Here’s a closer look at these obstacles:

Resource-intensive process

Manual access reviews require teams to go through each user’s access permissions across various applications, a time-consuming task that diverts resources away from strategic initiatives. Security and IT teams often have to allocate a substantial portion of their time to this tedious task, increasing the risk of burnout, inefficiency, and error.

The same survey by Zluri found that organizations with completely manual access reviews need 23 people on average to complete an access review compared to those with fully automated access reviews who need 15. 

Complexity of modifying access

During access review, identifying each user’s access permissions is only part of the process. Modifying permissions based on user status or designation is another key part. If doing so manually, IT staff need to log into multiple systems, track down specific users, and make adjustments one at a time. This should occur whenever employees change roles or leave, not just on a periodic basis like once a year. Modifying access permissions manually across several applications can introduce delays, increasing the risk of excessive or inappropriate access.

Difficulty generating evidence for auditors

After completing a manual access review, generating audit-ready evidence can be a challenge. Many organizations lack tools that can easily document the changes made or track who approved access modifications. This lack of automated evidence generation creates additional work for IT teams and can delay audits, introduce gaps, or lead to additional back-and-forth or requests from the auditor.

Time-consuming

When taking a manual approach, each user’s access must be evaluated individually across multiple applications. That means the user access review team must manually retrieve user data from each application and review each user’s current role or designation against data from a single sign-on (SSO) or human resources tool. For large organizations with hundreds or thousands of users, this can translate into weeks or even months of manual effort for each review cycle. This time burden often leads to delays and missed deadlines and, in some cases, skipped reviews, leaving the company vulnerable to breaches and compliance risks. 

Also in the survey by Zluri, it took organizations with completely manual access reviews 149 days to complete a full access review versus the 55 days it took organizations with fully automated access reviews. 

Coordination across multiple stakeholders

User access reviews often require input from several stakeholders, including department heads, IT, and compliance teams. Coordinating with these groups is challenging, as each may have different availability and priorities. Without streamlined collaboration tools, delays and misunderstandings are common and can impact the timeliness and accuracy of the access review process.

Limited visibility

In a manual setup, companies often lack centralized visibility into who has access to each application or how they use different applications. Without a consolidated view, it’s difficult to identify over-privileged users or to detect access patterns that may indicate security risks. This lack of visibility not only compromises security but also makes it harder to ensure that access reviews are comprehensive and effective.

As a result of these challenges, many organizations are moving toward automated user access review solutions. In fact, nearly 90% of IT and security professionals agree that their organization would benefit from automating access reviews. Let’s take a closer look at the benefits of automation below.

How automation can simplify user access reviews

Automating user access reviews can help address the challenges above, reducing the risk of human error and improving efficiency in the user access review process.

Here are key ways it can improve the workflow:

  • Reducing the back-and-forth communication required among IT and other teams: If using an automation platform like Secureframe, for example, all information about personnel, vendors, and their access rights will be pulled in and updated automatically. That means IT and other key stakeholders in the user review process can access all the necessary and up-to-date information about users and their access rights. 
  • Improving accuracy and reporting: A compliance automation platform that can seamlessly integrate with your systems and platforms is crucial for an accurate and comprehensive user access review. Automation tools can not only generate more comprehensive data and reports about user access, they can also reduce the chances of errors that may occur during manual user access reviews. According to Zluri’s The State of Access Review, organizations with fully automated access review processes have reduced their error rate by 40% on average.
  • Reducing headcount and time constraints: Automating the user review process can also free up valuable resources and time for other high-priority initiatives. According to Zluri’s research, organizations with fully automated access reviews have reduced the number of employees managing the access review process by 30% and reduced the time spent conducting access reviews by 40% on average. 

How Secureframe can help simplify user access reviews

Periodically reviewing and limiting access privileges can help protect your organization from cyber incidents related to unauthorized access. 

Secureframe can help simplify and automate parts of user access management to help keep your organization safe, including:

  • Tracking all users, including inactive and non-personnel: Manage roles, groups, and permissions, providing necessary access to systems and resources based on what each person needs to perform their job duties all in one platform. 
  • Monitoring vendor access: Track the level of access each person has to your integrations and make sure each has the necessary access to get their job done. Decrease your attack surface and strengthen your security posture by limiting the number of personnel with full access to your sensitive data. 
  • Reducing shadow IT: Detect any systems and applications employees are using with their work credentials (work email) that may not be approved by the IT department.

To learn more about how Secureframe can help you simplify access management, schedule a demo.

FAQs

What is the user access review approach?

Each organization may take a unique approach to user access reviews. However, it should include some common components like:

  • Revoking access rights of terminated employees and third parties
  • Identifying and removing shadow admin accounts
  • Checking for privilege creep of employees that have changed roles or teams
  • Limiting users' privileges to the bare minimum to do their jobs
  • Reviewing each employee’s access and privileges at a granular level. Auditors will look to see that the review is done at that granular level. 

What is access review?

An access review is a security control to periodically assess and verify that legitimate users have only the access to data, applications, and infrastructure they need to perform their job functions.

Who should do the user access review?

Each application’s IT owner should perform the user access review. They can delegate some parts of the process to managers and other employees, but the owner is ultimately responsible and accountable for this control and any violations.

How frequently should you do user access reviews?

The frequency of user access reviews depends on industry regulations and standards, organizational risk tolerance, and the sensitivity of the systems and data being accessed. Many frameworks, including NIST 800-53, PCI DSS, ISO 27001, and SOC 2, emphasize the importance of periodic access reviews to ensure that only authorized individuals retain access to critical systems. 

While organizations should determine a review frequency that aligns with their security posture, compliance obligations, and operational needs, here are some guidelines based on common cybersecurity and compliance frameworks:

  • Privileged users and admins: Review at least quarterly (SOC 2, PCI DSS, NIST 800-53 AC-6).
  • General user accounts: Review at least annually (ISO 27001, HIPAA, NIST 800-53 AC-2).
