In 2023, OneMain Financial made headlines for experiencing at least three lengthy cybersecurity events between 2018 and 2020. These were tied to security program and access control failures that made it more vulnerable to instances of unauthorized access, according to audit findings from the New York Department of Financial Services.

Ultimately, OneMain paid a $4.25 million penalty to the state regulator for lack of adherence to the NYDFS Cybersecurity Regulation, which requires financial entities to employ a range of best practice measures to protect their information systems and consumer data from security risks. One such requirement is limiting user access privileges for systems that contain consumer data and periodically reviewing access privileges. 

To help avoid cybersecurity incidents tied to unauthorized access and large fines like this, organizations must understand what a user access review is, what the step-by-step process is, why it may be the most important part of access controls and compliance, and how automation can help simplify it. We’ll cover all this below.

What is a user access review?

A user access review, UAR for short, refers to the periodic review of the credentials and privileges of users who can access certain data, applications, and networks in order to remove any unnecessary and inappropriate privileges and/or individuals with credentials. Potential users might be admins, management, employees, vendors, service providers, and other third parties that your organization has worked with. 

This type of review should answer four major questions:

• Who is accessing what?
• What level of access do these users have?
• Do these users have valid reasons for their access rights and privileges?
• What updates need to be made to their access rights and privileges?

Why is user access review important?

User access reviews are important for a few key reasons. Let’s take a look at them below.

1. Protecting data and assets

Stolen credentials, malicious insiders, and third-party security gaps are just a few causes of data breaches. Periodic access reviews can help your organization identify any individuals who should not have credentials, like malicious insiders, third parties, and departed/disgruntled employees, which can help reduce the risk of data breaches. 

2. Meeting compliance requirements

In addition to protecting an organization's data and IT assets, a user access review is an essential prerequisite for the thorough implementation of security and compliance frameworks.

‍Access reviews are mandatory for complying with many of the most common security frameworks and standards including the following: 

• SOC 1®
• SOC 2®
• HIPAA
• SOX
• ISO 27001
• PCI DSS
• GDPR
• FTC Safeguards Rule
• NYDFS NYCRR 500
• NIST 800-53
• NIST CSF
• CMMC
• CIS
• Cyber Essentials
• CJIS

3. Enhancing risk management

User access reviews also help organizations improve their overall risk management capabilities, particularly against insider threats and disgruntled former employees. It facilitates several principles that are key to access control, including:

• Separation of duties: Dividing critical business functions into discrete tasks, which are then assigned to different individuals to reduce the chance of one individual carrying out malicious activities, like fraud. When performing periodic user access reviews, you can verify that no single user has all the privileges necessary to complete a critical business function by themselves.
• The need-to-know principle: Only providing users with the access to information they need to complete their work. An effective user access review will ensure that each user has legitimate reasons to access certain data. 
• The principle of least privilege: Only providing users with the privileges they need to complete their work.Unlike need-to-know, this principle applies to both users and applications, devices, and service accounts. It also not only limits who has access to certain applications and systems but what they can do if granted access (view, edit, etc.). During user access reviews, you can assess that each user has the bare minimum access needed to perform their job functions. For example, a budget analyst likely only needs read-only privileges to payroll software in order to complete a quarterly or annual report. 

4. Reducing licensing costs

User access reviews can also help organizations reduce spend on licensing costs. During a review, you may identify users who have access to certain systems that they don’t need, or haven’t used in awhile, and remove them. If you don’t perform these reviews, you’ll be at risk of overspending on unnecessary system licenses and accounts. 

User access review process

Now that you understand the benefits of user access reviews, it’s time to map out each step of the process. 

1. Inventory your tools and users

To start, inventory all current tools and technologies that you use. Then list all users, including internal and external users as well as users who have been terminated, and what access and privileges they have to each tool and technology. Make sure to note whether they are an admin or user and if they have access to privileged accounts.

Now you’re ready to review whether their current access rights are appropriate and necessary, or whether they need to be changed. 

2. Revoke access rights of terminated employees and third-parties

During user access reviews, it’s important to check that the accounts of former employees, partners, and other third parties are inactive.

The access rights of these users should be revoked immediately upon termination. If you notice they haven’t been, you can revoke them and then update your offboarding process to ensure this takes place upon termination. 

3. Move or revoke permissions of shadow admin accounts

You should also check for shadow admin accounts during user access reviews. These are non-admin user accounts with sensitive privileges that effectively make them admins. Unlike privileged admin accounts, these typically aren’t part of a privileged admin Active Directory (AD) group because they were granted sensitive privileges directly.

Shadow admin accounts are highly desired by malicious users because they can be exploited to gain access to critical infrastructure and sensitive data, but are not as easy to identify and monitor as accounts under the well-known admin groups. To mitigate the risk of these accounts, you can revoke the sensitive privileges they don’t need or move them into a privileged admin group where they can be closely monitored. 

