Part 3: How Often Should You Perform a User Access Review?
26 Nov 19
Well, only you can really answer this question; but let me give you my thoughts on how often you should be performing a User Access Review.
“As often as possible”
End of article.
No, sorry, that’s not really a good answer I know so let’s step back a little and answer it properly.
Different Reviews at Different Frequencies
As a minimum, conducting a complete user access review at least once a year is a good place to start, but it is often a little more complicated than that.
Different kinds of access represent different levels of risk, so it is often a good approach to segment your access reviews by risk. This lets you perform focused reviews of specific, higher-risk areas more frequently where needed.
Here are a few examples…
- Since it requires the most effort, you might choose to only perform a full company-wide review once a year.
- For access that is in scope for compliance purposes (such as Sarbanes-Oxley), you might choose to review it twice a year.
- For your IT-based users and responsibilities, you might choose to do a review of this type of access every quarter.
- If you have a means of identifying access-related risk (i.e. Segregation of Duties and Sensitive Access), then you might want to review access where critical risk is present once a month.
- You might choose to segment your reviews by geographical location, with each location managing its own reviews at different times of the year.
There are many types of user access review that you may want to perform and all of them might be needed at different times of the year.
How “big” the review is and the number of people involved (i.e. the number of reviewers) will also play a part in determining how regularly you perform a User Access Review.
You may have a large Oracle EBS user base but perhaps only a handful of “process owners”. So, when doing a process owner type of review, there will be a lot of access that needs to be reviewed, but only a handful of reviewers involved.
Whereas for a supervisor or manager type review, there will likely be just as much access to review (i.e. the same number of people with access to the system), but there could be dozens or even hundreds of people doing the review.
In a perfect world, access would be reviewed continuously (which can be achieved if you use an access control solution such as CS*Comply). For an overall review where access is reviewed at a high level (i.e. responsibility level), however, you have to weigh up the benefits of the review against the time and cost of conducting it, and against the risk of users holding inappropriate access, and find the balance that works for your organization.
Basically, the more frequently you perform an access review, the more accurate and correct your users’ access will be.
Ongoing “Change of Circumstance” Reviews
There is a scenario where very frequent access reviews may be required; this is when a person moves within an organization, perhaps to another department.
For example, if a person currently works in the purchasing department then their access will likely be based on what they need from a purchasing perspective, but if they then move into the payables department then their access requirements will be different.
In these situations, it is good practice to have their access reviewed as a kind of mini ad-hoc review; we call this a “Transfer Review” and these might be needed on a daily basis.
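To make the tiered cadence and the Transfer Review trigger concrete, here is an added example (not part of the original article, and not CS*Provisum code): a small Python scheduler that, for constructed sample Oracle EBS responsibilities, applies the shortest cadence of all the tiers a responsibility falls into and forces a Transfer Review whenever the user's department has changed since the last certification. The tier names, intervals and sample users are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review cadence per risk tier, in days, following the article's examples
# (constructed values, not a product setting).
CADENCE_DAYS = {
    "company_wide": 365,   # full company-wide review once a year
    "sox": 182,            # compliance-scoped access twice a year
    "it": 91,              # IT users and responsibilities quarterly
    "critical_risk": 30,   # SoD / sensitive-access conflicts monthly
}

@dataclass
class Assignment:
    user: str
    responsibility: str
    tiers: tuple            # risk tiers this responsibility falls into
    last_reviewed: date     # date of the last certification
    dept_at_review: str     # department the user was in at that time
    dept_now: str           # department the user is in today

def due_reviews(assignments, today):
    """Return (user, responsibility, reason) for each assignment needing review.
    A department change since the last certification triggers a Transfer Review
    regardless of cadence; otherwise the shortest cadence among the tiers wins."""
    due = []
    for a in assignments:
        if a.dept_now != a.dept_at_review:
            due.append((a.user, a.responsibility, "transfer"))
            continue
        # Every responsibility is at least in scope for the annual review.
        tiers = set(a.tiers) | {"company_wide"}
        strictest = min(tiers, key=CADENCE_DAYS.get)
        if today - a.last_reviewed >= timedelta(days=CADENCE_DAYS[strictest]):
            due.append((a.user, a.responsibility, strictest))
    return due

# Constructed sample data; responsibility names only mimic Oracle EBS style.
REVIEW_DATE = date(2019, 11, 26)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "Purchasing Super User", ("sox",), date(2019, 5, 1), "Purchasing", "Purchasing"),
    Assignment("bob", "System Administrator", ("it", "sox"), date(2019, 9, 15), "IT", "IT"),
    Assignment("carol", "Payables Manager", (), date(2019, 1, 10), "Purchasing", "Payables"),
    Assignment("dave", "AP Invoice Entry", ("critical_risk",), date(2019, 10, 20), "Payables", "Payables"),
    Assignment("erin", "Employee Self Service", (), date(2019, 3, 1), "HR", "HR"),
]

if __name__ == "__main__":
    for user, resp, reason in due_reviews(SAMPLE_ASSIGNMENTS, REVIEW_DATE):
        print(f"{user:6} {resp:24} -> {reason} review due")
```

Note that bob's System Administrator responsibility sits in two tiers, so the quarterly IT cadence (not the semi-annual SOX one) decides when it is next due.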
Trying to manage your access reviews without any kind of software automation is going to be very difficult at best and often impossible, especially if you need to perform more than one review per year.
Surely there must be a better way?
Want to know how we can help you streamline and automate your Oracle EBS user access reviews? Get in touch and ask us about CS*Provisum PAR.
Want a quick overview of CS*Provisum PAR? Check out the video below…
Next Week & Early Access
The final article in this series is “How CS*Provisum PAR can Simplify and Streamline your User Access Reviews”.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.