Access Reviews Pose a Critical Challenge Even Today
Access reviews pose a challenge for every company. Leaving aside compliance with regulatory statutes, which is even more critical in highly regulated industries like banking and healthcare, the process itself is fraught with complications. Manual access reviews are so cumbersome that they are prone to rubber-stamping (simply approving all accesses to save time). Automated access review systems pose their own challenges, from human error in their configuration to potentially malicious actions. So, what are some of the best practices when conducting an access review?
Start at the Top
A top-down view of everything is the place to start. It serves as a high-level framework for access reviews across your whole company, not just a single department. Because access reviews are about accuracy and punctuality, a logical, systematic process that reaches every department is the key to successful access reviews.
Define, Define, Define
The first 3 steps are to define different aspects of your access review environment.
- Define your access review assets: Since access reviews encompass all kinds of technologies and accesses, such as the various office and department networks, applications, data centers, etc., it is vital to start the process by making a comprehensive list of all of your ‘reviewable’ assets. These include all your networks, data centers, office locations, applications, and even the different kinds of user devices that employees use within your office networks. Knowing exactly which assets fall within the scope of your access reviews lets you plan systematically and ensures that no gaps arise from assets you did not know about.
- Define asset owners: After making a list of all reviewable assets, define which department and/or manager is responsible for which asset. For instance, the owner of a given app might be a manager rather than an IT admin, while the owner of the network on an office floor would be a specific IT admin.
- Define user roles: After you have defined all possible access review assets (WHAT could need an access review framework in place), it is time to define WHO could be involved in those reviews. The purpose of this step is to ensure that the access review processes in your company are all-inclusive and well defined. So, define the different roles (note: this is not the job title or job description but a more detailed view of the role the person plays in your IT environment).
For instance, an IT admin in the finance department would not simply have the role ‘IT admin’ but something along the lines of ‘All-IT Access Reviewer and Enabler’. Naming users by the role they play in your IT systems rather than the role they hold at your company creates order within the system and lets you sort users by the risk their roles pose, for example segregation-of-duty conflicts. Different role combinations must also be included, as well as the various access levels, reporting chains (who reports to whom), and the intervals at which reporting is done. All of this advance organizing strengthens your access review environment.
- Define processes: Here, we get closer to the access review process itself. You must determine how often you want to conduct access reviews at each level (office level, department level, etc.) and how deep each review must go. Is it a total review of all accesses, or only an incremental review of the accesses granted within the last year or quarter? Define your provisioning and de-provisioning process (manual or automated?), and consider any training you might want to give your staff so that they can conduct access reviews better.
It should be noted that, when defining access review frequency, you must take into consideration how to administer your upcoming reviews. Some companies work off previous reviews and follow the same process every time, but this isn’t advisable for all organizations. Companies that have changed a lot in a given time period, for example, a company that has undergone a recent reorganization or restructuring, have adopted new applications or systems, or been involved in a merger or acquisition should define these processes from scratch.
The next steps are to actually conduct the reviews and take appropriate action on their results. After documenting everything you defined above, it is time to jump into the review process.
The Actual Review
The Review Process: When performing manual reviews, which are inadvisable due to their cumbersome nature, send a copy of the reports you made in the previous steps to each asset owner, who must then audit the list to verify who has access and at what level, and whose access privileges should be changed or revoked. As mentioned, however, this only really works for very small organizations. Larger organizations should buy an Access Review solution that automates a large part of the process, including the subsequent provisioning and de-provisioning. Cross Identity CI offers extensive access review functionality, and Cross Identity ARaaS (Access Review as a Service) offers just access review capabilities on a pay-as-you-consume, service-based model. Both are excellent options to consider when you shop around.
Action: Once access reviews are conducted, accesses flagged for revocation must be revoked in a timely manner. Again, small companies can do this manually, while products such as Cross Identity CI or Cross Identity ARaaS offer both manual fulfillment (with the press of a button) and automated fulfillment (flagged accesses are automatically documented and revoked).
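The four definition steps and the review/action steps above fit together as one pipeline: an asset inventory with owners, users with IT roles, a process setting (full versus incremental scope and a revocation deadline), a review packet per asset owner, and a list of fulfillment actions. The following is an added example that is not part of this article and not Cross Identity code. Every asset, user, role, grant and segregation-of-duty rule in it is constructed sample data, and the flag names and the "escalate" action for undecided rows are this example's own conventions.

```python
"""Added example (not Cross Identity code): a minimal model of the access review
framework described above. All assets, users, roles and grants are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str             # network, application, data center, file server, ...
    owner: Optional[str]  # manager or IT admin accountable for this asset


@dataclass(frozen=True)
class Grant:
    user: str
    asset: str
    level: str            # e.g. "read", "user", "admin"
    granted_on: date


# Hypothetical segregation-of-duty conflicts, expressed on IT roles, not job titles.
SOD_CONFLICTS = {
    frozenset({"Payments-Initiator", "Payments-Approver"}),
    frozenset({"All-IT Access Reviewer and Enabler", "Finance-App-Admin"}),
}

# Constructed inventory: one asset deliberately has no owner (a coverage gap).
ASSETS = {a.name: a for a in [
    Asset("finance-app", "application", "alice.manager"),
    Asset("floor3-network", "network", "bob.itadmin"),
    Asset("legacy-share", "file server", None),
]}
# Constructed role assignments: carol holds a conflicting pair, erin has no role at all.
USER_ROLES = {
    "carol": {"Payments-Initiator", "Payments-Approver"},
    "dave": {"Finance-App-Admin"},
    "erin": set(),
}
GRANTS = [
    Grant("carol", "finance-app", "user", date(2023, 11, 2)),
    Grant("dave", "finance-app", "admin", date(2024, 1, 15)),
    Grant("dave", "floor3-network", "admin", date(2022, 6, 1)),
    Grant("erin", "legacy-share", "read", date(2024, 2, 20)),
]
REVIEW_DATE = date(2024, 3, 1)


def sod_violations(roles):
    """Return every conflicting role pair fully contained in this user's role set."""
    return [pair for pair in SOD_CONFLICTS if pair <= roles]


def build_review_packets(grants, assets, user_roles, review_date,
                         scope="full", window_days=90):
    """Group grants into one packet per asset owner. With scope='incremental' only
    grants newer than window_days are included. Each row carries risk flags the
    owner must look at; grants on ownerless assets land in an 'UNOWNED' packet."""
    cutoff = review_date - timedelta(days=window_days)
    packets = defaultdict(list)
    for g in grants:
        if scope == "incremental" and g.granted_on < cutoff:
            continue
        asset = assets.get(g.asset)
        owner = asset.owner if asset and asset.owner else "UNOWNED"
        roles = user_roles.get(g.user)
        flags = []
        if asset is None:
            flags.append("asset-not-inventoried")
        if owner == "UNOWNED":
            flags.append("no-asset-owner")
        if not roles:
            flags.append("no-defined-role")
        elif sod_violations(roles):
            flags.append("sod-conflict")
        packets[owner].append({"user": g.user, "asset": g.asset,
                               "level": g.level, "flags": flags})
    return dict(packets)


def apply_decisions(packets, decisions, review_date, sla_days=5):
    """decisions maps (user, asset) -> 'keep' | 'revoke'. Rows the owner never
    decided on are escalated rather than silently kept, so a half-finished
    review cannot rubber-stamp access by omission. Revocations get a due date."""
    actions = []
    for owner, rows in packets.items():
        for r in rows:
            verdict = decisions.get((r["user"], r["asset"]), "undecided")
            if verdict == "keep":
                continue
            actions.append({"action": "revoke" if verdict == "revoke" else "escalate",
                            "user": r["user"], "asset": r["asset"], "level": r["level"],
                            "reviewer": owner,
                            "due": review_date + timedelta(days=sla_days)})
    return actions


if __name__ == "__main__":
    packets = build_review_packets(GRANTS, ASSETS, USER_ROLES, REVIEW_DATE)
    for owner, rows in packets.items():
        print(owner, rows)
    decisions = {("carol", "finance-app"): "revoke",
                 ("dave", "finance-app"): "keep",
                 ("dave", "floor3-network"): "keep"}
    for action in apply_decisions(packets, decisions, REVIEW_DATE):
        print(action)
```

Running it on the constructed data produces three packets: alice.manager's packet carries carol's grant flagged for a segregation-of-duty conflict, bob.itadmin's packet is clean, and the UNOWNED packet exposes both the ownerless file server and a user with no defined role, which is exactly the kind of gap the definition steps are meant to surface. Switching to scope="incremental" drops the two older grants, which is the "new accesses within the last quarter" variant described under "Define processes".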
Access reviews depend largely on the solution used to conduct the reviews and fulfill the necessary actions, but the process outlined above gives you a top-down view of which assets could require review and a foolproof framework for dealing with the entire process. Access reviews are critical to business survival today: they offer a competitive edge through saved licenses and by averting potential data breach disasters, and many industries such as healthcare and banking have stringent laws that must be complied with. Following a good framework like the one described above, in tandem with a solid access review solution like Cross Identity CI or ARaaS, will take you a long way toward solving your access review challenges.