How to Perform User Access Reviews
A user access review is a process that involves regularly reviewing access rights for a company’s employees and third-party vendors.
There’s a good chance that you’ve shared a login with a colleague to help them quickly complete a task. While this may seem harmless, one small instance of sharing access to systems containing sensitive information can quickly snowball into a much bigger problem.
The truth is countless data breaches can stem from improper access management. Verizon’s 2022 Data Breach Report found that 82% of data breaches were caused by credential theft, phishing attacks, and employee misuse or mistakes.
The good news is that there are steps you can take to help protect your data and better control how access is granted and managed. Below, we dive into how to perform user access reviews and provide a simple checklist to streamline the process.
What Are User Access Reviews?
A user access review is a process that involves regularly reviewing access rights for a company’s employees and third-party vendors. The goal is to limit the number of employees who can access sensitive data to reduce the risk of a data breach.
A user is a term that describes more than just your organization’s employees. The term also extends to:
Partners
Third parties
Service providers
Vendors
Why Are Access Reviews Important?
With data breaches on the rise, it’s all the more important to ensure the access to sensitive data gets locked down within your organization.
Proactively addressing user access can help you avoid costly data breaches, like the Cash App breach of 2022. A former employee downloaded internal reports without permission, leading to a data leak that impacted 8 million Cash App customers.
Access reviews help alleviate a number of data issues, including:
Privilege creep: Occurs when an employee changes job roles within an organization and receives new privileges. Privilege creep can occur naturally over time, where employees who have been with the organization a long time obtain access to more and more systems.
Privilege misuse: Involves mishandling data or installing unapproved hardware or software.
Privilege abuse: Happens when user accounts get used inappropriately or fraudulently used—either maliciously, accidentally, or through willful ignorance of policies.
What Standards, Laws, and Regulations Encourage User Access Reviews?
Many standards, laws, and regulations include guidance for companies to implement user access measures within their organization. We dig into a few common security frameworks and how they handle user access reviews below.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is a data security standard that ensures companies accept, process, store, or transmit cardholder data safely and securely. PCI DSS is transitioning from the current version v3.2.1 to v4.0, effective March 31, 2025.
This new version includes updated requirements regarding access reviews to be aware of, including:
User accounts and related access privileges (including third-party/vendor accounts) must be reviewed every six months to ensure access remains appropriate.
Application and system accounts must be based on least privileges needed for operability.
Employee access must be limited to the systems, applications, or processes that are necessary for them to perform their roles. This is also referred to as Role-Based Access Control.
Organizations must employ policies and procedures to manage and assign accounts and related access privileges.
SOC 2
SOC 2 is a security framework that guides how companies should manage, process, and store customer data based on the Trust Services Criteria (TSC).
When it comes to access management for SOC 2, best practices include:
Employee offboarding management: Consider implementing automated access restrictions when an employee leaves to ensure departures don’t turn into security breaches.
Physical access controls: Access control isn’t limited to the digital world. Consider the physical access points (security gates, door locks, employee ID cards) that also need to be managed.
Multi-factor authentication (MFA): MFA is a common control that helps companies secure logins and prevent unnecessary access sharing.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act—better known as HIPAA—is the United States’ legal standard for protected health information (PHI) protection. The HIPAA Security Rule specifically outlines requirements for managing access to PHI and electronic protected health information (e-PHI), which includes:
Information access management: Covered entities must implement policies and procedures for authorizing role-based access to e-PHI.
Workstation and device security: Covered entities must implement policies and procedures outlining the proper use of and access to workstations and electronic media.
Audit controls: Covered entities must implement hardware, software, or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
General Data Protection Regulation (GDPR)
The European Union passed the General Data Protection Regulation (GDPR) in 2016 and went into effect in 2018. GDPR aims to regulate how organizations collect, process, and store the personal data of EU residents. Article 32 of the regulation requires organizations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” which includes identity and access management (IAM).
