7 Best Practices to Conduct a User Access Review


Every company has workers that have been there from the beginning and worked in every department. They know everything about the company’s processes, and it makes them valuable employees. But they also can access sensitive data, and that makes them dangerous. A periodic user access review can mitigate this danger.


Reviewing user access is an essential part of access management. In this article, we discuss the definition and importance of user access rights review and IT regulations require you to do this. Then we arm you with user access review best practices to make the process fast and effective.

What is a user access review?


A user access review is part of the user account management and access control process, which involves a periodic review of access rights for all of an organization’s employees and vendors. A user access review usually includes re-evaluation of:


  • User roles
  • Access rights and privileges
  • Credentials provided to users


During the review, it’s important to pay special attention to user accounts of employees who have worked in the organization for a long time, recently changed their position, acquired new responsibilities, or left the company.


Reviewing user access mitigates a wide range of cybersecurity issues:


  • Excessive access privileges (privilege creep)
  • Mistakes with user role and account configuration
  • Access abuse and misuse
  • Outdated security policies
  • And more


However, conducting such a review usually takes a lot of time and effort from security officers. That’s why skipping a review may seem tempting — especially if you’ve already implemented the principle of least privilege, a zero trust model, and granular access. Let’s find out why a user access review is worth your time.

Read also: SSH Key Rotation Best Practices

Why is it important to review access rights?


The ultimate goal of a user access review is to reduce the risk of a security breach by limiting access to critical data and resources. Lack of reviews leads to cases such as the WordPress site hack, which was carried out by an ex-employee. The employee used his old account and SSH password along with a backdoor he created to hack the WordPress Multilingual Plugin website, add a security hole as a feature of the product, and send out spam emails on behalf of WordPress.

Threats mitigated by a user access review

Preventing situations like this is one of the reasons to conduct a user access review. It also mitigates threats such as the following:


Privilege creep. Privilege creep happens when employees obtain access to lots of sensitive data during the time they work at an organization. New privileges appear when employees gain new responsibilities and access rights, but privilege creep happens when old access rights aren’t revoked. During an access review, a security officer brings user access rights into sync with users’ current roles.


Excessive privileges. In a perfectly secure world, access privileges can be granted only to users that need them only to do their jobs. In reality, permanent access is often granted when an employee needs access just once or may (or may not) need it in the future. A timely review helps to revoke unneeded user access rights.


Access misuse and employee mistakes. According to Verizon’s 2019 Data Breach Investigations Report, 15% of data breaches happen because of access and data misuse. Unintentional mistakes by employees were the cause of 21% of security threats in 2018. A user access review helps to limit access and, therefore, reduce the possibility of a costly mistake.

Data breach statistics

Insider threats. The key danger of insiders comes from the fact that they have access to sensitive data and know about security measures implemented in the organization. Insider threats can be partially mitigated by revising and restricting access according to the principle of least privilege. However, it’s best to couple reviews with the creation of an insider threat policy and deployment of user monitoring, access, and identity management software. 


Apart from mitigating cybersecurity threats, conducting a user access review is also an essential step in complying with most IT requirements.


Read also: Top 5 Inadvertent Mistakes of Privileged Users and How to Prevent Them

Requirements for conducting a user access review


Reviewing user access rights is a requirement of IT regulations such as NIST, HIPAA, PCI DSS, and SOX. Let’s take a close look at those requirements.


NIST is a non-regulatory US agency that provides cybersecurity guidelines and standards that are followed around the world. The AC-1 and AC-2 controls from NIST Special Publication 800-53 require organizations to conduct a periodic review of access rights and policies. An organization may create its own schedule for reviews, use any NIST compliance tool to conduct it, and doesn’t need to report the results. However, ignoring this procedure will lead to penalties during a compliance audit.


PCI DSS is a worldwide security standard for organizations that process data on credit cards and cardholders. Requirement 7 of this standard describes obligatory access control measures that include granular access, the principle of least privilege, and periodic revision of user roles and rights. Also, requirement 12 states that an access control policy should be reviewed at least once a year. As with NIST, the frequency and quality of reviews can be self-assessed by the organization.


HIPAA is a US law that describes protection measures required for any company that manages healthcare data. Administrative safeguard §164.308 of HIPAA requires a periodic review of access policies and implementation of procedures to establish, document, review, and modify user access rights. Fulfillment of this requirement is checked during audits by the US Department of Health and Human Services.


