• Sign In
  • Get Started
HomeBlogAccess Review Myths

3 Myths You Should Know About Access Reviews

Access reviews are crucial for keeping your business secure, so it’s important to be clear on what is and isn’t true surrounding employee privileges and how they can be monitored.
Troy Fine

by Troy Fine

May 17, 2023
4 Myths You Should Know About Access Reviews - Header
Contents
Myth 1: They Need to Be Performed OftenMyth 2: They Are Difficult for Small Businesses to ManageMyth 3: They Take Small Businesses Months to Finish

It’s not always easy to know which of your employees should be allowed access to the systems you use—especially when so many data breaches involve a human element. Regularly reviewing personnel privileges can save your business from a costly cybersecurity incident, but how much of what we hear about access reviews is actually true?

We’re breaking down some of the most widespread myths about access reviews.

Myth 1: They Need to Be Performed Often

One of the most common misconceptions about access reviews is that they need to be performed quarterly or even monthly. This can make them feel largely overwhelming and difficult to keep up with.

In Reality

In most cases, compliance frameworks require access reviews to be done once a year at a minimum. PCI DSS 4.0 has a periodic access review requirement, but you will have to do it annually to satisfy the control. Both NIST 800-53 and HIPAA leave it up to you to create your own periodic schedule of access reviews. 

Of course, yearly is a minimum requirement, and the more closely you monitor employee access, the better, but we recommend establishing a cadence that matches your bandwidth—whether that’s monthly, quarterly, or yearly.

Myth 2: They Are Difficult for Small Businesses to Manage

It’s easy to feel like access reviews require lots of documentation and labor to complete. Going through each of your employees’ privileges and authorizations can be time-consuming and expensive in labor costs.

In Reality

This is only true if your company hasn’t implemented things like role-based access control, temporary authorization, and least privilege. Let’s take a look at each of these and how they can streamline the access review process.

  • Least privilege: The Principle of Least Privilege (POLP) is the idea that employees should only have access to the minimum amount of privileges they need to do their job.

  • Role-based access control: This allows you to put POLP into action by monitoring employee access based on their role. For example, someone on the marketing team may have access to Google Analytics or the company’s social media accounts, while those in the finance team may not.

  • Temporary authorization: Many software services allow you to offer temporary access to your employees. This is especially helpful when an employee is working on a special project or needs access to something that’s typically out of their scope.

Even just one of these things can help organize your access reviews by keeping the information needed manageable and easy to find.

Myth 3: They Take Small Businesses Months to Finish

Many companies are easily deterred from completing access reviews because of the time it might take to complete them. 

In Reality

The amount of time an access review takes is directly related to the number of employees your business has, applications that need to be reviewed, and people involved in the review—mostly because the process requires a look at each employee’s permissions. This means access reviews aren’t as big of a project for smaller businesses than they are for enterprise businesses. If you are a newer startup—or you simply keep your team lean—and you have about a hundred employees, access reviews shouldn’t take longer than a month or so.

Drata is built on trust, and that begins with being transparent about every step throughout the compliance process. Access reviews are crucial for keeping your business secure, which makes it easy to believe they can only be completed with an automation tool. The truth is, the access review functionality that’s on the market today may end up adding more work for some businesses.

For more industry insight, subscribe to Trusted, our bimonthly newsletter.

Trusted Newsletter
Resources for you
7 myths about SOC 2 compliance blog hero

7 Myths About SOC 2 Compliance

Debunking the Top 5 GDPR Myths and Misconceptions

Debunking the Top 5 GDPR Myths and Misconceptions

SOC 2 Type 2 Hero

SOC 2 Type 2: A Beginner’s Guide

Cost of Not Being Compliant with Frameworks

The Cost of Non-Compliance

Troy Fine
Troy Fine
Troy Fine is a 10-year auditor. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
7 myths about SOC 2 compliance blog hero

7 Myths About SOC 2 Compliance

Debunking the Top 5 GDPR Myths and Misconceptions

Debunking the Top 5 GDPR Myths and Misconceptions

SOC 2 Type 2 Hero

SOC 2 Type 2: A Beginner’s Guide

Cost of Not Being Compliant with Frameworks

The Cost of Non-Compliance