What would you improve about your user access review process?

Identity & Access Management (IAM)Governance, Risk & Compliance

2.6k views1 Upvote5 Comments

Sort by:

Director ERP Management in Travel and Hospitality4 years ago

I used to review user access for our ERP system which was subject to annual external audit. Initially semi-annual review cycle was ok, then we moved to quarterly reviews and then monthly. I would classify access levels into at least two groups; Users and Elevated Access (Admins) groups. Admins access reviews would be more frequently and thorough vs. Users. E.g. if report shows an Admin access was updated within review period, the Admin's manager approval for access change must be documented. I would improve the process by adding a change log report to the audit procedures.

Director of IT in Healthcare and Biotech4 years ago

Ensuring access is provided quickly, allowing managers to easily change the role profile and entitlements, and creating tools to help staff do this work without IT involvement.

1 1 Reply

no title4 years ago

And doing ALL of that securely; that's the balance we all have to try to take into account. quickly and easily is great as long as we can secure it.

Secure Facilities Information Technology Manager in Manufacturing4 years ago

I would be nice to have an automated process that flags users who have not accessed certain applications within certain time periods, especially when it comes to individual seat licenses.

IT Strategist in Government4 years ago

Having guidelines and tools helping to guide users and decision makers through the process will help with clarity and expedite the whole process.

Content you might like

Can you share any effective processes/strategies you’ve used to integrate cyber risk management and enterprise risk management at your org?

Curious how people are dealing with fraud, and specifically tech support scams, in their organisation. Our service desk have a protocol (using personal questions and answers or escalation to a manager) when validating staff requesting password resets. This wouldn't be scalable to our wider population. I've heard of one tech firm implementing something simple like 2 random words generated on an internally hosted website every, say, 60s that can be used as a challenge & response. Does anyone have any other smart, easy to use, bits of tech that I should consider as part of a wider on-going education and awareness campaign? I'm assuming this is a hot topic for many of you, given the recent Quick Assist social engineering ransomware attacks.

Does your organization have an in-house environmental, social and governance (ESG) working group?

Yes35%

Not yet, but we have plans to form one.40%

No, but it is being discussed.10%

No13%

Unsure

View Results

How do you give access to your data sources at your organization? (i.e. Oracle, MySQL, SQL Server, MongoDB)

Internal applicaiton to share34%

Export data in excel to share54%

Direct access to data source44%

Using reporting tools to share out data29%

Other (please share below)2%