Which frameworks require user access reviews for compliance?

In 2023, OneMain Financial made headlines for experiencing at least three lengthy cybersecurity events between 2018 and 2020. These were tied to security program and access control failures that made it more vulnerable to instances of unauthorized access, according to audit findings from the New York Department of Financial Services.

Ultimately, OneMain paid a $4.25 million penalty to the state regulator for lack of adherence to the NYDFS Cybersecurity Regulation, which requires financial entities to employ a range of best practice measures to protect their information systems and consumer data from security risks. One such requirement is limiting user access privileges for systems that contain consumer data and periodically reviewing access privileges. 

To help avoid cybersecurity incidents tied to unauthorized access and large fines like this, organizations must understand what a user access review is, what the step-by-step process is, why it may be the most important part of access controls and compliance, and how automation can help simplify it. We’ll cover all this below.

What is a user access review?

A user access review, UAR for short, refers to the periodic review of the credentials and privileges of users who can access certain data, applications, and networks in order to remove any unnecessary and inappropriate privileges and/or individuals with credentials. Potential users might be admins, management, employees, vendors, service providers, and other third parties that your organization has worked with. 

This type of review should answer four major questions:

• Who is accessing what?
• What level of access do these users have?
• Do these users have valid reasons for their access rights and privileges?
• What updates need to be made to their access rights and privileges?

Let’s take a closer look at why UARs are key to information security and regulatory compliance below.

Why is user access review important?

User access reviews are important for a few key reasons. Let’s take a look at them below.

1. Protecting data and assets

Stolen credentials, malicious insiders, and third-party security gaps are just a few causes of data breaches. Periodic access reviews can help your organization identify any individuals who should not have credentials, like malicious insiders, third parties, and departed/disgruntled employees, which can help reduce the risk of data breaches. 

2. Meeting compliance requirements

In addition to protecting an organization's data and IT assets, performing user access reviews can help meet requirements of many security and compliance frameworks, including federal frameworks.

Here are some of the most common cybersecurity frameworks that mandate user access reviews:

• CIS Critical Security Controls®
• CJIS
• CMMC
• Cyber Essentials
• FTC Safeguards Rule
• GDPR
• CCPA/CPRA
• HIPAA
• ISO 27001
• NIST CSF
• NIST 800-53
• FedRAMP
• TX-RAMP
• NYDFS NYCRR 500
• PCI DSS
• SOC 1®
• SOC 2®
• SOX

3. Enhancing risk management

In addition to meeting regulatory requirements, user access reviews also help organizations improve their overall risk management capabilities, particularly against insider threats and disgruntled former employees. It facilitates several principles that are key to role-based access control (RBAC), including:

• Separation of duties: Dividing critical business functions into discrete tasks, which are then assigned to different individuals to reduce the chance of one individual carrying out malicious activities, like fraud. When performing periodic user access reviews, you can verify that no single user has all the privileges necessary to complete a critical business function by themselves.
• The need-to-know principle: Only providing users with the access to information they need to complete their work. An effective user access review will ensure that each user has legitimate reasons to access certain data. 
• The principle of least privilege: Only providing users with the privileges they need to complete their work.Unlike need-to-know, this principle applies to both users and applications, devices, and service accounts. It also not only limits who has access to certain applications and systems but what they can do if granted access (view, edit, etc.). During user access reviews, you can assess that each user has the bare minimum access needed to perform their job functions. For example, a budget analyst likely only needs read-only privileges to payroll software in order to complete a quarterly or annual report. 

4. Reducing licensing costs

User access reviews can also help organizations reduce spend on licensing costs. During a review, you may identify users who have access to certain systems that they don’t need, or haven’t used in awhile, and remove them. If you don’t perform these reviews, you’ll be at risk of overspending on unnecessary system licenses and accounts. 

Which frameworks require user access reviews for compliance?

As mentioned above, some security and compliance frameworks have requirements that specifically mention user access reviews or can be met by implementing a process for periodic user access reviews, among other controls. 

Take a closer look at those frameworks and their requirements in the table below. 

User access review process

Now that you understand the benefits of user access reviews, it’s time to map out each step of the process. 

1. Inventory your tools and users

To start, inventory all current tools and technologies that you use. 

Then list all users, including internal and external users as well as users who have been terminated, and what access and privileges they have to each tool and technology. Make sure to note whether they are an admin or user and if they have access to privileged accounts.

