Identity and Access Management (IAM) is a framework that includes processes and technologies that enable an organization to manage its systems’ access. Elements of IAM typically include policies, procedures, processes, workflows, and automation for system access requests, approvals, removals, and periodic access reviews. IAM principles are used to align user privileges to information resources based on user responsibilities. Managing user privileges through effective IAM processes and technologies is a critical component of an organization’s information security program.
The periodic access review process can be time intensive due to the many systems, users, and reviewers involved. Incorporate the complicated nature of system security authorizations and you may end up working with what resembles a spaghetti bowl diagram.
We have identified some pitfalls to avoid when building and maintaining your periodic access review program.
Reviewing users for employment status and not actually reviewing access rights
Too often we find that a reviewer has not performed a review of user access rights. Instead, the reviewer has only focused on whether the user is an active or terminated employee. The reviewer should also confirm access rights in the system are appropriate based on job responsibilities.
Providing the reviewer a manually maintained user access rights listing instead of a system generated listing
Some system security tables are complex or may be very difficult to extract user access rights data and reports. As a result, some organizations manually maintain user access rights listings outside of the system. This is not a best practice because the manually maintained list may be inaccurate or incomplete and does not reflect actual access. The reviewer should only review user access rights listings that are generated from the system or from an IAM solution; they should not perform a review of the manually maintained list.
System and privileged accounts are not included in the periodic review listing
User access right listings that are reviewed in a periodic review process must include all accounts, including system accounts and privileged accounts. These accounts should not be omitted from the listing because of the perception or reality that the system business owner does not understand them. Instead, explain their purpose and obtain approval or alternatively, design a review process that includes multiple reviewers to confirm system accounts and privileged accounts are appropriate. The option of leaving these accounts out of the review process is not appropriate.
Contractors and temporary workers are not included in the periodic review listing
As noted, periodic access reviews must include all accounts. This rule includes contractors and temporary workers. Sometimes contractors and temporary workers are not included in periodic reviews because they are put into a separate network group or they aren’t considered long term employees, but instead one-off, short term access anomalies. Additionally, sometimes IT vendor accounts are only activated when they need access to provide support, and they are therefore left off the periodic review list because they don’t appear active. The periodic access review process must include all accounts, including contractors and temporary workers so that their access rights can be evaluated.
Business system owner is not included in the periodic review process
IAM is not an IT siloed activity. The periodic access review process should include the business system owner as well. Furthermore, the IT department does not have sufficient knowledge of business processes to attempt to validate the business users of an application based on job responsibilities. That is a tough task for IT to accomplish, but more importantly it is not their role in the periodic review process. The evaluation of business user access rights should be performed by the business system owner.
Taking too long to complete the user access review
Periodic access review processes and frequencies may vary by risk, industry, company size, system complexity, and regulatory or compliance requirements. For example, some system access rights may be reviewed annually, and others may be reviewed quarterly. There is no authoritative guidance on how quickly a user access rights listing should be reviewed after it has been generated, however, the leading practice is to complete the review within 30 days of generating the user access rights listing to prevent assessing stale user access rights. If the reviews are not completed timely, an organization should re-evaluate its IAM process and tools to design a pragmatic solution.
Periodic reviews performed are not documented in enough detail
Some periodic user access reviews do not include the necessary documentation to evidence who performed the review, what was reviewed, when it was performed, and what the results were. If the extent of the documentation is an email trail that does not include a marked-up user access listing with notes of the work performed, it does not provide adequate evidence that the review of all users was performed. An organization should leverage a template or tool to assist with easily documenting the details necessary to provide clarity on the periodic access review activity.
The periodic user access review process and system mappings are not documented in a procedural manual for others to understand the process
It is best practice to document procedures on how to extract user access rights from in-scope systems, the responsibilities for conducting the review of the user rights, the distribution of the user access reports, and how the user reviews need to be performed. Additionally, the procedural manual should include an oversight process to make sure the key steps in the process occur as defined. Undocumented review processes might result in incorrect, inconsistent, and inefficient results.