SOX is a US law that contains a set of requirements for public accounting organizations. Section 404 of this act demands that entities assess and report on internal control for financial reporting and the integrity of reports. Regarding digital records, SOX indicates the need to enforce access control procedures, including via user access review. SOX compliance is verified during a yearly audit by an independent auditor.


As we can see, conducting a user access review is a must, despite all the troubles it entails. In the next part of this article, we’ll discuss what user access and rights review is and how to conduct it.

Best practices for reviewing user access


A user access review can be swift, effective, and painless if you keep your access control policies up to date and implement world- and industry-recognized security procedures. We’ve gathered seven best practices for user access review that fit almost any organization.

Best practices to conduct a user access review

1. Create and update an access management policy 


An access management policy is a must for any organization and should include:


  • a list of data and resources you need to protect
  • a list of all user roles, levels, and their types of access
  • controls, tools, and approaches to secure access
  • administrative measures and software used to implement the policy
  • procedures for granting, reviewing, and revoking access


To create an access management policy quickly, you can adapt one of these samples. Creating a policy is a one-time activity, but updating it as your organization grows is equally important. Make sure you document any changes in protected data, user roles, and access control procedures.


2. Create a formalized review procedure


A written procedure is part of an access management policy. This procedure should:


  • establish a schedule for reviews
  • identify responsible security officers
  • set a period for notifying employees
  • define a period for reporting and contents of the report


Formalizing all those aspects helps you make access review a continuous process and maintain standards.


3. Implement role-based access control (RBAC)


This access control model allows for creating user roles for positions instead of configuring each user’s account individually. Each role is assigned a list of access rights. RBAC speeds up a user access review because, with this model in place, you can review roles instead of separate profiles.


In Ekran System, role-based access is easy to set up and manage: you can add users with similar privileges to groups and manage their privileges in a few clicks.


Read also: Role-based Access Control vs Attribute-based Access Control: How to Choose


4. Implement the principle of least privilege


This principle dictates that users should have access to data only if they absolutely need it. The fewer privileges a user has, the less time you need to spend reviewing them. The principle of least privilege is required by security standards we’ve discussed earlier.


This principle is easily implemented with Ekran System: new users have a minimum number of access rights or privileges by default. An administrator can assign a user to a privileged user role by adding them to a specific group or can provide constant or temporary access to resources.


5. Provide temporary access instead of permanent


How often do you provide access to a user who needs it only once or twice? During an access review, revoking such access rights takes a lot of time. Whenever possible, it’s best to use features like one-time passwords instead of assigning a user a new role or granting permanent access rights.


Another option for providing temporary access is to implement just-in-time privileged access management (PAM). This approach is based on granting access only when users need it to complete their jobs and revoking it when the task is finished.


Ekran System can implement both approaches and allows for manual or automated provisioning of one-time passwords. The manual procedure requires administrator approval. This helps to secure the most protected data and verify each access attempt. The automatic procedure allows you to define hours when a temporary password can be generated without approval (for example, during working hours).


Lightweight PAM functionality helps to manage privileges of users or user groups according to their needs. With PAM functionality in Ekran, setting up, configuring, and reviewing a user profile takes only a few minutes.


Learn more about Light-weight Privileged Access Management


6. Involve employees and management


Employees usually see cybersecurity measures as interfering with their daily work. By involving employees in the review, you can speed up the process and show them why it’s important. For example, you can send out lists of access rights to users and their managers and ask them to point out what resources they no longer need to access.


7. Explain the goals and importance of a review


Communicating with employees is vital for cybersecurity. If employees don’t understand why it’s important to implement a certain practice or use a specific tool, there’s a high chance they’ll find a way not to comply. That’s why you need to communicate the principles and importance of access management to your employees during cybersecurity training.


Whitepaper on insider threat program



Conducting a user access review is an essential component of the access management process. It reduces the risk of a data breach and mitigates a wide range of security issues, but the review itself can be time-consuming and slow down work processes.

With Ekran System, you can take your access management to another level, as this solution provides:


  • role-based access control to configure user roles instead of configuring each account
  • an access request and approval workflow to ensure granular and secured access
  • control over privileged accounts and sessions to secure remote sessions
  • continuous monitoring and alerts to respond to security violations in real time