Now you’re ready to review whether their current access rights are appropriate and necessary, or whether they need to be changed. 

2. Revoke access rights of terminated employees and third-parties

During user access reviews, it’s important to check that the accounts of former employees, partners, and other third parties are inactive.

The access rights of these users should be revoked immediately upon termination, but periodic reviews help catch any oversight. If access wasn’t revoked, disable and remove these accounts immediately and update your employee and vendor offboarding processes to ensure this step happens automatically in the future.

3. Move or revoke permissions of shadow admin accounts

You should also check for shadow admin accounts during user access reviews. These are non-admin user accounts with sensitive privileges that effectively make them admins. Unlike privileged admin accounts, these typically aren’t part of a privileged admin Active Directory (AD) group because they were granted sensitive privileges directly.

Shadow admin accounts are highly desired by malicious users because they can be exploited to gain access to critical infrastructure and sensitive data, but are not as easy to identify and monitor as accounts under the well-known admin groups. To mitigate the risk of these accounts, you can revoke the sensitive privileges they don’t need or move them into a privileged admin group where they can be closely monitored. 

4. Check for privilege creep of employees that have changed roles

As employees are promoted, switch teams, or otherwise change roles within the organization, their access permissions can accumulate. This gradual accumulation of access rights that exceed what they need to do their job is known as privilege creep.

You can look for this during a user access review. To start, identify any employees that have recently switched departments or roles and ensure that these employees’ access permissions match their current job responsibilities. Remove any permissions that were only necessary in their previous position. 

5. Remove any unnecessary access or privileges of the users that are left

Once you’ve carefully evaluated and revoked any unnecessary privileges of terminated users, shadow admins, and employees that changed roles, it’s time to review the access rights of users that are left. You want to ensure that all employees, vendors, and other users only have access to resources and assets as well as privileges in apps and systems that are strictly required to do their jobs. 

6. Downgrade permanent to temporary access when possible

During a user access review, you may also evaluate whether users need permanent access to the applications and data that they currently have. Some users only need access to certain data or applications for a short time (e.g., to complete a project or conduct an audit). In that case, they don’t need permanent access rights. 

You can convert permanent access to temporary access or provide new users temporary access using a variety of methods, such as:

• Time-restricted accounts that automatically expire after a set duration
• One-time passwords (OTPs) or just-in-time (JIT) access models
• Privileged access management (PAM) tools that enforce temporary elevated privileges when necessary
• Expiration policies and alerts to revoke temporary access when it is no longer needed.

7. Review access approval workflows

In addition to reviewing individual users’ access and privileges, you should also review the workflows for granting or revoking access. Questions to consider include:

• Who has the authority to approve access requests? Ensure that access requests go through proper managerial or IT security approvals.
• Are approvals documented? Keep an audit trail of who requested, approved, and modified access permissions and when these were done.
• Are multi-factor authentication (MFA) or other authentication controls in place? Ensure that sensitive accounts require additional authentication for access.

8. Document the changes you made

To ensure transparency and simplify subsequent reviews, document each review cycle. You may include the list of tools and who has user or admin rights to each as well as reviewer comments, approver decisions, and any access changes made.

9. Formalize a review cycle

User access reviews should be conducted on a regular basis based on organizational policies and compliance requirements. It’s typical for user access reviews to take place at least annually. High-risk industries like finance and healthcare may need to take place semi-annually or quarterly. 

Reviews should also take place when there is a major organizational change, such as layoffs, mergers, or new compliance mandates.

User access review template

We've created a free user access review template to help simplify the process of evaluating and managing user permissions so you can better protect your data, meet compliance requirements, enhance risk management, and reduce licensing costs at your organization.

User access review best practices

To ensure your user access management program is set up for success, here are a few best practices to keep in mind when performing user access reviews.

Be consistent

Consistency is key to a successful access management program. Setting up a consistent review schedule for access reviews can ensure that you identify any unnecessary or inappropriate individuals with access and sensitive privileges and revoke them before any security incident or reputational damage takes place. 

Include access reviews in employee training

Training your employees on how best to review access rights can also help improve the access review process. Training might cover:

• sending timely communication or notifications about employee turnover
• involving leadership in access reviews
• submitting user access reports to IT or systems administrators when changes need to occur
• using access review tools to automate some parts of the process

Get key stakeholders involved

When setting up a user access review process at your organization, consider if the correct stakeholders are involved. For example, rather than delegating the responsibility of distributing and reviewing access to users to the IT team, consider getting managers involved in the review process. Managers will have more insight into who on their teams or departments should have access to certain data and applications, especially if there has been turnover or other changes on their team. 

