866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

System Access Reviews are Critical for Strong Internal Controls Blog Feature

By: MIKE MEYER

Print/Save as PDF

System Access Reviews are Critical for Strong Internal Controls

Compliance and Certification | SOC Examinations

Periodic reviews of system access are critical for service organizations who wish to maintain strong internal control around information security. Access privileges to systems or physical locations that impact the customer’s business environment should be commensurate with the requirements of the services provided. These privileges should also facilitate segregation of incompatible duties. For example, in order to segregate incompatible duties, a system developer generally should not also have access to migrate changes to the production environment.

Similarly, a service would almost never require a billing clerk to have access to a proprietary data center. As a general rule, restriction of access privileges should be considered for the following:

  • Production data centers or server rooms
  • Office buildings
  • Production networks
  • Production server operating systems
  • Production databases
  • Production applications
  • Ancillary applications that could allow indirect access to the above environments (e.g., password safes or badge access systems)

In order to ensure that systems are both physically and logically secure, a service organization should first design and implement strong preventive controls around user provisioning and de-provisioning. These controls commonly include creation of access change requests within a ticketing system, approval from a user’s manager prior to granting access, and assignment of responsibility for executing the approved changes.

However, as human and technological errors are almost certain to occur throughout these processes, detective and corrective controls are also needed to ensure that access is appropriately restricted. A properly designed and implemented user access review should act as both a detective and corrective control. Below are a few key steps to help ensure that a user access review is performed completely, accurately and in a timely matter.

Planning the Review

  1. Assign responsibility for facilitating the access review.
    Whether this review is automated or performed manually by human resources or IT, a person or group should be responsible for ensuring the review is completed. This person or group does not necessarily perform the review, but rather ensures the review is completed by the appropriate personnel (Note: The access review should generally be performed as a function of the business, and not by an independent internal audit function).
  2. Ensure that logical and physical access listings for all systems relevant to the service are considered as part of the review.
    The bulleted list above is a solid place to start when determining the scope of an access review. It may also be beneficial to assign responsibility to a manager or administrator for each system.
  3. Determine a frequency for the access review.
    A quarterly review aligns with best practices and is even required by certain compliance standards. However, more or less frequent reviews may be required, depending on the organization. At a minimum, these reviews should occur annually.
  4. Although not required, a ticketing system can be a valuable tool in performing an access review.
    A ticketing system is an easy way to disseminate access listings, assign responsibility, and track the progress of the review.
  5. Document the user access review process within a policy or procedural document.
     The access review procedures should be documented in detail to guide relevant personnel in the performance of the review.

Performing the Review:

  1. Obtain full user access listings with privileges for all systems in scope for the review. Examples include application or database user privilege listings, server operating system group listings, network domain group listings and badge access listings with zone definitions.
  2. Request that system administrators review privileged user access. “Privileged users” can be loosely defined as those users with the ability to modify user access or make changes to systems. In the case of physical access, this includes users with access to proprietary data centers as well as administrative access to badge access systems. Of course, the service organization should make a determination based on its environment as to which privileges must be periodically reviewed. Each review should be performed shortly after the user access listings are extracted to ensure that relevant information is being reviewed.
  3. Execute corrective changes based on management’s review. Once a review of each privileged user has been performed, any changes noted in the review should be made by system administrators in order to ensure that access is appropriate.
  4. Retain detailed documentation of the user access review. Key elements from each access review should be retained in an internal repository or folder as evidence of the review. If a ticketing system is utilized for the review, any attachments or approvals will be inherently maintained within the system. However, any e-mail approvals or other communications outside the ticketing system should be retained as well. No matter what retention system is used, the following information should be retained:a. The date the user listing was extracted
    b. The date the manager or administrator performed the review
    c. The name of each manager or administrator performing the review
    d. Approvals and names of users deemed to have inappropriate access

Much of the access review process seems relatively basic, but when done right, it can make up for a multitude of information security mistakes. With proper design, documentation and assignment of responsibility, this can be an effective tool for service organizations in achieving their security and compliance goals.

 

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.