Managing identity and access management under GDPR can include:
The Principle of Least Privilege (POLP): Providing the minimal level of permissions to a user to do their job
Segregation of duties: An approach requiring more than one user to complete tasks related to the collection or processing of customer information
Authentication: Techniques like two-factor authentication (2FA) or MFA can verify user identities
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act is a law passed by the U.S. Congress on July 30, 2002. Known as the SOX Act, it means to protect investors from fraudulent financial reporting by corporations. ITGCs or IT General Controls are a subset of the Sarbanes-Oxley (SOX) internal control set that protect the security of IT systems and data centers, data backup and storage, and change management activities.
The ITGS portion of the SOX Act also includes requirements for limiting access to and protecting financial data. Managing access rights under SOX includes:
Overseeing access rights when onboarding new employees, as employees transition to new roles, and when they leave the organization.
Implementing Segregation of Duties (SoD.)
Maintaining an access control matrix.
Performing periodic access audits.
How to Perform an Access Review: 6 Steps
So, how exactly do you review employee access? We have an easy six-step process for you to follow below.
1. Create an Access Control Matrix
The first step in locking down user access is to understand where your high-risk data lives and determine who needs access. One way to do this is by creating an access control matrix.
An access control matrix is a table that identifies access permissions between specific subjects and objects. A subject refers to the people who need access to objects. Objects are files, resources, system processes,data, or tools that subjects need to do their job.
Within the matrix, designate user permissions for each subject and object within your organization. Companies often use the following attributes to assign varying levels of permissions:
Read: The subject can open and read the object but not edit it.
Write: The subject can read the object and add or write new content.
Execute: The subject can execute particular programs.
2. Develop an Access Management Policy
After establishing your access control matrix and understanding the current access permissions within your organization, you can draft your access management policy.
Within your policy, you may want to include:
An inventory of the data and resources that require protection.
A list of roles, responsibilities, and their necessary permissions.
Documentation of the processes and controls in place to secure user access.
Documentation of the software used to protect user access.
Documentation of your process for granting, revoking, and reviewing access.
3. Begin an Access Review Process
Once you have your access management policy documented, begin the access review process. For your first access review, it’s key to establish a cadence. One access review myth is that reviews need to occur quarterly or monthly. However, best practices are to do access reviews every six months or once a year.
You’ll also need to assign responsibilities to relevant team members. While this might involve your IT department, we recommend that you assign access review tasks to the people that deal directly with the data or system on a day-to-day basis. This could involve various department heads and managers from different departments within your organization.
An access review is conducted based on two key criteria:
Is the user’s access to the system or service appropriate based on their role?
Are the user’s permissions within the system or service appropriate based on their role?
For organizations with complex IT environments, it can be helpful to prioritize critical and high-risk systems/tools during the access review.
4. Train Team Members on the Importance of Access Permissions
Training is another key aspect of protecting your organization’s access permissions. Your team should receive formal training on your access management policy to ensure they understand the importance of following those procedures.
During this training, you should also alert the team of the consequences for failing to comply with your access management policy. Depending on your industry and where your business is located, these consequences may map back to certain data protection regulations like HIPAA or GDPR that come with their own specific non-compliance repercussions.
5. Implement Role-Based Access Control and the Principle of Least Privilege
As you’re considering ways to further protect your data from unauthorized access, there are two effective techniques to consider:
Role-based access control (RBAC) is a process where organizations assign permissions to employees based on their job role.
Principle of Least Privilege (POLP) is a process where organizations limit employee access rights to only those they need to effectively perform their job.
Building RBAC and POLP into your access management procedures helps your security program shift left and prevent access issues in the first place.
6. Analyze Access Review Results and Improve Processes Continuously
After you complete each access review, look for patterns in managing user access to help improve your permissions security moving forward. For example, are certain systems consistently resulting in findings during access reviews?
Over time, you may consider adding access protections like 2FA, MFA, or passwordless login methods such as biometrics-based login.
User Access Review Checklist
To help you perform effective user access reviews, we created this downloadable checklist.
How Drata Can Help You Automate User Access Reviews
Protecting your data from improper user access is no small task—whether your organization is just starting up or at the enterprise level. Finding ways to help automate aspects of user access management not only frees up your employees to focus on their responsibilities but also helps prevent human error.
A tool like Drata enables you to automate risk management processes, sending you alerts for new or evolving risks, helping you determine a treatment plan, and addressing concerns before they pose a real threat to your business.
Ready to learn more? Schedule a demo with our team today.
