12) Does your organisation review employee access rights for all IT services (whether internal or third party based) at regular intervals?
IT Operations Access Review
Written by Haydn Brooks
Created on March 18, 2019
Modified on June 7, 2020

Answer yes if your organisation conducts regular user access audits to make sure that all users have the correct and up-to-date access to business information. Please outline the audit process in the notes section or provide a supporting document (as a PDF file) as evidence.

As employees are constantly changing roles, leaving the company, and joining, it is important to regularly run an access audit to ensure all of your employees only have access to the systems that they require to perform their job role. This control supports a strong joiner/mover/leaver process and should pick up any employees that have been provisioned with incorrect access.

If the access audit finds employees that have been provisioned the incorrect access, or who have not had their access removed after leaving, these findings should be investigated and the joiner/mover/leaver process improved.

An access audit can be completed using an Identity and Access Management tool, or by simply making a list of each employees access to each IT system and sending it around all of the line managers for review and approval.

How to implement the control:

Your IT team can complete an access audit either using access lists (typically spreadsheets that show a users access to each IT system) or by using a tool.

Access lists should be sent to line managers or system owners for them to review and approve the access to the systems.

Access reviews should be completed regularly and consistently, Risk Ledger would recommend completing 2 access reviews a year for all employees with regular user accounts, and quarterly access reviews for all employees with privileged user accounts.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.