In today’s digital age, maintaining the security of sensitive data is more critical than ever. Protecting customer information in compliance with data security and privacy regulations, such as the FTC Safeguards Rule, HIPAA (Health Insurance Portability and Accountability Act, PCI, and various others is essential. A thorough user access review audit, as part of a comprehensive company’s information security program, ensures that only authorized personnel have access to sensitive information, thereby mitigating the risk of data breaches. This article outlines the 10 must-do steps to perform a compliant user access review audit, helping you protect your organization’s data and comply with industry standards and legal requirements.

User Access Review Process

A user access review audit is a comprehensive examination of user access rights within an organization’s information systems. This audit ensures that access permissions are granted based on legitimate business needs and that unauthorized or unnecessary access is promptly revoked through regular user access reviews. It plays a vital role in an organization’s information security program, safeguarding sensitive data and ensuring regulatory compliance through effective user access management.

User access audits are also essential for ensuring that access to critical accounts and systems is not lost or impacted during adverse events or unforeseen circumstances. By systematically reviewing and updating access rights, organizations can prevent disruptions and maintain operational continuity even in emergencies. Additionally, they are essential for meeting various regulatory compliance requirements.

Step 1: Identify Systems with Sensitive Data

The first step in a user access review audit is to identify systems that contain sensitive data so you can prioritize your audit efforts and focus on areas with the highest risk of data breaches. The types of sensitive information to look for include Non-Public Information (NPI), Personally Identifiable Information (PII), Protected Health Information (PHI), and PCI Card Holder Data such as Primary Account Number (PAN), Cardholder Name, Expiration Date, and Service Codes.

This process is typically part of developing a data flow model or data diagram. Mapping out where sensitive data resides and how it flows through your organization is crucial for understanding the security landscape.

Systems that process, store, and transmit sensitive information need to be included in this mapping. Including all relevant systems and types of data ensures a thorough and effective user access review audit, helping to protect your organization from data breaches and compliance issues.

Step 2: Compare Active Users Against HR Records

Next, compare the list of active users with HR records to ensure that only current employees have access to your systems. This step is crucial for identifying ex-employees or terminated employees who might still have access, which is essential for maintaining security and preventing unauthorized access. Simply reviewing the list of users without a point of comparison can lead to oversight and errors, as it relies on subjective judgment to spot irregularities.

It's imperative to use HR records as an active reference, verifying each user account against the current employee roster. This method provides a concrete benchmark and significantly reduces the likelihood of mistakes that could occur from merely scanning for anomalies. By ensuring that the user audit is thorough and data-driven, organizations can better safeguard their systems from unauthorized access.

Additionally, this process does not need to be performed by a single individual. The task can be distributed across departments and system owners, making it more manageable and ensuring a comprehensive review. Each department or system owner can verify the user accounts relevant to their area, ensuring a more detailed and accurate audit while promoting accountability and collaboration across the organization.

Step 3: Review User Permissions

Reviewing user permissions is essential to ensure that access rights align with job responsibilities and legitimate business needs. This process involves evaluating whether users have the appropriate access permissions for their roles and responsibilities, and revoking unnecessary access to reduce the risk of insider threats and privilege creep.

Utilizing information from HR or other relevant departments is crucial in this step to ensure that permissions match each associate's current role. HR records provide up-to-date information about employees' job titles, responsibilities, and any recent changes in their roles, allowing auditors to verify that access rights are accurately assigned.

During this review, auditors should pay special attention to associates who have changed roles within the organization. It is critical to ensure these individuals do not retain permissions from their previous roles that they should no longer have, as this can create security risks and negate the segregation of duties.

For instance, if an associate has both requesting and approving permissions, they could bypass important checks and balances, leading to potential security breaches. This issue, commonly referred to as privilege creep, occurs when users accumulate excessive permissions over time, often due to role changes without corresponding updates to their access rights.

To simplify this process, organizations can utilize Role-Based Access Control (RBAC), which assigns access rights based on roles within the organization rather than individual users. Each role has a predefined set of permissions appropriate for its responsibilities, ensuring consistency and reducing the risk of privilege creep. When an associate changes roles, their permissions are automatically updated to match the new role, streamlining access management and enhancing security.

Additionally, implementing Single Sign-On (SSO) can further streamline access management. SSO allows users to access multiple applications with a single set of credentials, managed centrally, making it easier to update permissions across different systems when an associate's role changes.

