Maintaining strict control over who accesses your systems and data is a core part of information security. It’s critical that you limit access to Protected Health Information (PHI), company secrets, Personally Identifiable Information (PII), or any other sensitive data. To ensure that only the users who should have access to a specific system or dataset actually do, it is important to perform regular user access audits. Whether you’re a small business owner, a corporate IT professional, or a cybersecurity specialist, understanding how to conduct a thorough user access audit is essential for safeguarding your information assets. This guide walks you through the steps to perform an effective user access audit so that your organization’s data remains secure and compliant with relevant regulations.
Why Conduct a User Access Audit?
User access audits are crucial for several reasons. They help prevent data breaches by ensuring that only authorized personnel have access to sensitive information. They also play a significant role in complying with regulatory requirements such as GDPR, HIPAA, and SOX, which mandate strict controls over data access. Regular audits identify and remove excess or stale access (missed terminations, roles that were never revoked after a job change), reduce the risk of insider threats, and maintain a clear, reviewable record of who had access to what and who approved it.
How often should I conduct a User Access Audit?
User access audit schedules should be defined per system. Critical systems should be audited more frequently, while lower-risk systems, such as teleconferencing systems, can be audited less frequently. Privileged accounts (accounts with elevated permissions, such as admin accounts) should also be audited more often than standard accounts. For example, a system that doesn’t store any critical or regulated data, such as a teleconferencing system, might be audited annually for standard users and quarterly for privileged users, whereas the directory service or accounting system might be audited monthly or quarterly for both privileged and standard users.
What should be audited?
User access audits should include:
Role Permissions: Review each role in the system and make sure it grants only the permissions that role actually needs. A role that has accumulated extra permissions over time quietly over-privileges every user assigned to it.
Privileged User Access Audit: Review each privileged user and verify both that they should still have access to the system and that the elevated role assigned to them is the correct one for their job.
Standard User Access Audit: Review each standard user and verify that they should still have access to the system.
Who should conduct a User Access Audit?
User access audits should be done in partnership between a Business System Owner (BSO) and a Technical System Owner (TSO). The BSO is the person in the business who understands the system and what roles people should have in the system. For example, the CFO or VP of accounting may be the BSO of the company’s financial system, while the head of HR would be the BSO for the Payroll or HR system. The TSO is the technical administrator of the system who grants users roles and creates accounts, such as your IT administrator. Some small organizations may have one person acting as both BSO and TSO for some systems; however, the best practice is to employ a separation of duties. This separation will help catch mistakes and limit risks from insider threats. If your organization has critical systems with a single person acting as both BSO and TSO, you should look for opportunities to at least have a second reviewer during audits.
What is the flow of a User Access Audit?
As an SMB how do I keep up with all the systems and user audits?
It can be difficult to keep up with user audits, so you need to prioritize the systems that are most important. Our general recommendations are:
Directory Services: Whether you centrally manage your users in Google, Microsoft, Okta, on-premises Active Directory, or anywhere else, it is imperative to audit this system to make sure that no terminations were missed and that any consultants who are no longer working for you have had their access removed. Because most other systems trust the directory for sign-in, a stale account here usually means stale access everywhere that system is federated.
Accounting/ERP System: Maintaining an updated list of users who should have access to your financial systems is imperative to ensure you limit the risk of fraud, theft, and financial mistakes.
Payroll and HR System: Because these systems contain sensitive employee data, the list of users who have access should be strictly limited.
Any systems that contain Protected Health Information (PHI): Limiting the users who can access patient information is a requirement of HIPAA compliance.
Shared Drives with sensitive information: Drives like the HR drive, Accounting drive, and IT drive usually hold sensitive documents. Not only should you audit who has access to them, but if they are hosted in the cloud, you should also review any publicly shared or “anyone with the link” links, which bypass the user list entirely.
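The following is an added example, not code from the original guide, showing the reconciliation step behind the Directory Services item above and the privileged/standard split described under “What should be audited?”. It compares an exported list of enabled directory accounts against an HR roster to flag missed terminations, contractors whose end date has passed, and accounts HR has no record of, and it sorts the remaining accounts into the privileged and standard review lists the BSO signs off on. The CSV column layouts, the list of role names treated as privileged, and all sample accounts are constructed for illustration; map them to whatever your directory (Entra ID, Google Workspace, Okta, Active Directory) and HR system actually export.

```python
"""Reconcile a directory user export against an HR roster for a user access audit.

Added example for illustration. The CSV layouts, privileged role names and all
accounts below are constructed, not taken from any real tenant.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed sample export of *enabled* directory accounts (one role list per user,
# roles separated by ';'). Real exports will have more columns; only these are used.
DIRECTORY_CSV = """\
upn,enabled,roles
alice@example.com,true,User
bob@example.com,true,Global Administrator
carol@example.com,true,User
dave.consultant@example.com,true,User
erin@example.com,false,User
svc-backup@example.com,true,Exchange Administrator
"""

# Constructed sample HR roster: status, worker type and (optional) end date.
HR_CSV = """\
email,status,worker_type,end_date
alice@example.com,active,employee,
bob@example.com,active,employee,
carol@example.com,terminated,employee,2024-02-29
dave.consultant@example.com,active,contractor,2024-04-30
erin@example.com,terminated,employee,2023-11-10
"""

# Assumed set of role names that count as privileged for audit cadence purposes.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "User Administrator"}


@dataclass
class AuditFindings:
    missed_terminations: list = field(default_factory=list)  # HR says gone, account still enabled
    expired_contractors: list = field(default_factory=list)  # contractor end date has passed
    no_hr_record: list = field(default_factory=list)         # service/orphan accounts HR never saw
    privileged_review: list = field(default_factory=list)    # full list for the privileged review
    standard_review: list = field(default_factory=list)      # full list for the standard review


def reconcile(directory_csv: str, hr_csv: str, today_iso: str) -> AuditFindings:
    """Join enabled directory accounts to the HR roster and bucket them for review."""
    today = date.fromisoformat(today_iso)
    hr = {row["email"].strip().lower(): row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = AuditFindings()

    for row in csv.DictReader(io.StringIO(directory_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled; no access decision needed this cycle
        upn = row["upn"].strip().lower()
        roles = {r.strip() for r in row["roles"].split(";") if r.strip()}

        # Every enabled account lands on exactly one review list (privileged or standard).
        if roles & PRIVILEGED_ROLES:
            findings.privileged_review.append(upn)
        else:
            findings.standard_review.append(upn)

        record = hr.get(upn)
        if record is None:
            findings.no_hr_record.append(upn)  # often service accounts; needs an owner
            continue
        end_date = date.fromisoformat(record["end_date"]) if record["end_date"] else None
        if record["status"].strip().lower() == "terminated":
            findings.missed_terminations.append(upn)
        elif record["worker_type"].strip().lower() == "contractor" and end_date and end_date < today:
            findings.expired_contractors.append(upn)
    return findings


def main() -> None:
    f = reconcile(DIRECTORY_CSV, HR_CSV, "2024-06-01")
    print("Missed terminations:", f.missed_terminations)
    print("Expired contractors:", f.expired_contractors)
    print("No HR record:       ", f.no_hr_record)
    print("Privileged review:  ", f.privileged_review)
    print("Standard review:    ", f.standard_review)


if __name__ == "__main__":
    main()
```

The three findings lists are what the TSO acts on immediately (disable the account, or get a named owner for anything HR has never heard of), while the two review lists are sent in full to the BSO, who confirms each name and each privileged role. Run it against a fresh export every cycle, not against a list maintained by hand, so the audit reflects what the directory actually contains.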
As an MSP how do I help my customers?
We routinely encounter MSPs who follow the termination procedures set forth by their clients, which is a great start. However, we’ve found that being proactive with user audits builds trust with your clientele. Something as simple as taking a list of currently active users in a client’s tenant and sending it to HR to review demonstrates that you have the client’s best interests in mind and want to make sure they have a secure environment, and it catches the terminations nobody told you about.
How do I start?
We find that many small businesses and MSPs start by tracking the list of systems they manage in Excel. This is a fine place to start, but it lacks reminders and any way to record that an audit was performed, who reviewed it, and what was changed. More sophisticated MSPs track some or all of this in their ticketing system. This is a good step forward, but it provides limited visibility to the client and is not portable should the client’s contract end. Blacksmith InfoSec helps you manage these processes with a built-in Business Systems List and User Access Review module. It includes a notification system to remind your TSO that an audit is due and a workflow engine to facilitate the approval process with the BSO.