4. Check for privilege creep of employees that have changed roles

As employees are promoted, switch teams, or otherwise change roles within the organization, their access permissions can accumulate. This gradual accumulation of access rights that exceed what they need to do their job is known as privilege creep.

You can look for this during a user access review. To start, identify any employees that have recently switched departments or roles and ensure that these employees’ access permissions match their current job responsibilities. Remove any permissions that were only necessary in their previous position. 

5. Remove any unnecessary access or privileges of the users that are left

Once you’ve carefully evaluated and revoked any unnecessary privileges of terminated users, shadow admins, and employees that changed roles, it’s time to review the access rights of users that are left. You want to ensure that all employees, vendors, and other users only have access to resources and assets as well as privileges in apps and systems that are strictly required to do their jobs. 

6. Downgrade permanent to temporary access when possible

During a user access review, you may also evaluate whether users need permanent access to the applications and data that they currently have. Some users only need access to certain data or applications once or a couple times. In that case, they don’t need permanent access rights. They can be granted temporary access instead in the form of one-time passwords, for example.

7. Document the changes you made

To ensure transparency and simplify subsequent reviews, document each review cycle. You may include the list of tools and who has user or admin rights to each as well as reviewer comments, approver decisions, and any access changes made.

User access review best practices

To ensure your user access management program is set up for success, here are a few best practices to keep in mind when performing user access reviews.

Be consistent

Consistency is key to a successful access management program. Setting up a consistent review schedule for access reviews can ensure that you identify any unnecessary or inappropriate individuals with access and sensitive privileges and revoke them before any security incident or reputational damage takes place. 

Include access reviews in employee training

Training your employees on how best to review access rights can also help improve the access review process. Training might cover sending timely communication or notifications about employee turnover, involving leadership in access reviews, submitting user access reports to IT or systems administrators when changes need to occur, and using access review tools to automate some parts of the process.

Get key stakeholders involved

When setting up a user access review process at your organization, consider if the correct stakeholders are involved. For example, rather than delegating the responsibility of distributing and reviewing access to users to the IT team, consider getting managers involved in the review process. Managers will have more insight into who on their teams or departments should have access to certain data and applications, especially if there has been turnover or other changes on their team. 

Review privileged administrators and users access quarterly

Regularly reviewing privileged admin or privileged user access on a quarterly basis is crucial for maintaining security. Since privileged administrators and users have the most capabilities within a system, it is critical to review their access quarterly. Additionally, this promotes accountability and transparency within an organization, fostering a culture of responsibility and trust in managing sensitive information and keeping access up to date and in accordance with least privilege.

Integrate user access reviews into the onboarding and offboarding lifecycle

User access should be part of the employee onboarding and offboarding process. For example, before a new employee starts, HR and IT should coordinate and communicate to figure out what tools they’ll need access to and what permissions they’ll need. If an existing employee is changing roles, then they should also communicate what systems and permissions that they will gain or lose access to.

Access review and control plays an even more prominent role in offboarding. You want to ensure that you remove access to sensitive data and systems and tools at the appropriate time, based on their risk level. As long as the employee isn’t high-risk, it’s important to notify them of the date when their accounts will no longer be available. 

Automate user access reviews

If possible, automating user access reviews can reduce the risk of human error and improve efficiency in the user access review process.

Here are two key ways it can improve the process:

• Reducing the back-and-forth communication required among IT and other teams: If using an automation platform like Secureframe, for example, all information about personnel, vendors, and their access rights will be pulled in and updated automatically. That means IT and other key stakeholders in the user review process can access all the necessary and up-to-date information about users and their access rights. 
• Improving accuracy and reporting: Automation tools can also reduce the chances of errors that may occur during manual user access reviews. They can also generate more comprehensive data and reports about user access. 

User access review template

Ready to implement user access reviews at your organization? Use this template to kick off the process.

How Secureframe can help simplify user access reviews

Periodically reviewing and limiting access privileges can help protect your organization from  cyber incidents related to unauthorized access. 

Secureframe can help simplify and automate parts of user access management to help keep your organization safe, including:

• Tracking all users, including inactive and non-personnel: Manage roles, groups, and permissions, providing necessary access to systems and resources based on what each person needs to perform their job duties all in one platform. 
• Monitoring vendor access: Track the level of access each personnel has to your integrations and make sure each has the necessary access to get their job done. Decrease your attack surface and strengthen your security posture by limiting the number of personnel with full access to your sensitive data. 
• Reducing shadow IT: Detect any systems and applications employees are using with their work credentials (work email) that may not be approved by the IT department.

To learn more about how Secureframe can help you simplify access management, schedule a demo.