For systems that do not support RBAC or SSO, organizations can use a simple checklist of permissions for each role. This checklist should be reviewed and updated regularly to ensure that permissions are correctly assigned. By maintaining an accurate checklist, auditors can quickly verify that each user has the appropriate access rights for their current role and identify any discrepancies that need to be addressed.

Step 4: Identify Number of Active Admins

Administrators often have extensive access privileges, making them high-value targets for cyber attackers. Identifying the number of active admins and ensuring that only those with a legitimate business need have administrative access is crucial. Implementing the principle of least privilege can further reduce security risks associated with admin accounts.

A system should only have administrative rights assigned to those with a specific and immediate need. This approach minimizes the number of users with elevated privileges, thereby reducing potential security vulnerabilities. However, it is important to ensure that there are at least two administrators to prevent issues related to being locked out of the system. This redundancy is a safeguard against situations where the primary administrator is unavailable, ensuring continued access and management capabilities.

For larger systems that require more administrative support, organizations should consider segregating administrative access across multiple users. Rather than using "global admins" for all administrative roles—which grants full administrative rights to everything—it's more secure and efficient to create admin roles with specific administrative permissions. This method involves defining distinct administrative roles tailored to particular functions, such as:

• User Administration: Admins responsible for managing user accounts, including creating, modifying, and deleting user profiles.

• Mail/Exchange Administration: Admins who handle email systems, including configuring mail servers, managing email accounts, and ensuring email security.

• Endpoint Administration: Admins dedicated to managing endpoints like desktops, laptops, and mobile devices, including deploying updates and monitoring endpoint security.

By assigning these specific administrative roles, organizations can limit the scope of access for each admin, reducing the risk of accidental or malicious misuse of privileges. This role-based approach ensures that administrators have only the access necessary for their job functions, adhering to the principle of least privilege.

Step 5: Confirm Break-glass Accounts or Access

Break-glass accounts are emergency access accounts used during critical situations. The management of break-glass accounts should be part of the organization's written information security program.

Confirming the existence and proper management of these accounts ensures they are only used when necessary and are not a security vulnerability. Despite their importance, break-glass accounts are typically an overlooked consideration, yet they play a crucial role in maintaining system integrity during emergencies.

When reviewing break-glass accounts, the auditor should ensure several key points to maximize security and effectiveness:

• Separate Email Addresses: Break-glass accounts should not be tied to the same email as other admin accounts. Ideally, they should have a backup email that is secure and outside the organization. This separation reduces the risk of a single point of failure if the organization’s email system is compromised.

• Distinct MFA Methods: Break-glass accounts should utilize different Multi-Factor Authentication (MFA) methods than current admin accounts. This could involve using another authenticator application on a different device. The purpose is to ensure that if the primary admin accounts’ MFA devices are compromised or unavailable, the break-glass account remains secure and accessible.

• Regular Testing: Break-glass accounts should be regularly tested to confirm they can still access the system. This helps prevent issues with stale accounts or outdated credentials, ensuring that the emergency access mechanism works when needed.

Additionally, break-glass accounts should adhere to the following best practices to enhance security:

• Monitoring and Alerts: These accounts should be monitored continuously, with immediate alerts and notifications sent whenever a break-glass account is used. Since these accounts should rarely be accessed, any use should trigger an immediate investigation to ensure it is legitimate and necessary.

• Split Authentication Credentials: To increase security, the authentication credentials for break-glass accounts can be divided among multiple parties. For instance, the password could be split, with each part held by different individuals, or one person could have the password while another holds the MFA token(s). This ensures that no single individual can access the break-glass account unilaterally.

• Secure Storage: Consider storing the credentials for break-glass accounts in a physical safe or a secure digital vault. This approach adds an additional layer of security, ensuring that the credentials are only accessible when absolutely necessary.

Confirming and managing break-glass accounts is a vital part of comprehensive user access reviews. By ensuring that these accounts are properly configured, regularly tested, and monitored, organizations can maintain robust security even in emergency situations.

Step 6: Confirm Password & MFA Settings

Password policies and multi-factor authentication (MFA) settings are foundational components of data security. Confirming that strong password policies are enforced and MFA is enabled for all user accounts significantly enhances security measures. Ensuring these elements are in place helps prevent unauthorized access, even if passwords are compromised, by adding an additional layer of protection.

It is essential to verify that the passwords on each system adhere to proper length and complexity requirements. Password policies should mandate a minimum length (typically eight characters or more) and include a mix of uppercase and lowercase letters, numbers, and special characters.

