14) How many access audits does your organisation conduct each year, for privileged employee accounts?
IT Operations Access Review
Written by Haydn Brooks
Created on March 18, 2019
Modified on July 7, 2020

If your organisation does conduct regular access audits of privileged accounts, please state the number of times access audits are completed for users each year. If no access audits are completed, please put 0 (zero).

Privileged user accounts have elevated, and often unrestricted, access to your most important systems and sensitive data; in many organisations they can reach everything. As such, you should monitor privileged user activity, particularly access to sensitive information and the use of privileged actions, and respond where that activity falls outside normal, expected bounds (for example, access to large amounts of sensitive information outside standard working hours).
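The monitoring rule described above, as an added example that is not part of the original article and not Risk Ledger's own tooling: it runs a simple off-hours volume check over a constructed audit log. The log format (timestamp, user, action, data classification, record count), the set of privileged accounts, the working-hours window and the threshold are all assumptions chosen for illustration; in practice they come from your own SIEM export and access review.

```python
"""Flag privileged accounts that pull large volumes of sensitive data out of hours.

Added example. The log layout, account names, working hours and threshold are
assumptions, not something the article specifies.
"""
from collections import defaultdict
from datetime import datetime, time

# Hypothetical privileged accounts, as the most recent access review would list them.
PRIVILEGED_ACCOUNTS = {"dba_alice", "sysadmin_bob"}

# Data classifications treated as sensitive (assumed labels).
SENSITIVE_CLASSES = {"confidential", "restricted"}

# Working hours and the daily out-of-hours volume treated as abnormal (tunable assumptions).
WORK_START = time(8, 0)
WORK_END = time(18, 0)
OFF_HOURS_THRESHOLD = 100  # sensitive records per privileged user per day

# Constructed sample log: ISO timestamp, user, action, classification, record count.
# 2020-07-05 is a Sunday, 2020-07-06 a Monday, 2020-07-07 a Tuesday.
SAMPLE_LOG = """\
2020-07-06T09:15:00 dba_alice SELECT confidential 40
2020-07-06T23:40:00 dba_alice EXPORT confidential 500
2020-07-06T23:55:00 dba_alice EXPORT confidential 350
2020-07-07T02:10:00 sysadmin_bob READ internal 900
2020-07-07T11:00:00 sysadmin_bob EXPORT confidential 20
2020-07-05T10:00:00 jdoe SELECT confidential 5000
2020-07-06T22:00:00 jdoe EXPORT confidential 120
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict with typed fields."""
    ts, user, action, classification, count = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "classification": classification,
        "count": int(count),
    }


def is_off_hours(ts):
    """True at weekends (Mon=0 .. Sun=6) or outside WORK_START..WORK_END on a weekday."""
    if ts.weekday() >= 5:
        return True
    return not (WORK_START <= ts.time() < WORK_END)


def off_hours_sensitive_volume(log_text):
    """Return {(user, date): records} for privileged users touching sensitive data out of hours."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["user"] not in PRIVILEGED_ACCOUNTS:
            continue  # standard users get a separate, looser baseline (not shown)
        if ev["classification"] not in SENSITIVE_CLASSES:
            continue
        if not is_off_hours(ev["ts"]):
            continue
        totals[(ev["user"], ev["ts"].date().isoformat())] += ev["count"]
    return dict(totals)


def find_alerts(log_text, threshold=OFF_HOURS_THRESHOLD):
    """Return a sorted list of (user, date, records) where the daily total exceeds threshold."""
    totals = off_hours_sensitive_volume(log_text)
    return sorted(
        (user, day, n) for (user, day), n in totals.items() if n > threshold
    )


if __name__ == "__main__":
    for user, day, n in find_alerts(SAMPLE_LOG):
        print(f"ALERT {user} accessed {n} sensitive records out of hours on {day}")
```

On the sample data only dba_alice is flagged (850 confidential records exported late on the Monday). sysadmin_bob's 900-record read at 02:10 is not flagged because the data is classified internal, and jdoe's large weekend query is not a privileged account, so it falls under whatever baseline you apply to standard users. The rule is deliberately a per-day threshold; a real detection would usually compare each account against its own historical volume rather than a single fixed number.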

Privileged user accounts should undergo regular access audits to confirm that each account is provisioned with only the access it needs and that the principle of least privilege is being enforced. Privileged account access audits are expected to be conducted more frequently than standard user access audits.

Depending on the nature and size of your business you may choose to perform the audits monthly, quarterly or twice a year. As a minimum, it is recommended that audits of privileged accounts are performed quarterly.

How to implement the control:

Your IT team can complete an access audit either by using access lists (typically spreadsheets that show each user's access to each IT system) or by using a tool.

Access lists should be sent to line managers or system owners for them to review each user's access to the systems they are responsible for, approving access that is still required and removing access that is not.

Access reviews should be completed regularly and consistently. Risk Ledger recommends two access reviews a year for all employees with standard user accounts, and quarterly access reviews for all employees with privileged user accounts.
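The access-list procedure above, as an added example that is not part of the original article and not a Risk Ledger tool: it reads a constructed access list export, works out which entitlements are due for review under the recommended cadence (quarterly for privileged accounts, twice a year for standard ones), and groups them by the line manager or system owner who has to sign them off. The CSV columns, the account names and the fixed reference date are assumptions for illustration.

```python
"""Build per-approver review packs from an access list and flag overdue reviews.

Added example. The CSV layout, the cadence values and the reference date are
assumptions, not something the article specifies.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Review cadence per account type, following the recommendation in the text:
# roughly quarterly for privileged accounts, twice a year for standard accounts.
CADENCE_DAYS = {"privileged": 91, "standard": 182}

# Constructed sample access list, as an IAM export might look (assumed columns).
# An empty last_reviewed means the entitlement has never been reviewed.
SAMPLE_ACCESS_LIST = """\
user,system,role,account_type,approver,last_reviewed
alice,prod-db,dba,privileged,carol,2020-03-01
alice,jira,user,standard,carol,2020-01-15
bob,prod-k8s,cluster-admin,privileged,dave,2020-05-20
bob,wiki,editor,standard,dave,
erin,prod-db,readonly,standard,carol,2020-06-30
"""


def parse_access_list(text):
    """Parse the CSV export into dicts, converting last_reviewed to a date or None."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        value = row["last_reviewed"].strip()
        row["last_reviewed"] = date.fromisoformat(value) if value else None
    return rows


def review_due(row, today):
    """True when the entitlement has never been reviewed or its cadence has elapsed."""
    cadence = timedelta(days=CADENCE_DAYS[row["account_type"]])
    last = row["last_reviewed"]
    return last is None or today - last >= cadence


def build_review_packs(text, today_iso):
    """Return {approver: [(user, system, role, account_type, reason), ...]} for due reviews.

    today_iso is the reference date as an ISO string, e.g. "2020-07-07".
    """
    today = date.fromisoformat(today_iso)
    packs = defaultdict(list)
    for row in parse_access_list(text):
        if not review_due(row, today):
            continue
        reason = "never reviewed" if row["last_reviewed"] is None else "cadence elapsed"
        packs[row["approver"]].append(
            (row["user"], row["system"], row["role"], row["account_type"], reason)
        )
    return {approver: sorted(entries) for approver, entries in packs.items()}


def format_pack(approver, entries):
    """Render one approver's pack as the plain-text list they would be asked to sign off."""
    lines = [f"Access review for {approver}: confirm or revoke each entitlement"]
    for user, system, role, account_type, reason in entries:
        lines.append(f"  {user:<8} {system:<10} {role:<14} {account_type:<10} ({reason})")
    return "\n".join(lines)


if __name__ == "__main__":
    for approver, entries in build_review_packs(SAMPLE_ACCESS_LIST, "2020-07-07").items():
        print(format_pack(approver, entries))
        print()
```

With the reference date 2020-07-07, carol receives alice's privileged prod-db entitlement (128 days since its last review, past the 91-day quarterly cadence) and dave receives bob's wiki entitlement, which has never been reviewed. alice's jira access (174 days) is not yet due under the 182-day standard cadence, and bob's cluster-admin role was reviewed 48 days ago. Treating a blank last_reviewed as due, rather than as an error, is deliberate: an entitlement nobody has ever approved is exactly what the review is meant to surface.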

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.