Queries and methods used to generate each system listing are not documented
The queries used to generate system listings need to be documented for every user access rights listing that is generated and ultimately reviewed. The queries become part of the control to evidence the completeness and accuracy of the user access listings. Without this evidence, there is an increased risk the user access review is not accurate, and the reviewer or a subsequent auditor will not be able to rely on the work. To provide stronger evidence and to increase the likelihood of reliance on the work, clearly document the queries used to generate the listings and how the reviewer validated the completeness and accuracy of the reports generated.
Not modifying user access timely based on the requested access changes
After a periodic access review is completed, it typically results in a list of requested access changes. It is important for those access changes to be reviewed and made in a timely manner because they are typically requested to correct an inappropriate access right. For example, if an organization takes weeks to remove an inappropriate access right, they will likely be out of compliance with their policies and controls. Additionally, the organization is at risk of unauthorized or inappropriate access and transactions occurring putting themselves at undue risk.
An annual review of security role design is not performed
Depending on the complexity of system security design, the periodic review process may include a user access rights listing that only identifies a user’s security role, but not the underlying privileges associated with that security role. The security role is typically the aggregation of different privileges within a system that authorizes a user to access, edit, and perform transactions in different parts of the system. Since the security role can typically be designed and customized to include any privileges, it is important to annually review the security design of roles to confirm the privileges assigned to a role are appropriate. If the review of security role design does not occur, then the user access reviews may not be sufficient to provide assurance that access rights are commensurate with job responsibilities.
An annual review of segregation of duties (SOD) matrices and job title databases that are used to determine access rights are appropriate is not performed
Some organizations rely on SOD matrices and job title databases to determine whether access rights are appropriate. They can be used via manual review processes or may be integrated into an IAM tool for automated SOD and risk checks. If these are used by an organization as part of the periodic review process, they should be reviewed at least annually to confirm accuracy.
Reviewers assigned to assess user access are not appropriate based on competency and experience
It is important to have appropriate reviewers perform periodic access reviews. The reviewers should have the correct competency and experience to understand the security design, access rights, SOD risks, and business risks. If an organization has assigned inappropriate reviewers, then there is a greater likelihood of access being inappropriately assigned.
Reviewers are assigned to review their own access rights
The reviewer should not be assigned to review their own access rights. Instead, their access should either be reviewed by someone else completely or there could be a secondary review to ensure access rights are appropriate. If a reviewer reviews their own access rights, there is a greater likelihood of access being inappropriately assigned.
IAM workflows are not configured to route reviews to assigned reviewers
IAM tools can increase efficiency and automation through the use of workflows. The workflows should be configured to route requests to the assigned reviewers to perform and document their reviews. Otherwise, there is a risk that the wrong person will be routed requests for review. This could result in delays or approvals performed by personnel without the requisite knowledge to perform the work.
IAM tools are not integrated correctly, and user access rights lists reviewed are not accurate
IAM tools can increase the speed to perform periodic access reviews. To be relied upon, IAM tools must be integrated with your systems properly by mapping the correct security tables, privileges, and roles into the IAM tools. If the IAM tool is not integrated correctly, then the resulting user access rights listings may not be accurate for reviews and reports.
IAM tools and processes do not follow change management practices, including testing and approval prior to implementing changes
IAM tools should follow organization defined and best practice change management. As such, IAM tools should be maintained with recommended versions and patches. Additionally, changes to IAM tools should follow change management policies and procedures, which may differ based on the size, complexity, and risk associated with the change request. In most cases, at a minimum, changes should be tested and approved prior to implementing a change into the production environment.
Ineffective oversight of the inventory of systems that require periodic access review can result in adding or removing systems without sufficient communication and approval
It is important to maintain an accurate list of systems that require periodic access review. To do so, the process of adding and removing systems requires communication with stakeholders, owners, and appropriate personnel. For organizations with many systems in their inventory, the ability to maintain an accurate system inventory can be a difficult task which may result in low-risk out-of-scope systems being reviewed, and high-risk in-scope systems being overlooked.
Employing an IAM technology with automation and workflows can help reduce the burden of user access reviews over time. Whether you use IAM technology or not, there are many pitfalls. It is important for leaders responsible for IAM to continue to re-evaluate the periodic access review process to determine whether the process is efficient and effective.