Additionally, systems should be configured to lock out accounts after a certain number of failed login attempts to prevent brute-force attacks. Reviewing these settings across all systems ensures that weak passwords do not become an easy entry point for attackers.

Moreover, if your written information security policies specify particular MFA requirements, it is crucial to ensure that each system and platform fully supports these requirements. MFA can involve various methods such as SMS codes, authentication apps, biometric verification, or hardware tokens.

Confirming that all systems comply with these password and MFA standards helps maintain a consistent security posture across the organization, safeguarding against potential breaches and enhancing overall data protection.

Step 7: Confirm MFA Backup Codes or Access

MFA backup codes provide an additional layer of security for account recovery, ensuring that users can regain access to their accounts if their primary MFA method becomes unavailable.Users should be thoroughly trained on the importance of safeguarding their MFA backup codes to prevent unauthorized access, emphasizing that these codes are as critical as their primary authentication methods.

For critical accounts, ensuring that robust MFA backup codes or alternative processes are in place is paramount. The backup methods should not rely on the same authenticators as the primary MFA to avoid a single point of failure. For example, if the primary method is an authentication app on a mobile device, the backup could be a hardware token or printed codes stored securely.

Additionally, backup MFA processes and codes must themselves be secured to prevent misuse by bad actors. This includes storing backup codes in a secure manner, such as in an encrypted digital vault or a physically secure location. Regularly updating and auditing these backup methods can further enhance their security.

Step 8: Confirm Access to Logs

Access to logs is crucial for monitoring and auditing user activities and meeting compliance requirements. Logs provide a detailed record of user interactions with the system, allowing security teams to trace actions back to specific users and identify any anomalies that could indicate a security threat.

Typical logs that each system should support include:

• Successful and unsuccessful login attempts

• Logins and logouts including dates and times,

• Connecting IP addresses, and

• Files and folders accessed and modified.

The logs collected should be relevant to each systems' assessed risk and based on applicable compliance requirements.

Step 9: Ensure Logs Are Retained According to Retention Requirements

Log retention policies must comply with legal and regulatory requirements, as different regulations mandate specific retention periods. For instance, HIPAA requires that logs be retained for six years. Ensuring that logs are retained for the required period is crucial for maintaining audit trails and conducting forensic investigations. This step is essential for demonstrating compliance and accountability in the event of a security breach.

During an audit, it is important to confirm that the system retains logs for the appropriate amount of time or that logs can be extracted and stored externally to meet applicable requirements. This includes verifying that logs are protected against tampering and unauthorized access during the retention period. Proper log retention practices ensure that an organization can effectively respond to security incidents, comply with regulatory standards, and provide accurate records for audits and investigations.

Step 10: Document & Review Discrepancies

Documenting the entire audit process and its findings is crucial for meeting regulatory and compliance requirements. This documentation serves as a formal record of the audit and can be used to demonstrate due diligence in maintaining and securing user access controls.

The auditor should ensure that every discrepancy related to the requirements identified in the organization's written information security policy is meticulously documented, including the context and nature of the discrepancy.

Additionally, each discrepancy should be evaluated through a risk assessment process. This involves identifying the potential impact of the discrepancy on the organization's security posture and making informed decisions on how to address it. The risk assessment and the corresponding decisions should be clearly recorded to provide a transparent audit trail.

By documenting all discrepancies and their associated risk assessments, organizations can not only improve their security measures but also provide a clear rationale for their security decisions. This comprehensive documentation supports ongoing risk management efforts and helps in demonstrating accountability and compliance during audits and regulatory reviews. Regularly updating this documentation ensures that the organization remains vigilant and responsive to emerging security threats and compliance requirements.

Importance of User Access Reviews for Compliance Standards

Compliance standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, and state laws mandate stringent access controls and data security measures. A company's information security program should include implementing and documenting steps to comply with various laws and regulations. Adhering to these standards not only protects sensitive information but also helps in avoiding legal penalties and reputational damage.

Conclusion

Performing a compliant user access review audit is crucial for an organization's information security. By following the 10 outlined steps, you can manage user access rights effectively, protect sensitive data, and maintain regulatory compliance.

Regularly updating access controls, employing robust access management strategies, and adhering to industry standards are vital for mitigating security risks. Incorporating these steps into your audit process enhances security, demonstrates a commitment to data protection, and fosters trust with customers and stakeholders.