Review privileged administrators and users access quarterly

Regularly reviewing privileged admin or privileged user access on a quarterly basis is crucial for maintaining security. Since privileged administrators and users have the most capabilities within a system, it is critical to review their access quarterly. Additionally, this promotes accountability and transparency within an organization, fostering a culture of responsibility and trust in managing sensitive information and keeping access up to date and in accordance with least privilege.

Integrate user access reviews into the onboarding and offboarding lifecycle

User access should be part of the employee onboarding and offboarding process. For example, before a new employee starts, HR and IT should coordinate and communicate to figure out what tools they’ll need access to and what permissions they’ll need. If an existing employee is changing roles, then they should also communicate what systems and permissions that they will gain or lose access to.

Access review and control plays an even more prominent role in offboarding. You want to ensure that you remove access to sensitive data and systems and tools at the appropriate time, based on their risk level. As long as the employee isn’t high-risk, it’s important to notify them of the date when their accounts will no longer be available. 

Document a user access review policy

Having a formalized policy about user access reviews ensures consistency and accountability across the organization. This policy can be standalone or part of a broader Access Control Policy that covers user provisioning, authentication, least privilege enforcement, and revocation processes.

Key elements to include in a User Access Review or Access Control Policy are:

• Review frequency: Define how often user access reviews should be conducted (e.g., quarterly for privileged accounts, annually for standard users).
• Roles and responsibilities: Assign accountability to IT teams, department managers, security teams, and auditors.
• Review process: Outline the steps for reviewing, approving, and revoking access rights.
• Compliance requirements: Reference frameworks like NIST 800-53, ISO 27001, HIPAA, and SOC 2 to ensure alignment with security best practices.
• Documentation and reporting: Specify how access reviews will be logged, reported, and retained for audits.

Automate user access reviews

Manually tracking and reviewing access can be time-consuming and prone to errors. Automating user access reviews using software can significantly improve efficiency. A tool that integrates with HR and IT systems, like a compliance automation tool, can help align your account management processes with personal termination and transfer processes. That way, you’re more likely to catch inactive or excessive privileges.

Many compliance frameworks encourage the use of automated tools for user account management for this reason. For example, NIST 800-53’s vast catalog of controls for systems and organizations to manage cybersecurity and privacy risk includes a control enhancement for automated system account management, AC-02(01).

How automation can simplify user access reviews

Automating user access reviews can help address the challenges above, reducing the risk of human error and improving efficiency in the user access review process.

Here are key ways it can improve the workflow:

• Reducing the back-and-forth communication required among IT and other teams: If using an automation platform like Secureframe, for example, all information about personnel, vendors, and their access rights will be pulled in and updated automatically. That means IT and other key stakeholders in the user review process can access all the necessary and up-to-date information about users and their access rights. 
• Improving accuracy and reporting: A compliance automation platform that can seamlessly integrate with your systems and platforms is crucial for an accurate and comprehensive user access review. Automation tools can not only generate more comprehensive data and reports about user access, they can also reduce the chances of errors that may occur during manual user access reviews. According to Zluri’s The State of Access Review, organizations with fully automated access review processes have reduced their error rate by 40% on average.
• Reducing headcount and time constraints: Automating the user review process can also free up valuable resources and time for other high-priority initiatives. According to Zluri’s research, organizations with fully automated access reviews have reduced the number of employees managing the access review process by 30% and reduced the time spent conducting access reviews by 40% on average. 

How Secureframe can help simplify user access reviews

Periodically reviewing and limiting access privileges can help protect your organization from  cyber incidents related to unauthorized access. 

Secureframe can help simplify and automate parts of user access management to help keep your organization safe, including:

• Tracking all users, including inactive and non-personnel: Manage roles, groups, and permissions, providing necessary access to systems and resources based on what each person needs to perform their job duties all in one platform. 
• Monitoring vendor access: Track the level of access each personnel has to your integrations and make sure each has the necessary access to get their job done. Decrease your attack surface and strengthen your security posture by limiting the number of personnel with full access to your sensitive data. 
• Reducing shadow IT: Detect any systems and applications employees are using with their work credentials (work email) that may not be approved by the IT department.

To learn more about how Secureframe can help you simplify access management, schedule a demo.