Perform thorough yet fast access audits
Access audits are some of the more painful and tedious compliance tasks that IT and Security teams have to deal with.
They require IT or Security to identify every asset whose access needs review, find out who is responsible for knowing who should have access, message those parties for confirmation, and chase down people who don’t reply. On top of that, they have to keep track that each of those conversations happened and that access was confirmed, so the record can serve as auditor evidence. Manual lists and screenshots of Slack or Teams conversations are often the painstakingly gathered evidence that is later provided to auditors.
What seems like a simple task can balloon into a frustrating process that takes upwards of a month to complete each time. Access audits are manual and time consuming, and they can leave everyone involved frustrated.
Worse yet, because they’re so difficult to accomplish, deeper access audits can be skipped in favor of higher-level access reviews. Instead of checking whether access to specific assets is correct, teams focus on what they can easily do, which is reviewing top-level access to applications. This leaves the risk of unauthorized access on the table and undermines the purpose of doing an access audit in the first place.
Access audits should be quick and easy to complete. You should be able to select the exact criteria you’d like audited, no matter how specific. For example, making sure that access to every shared drive is reviewed by its owners. Or, having the Finance team review access to SOX-related assets.
Once the criteria are selected, the system should automatically contact every single employee who needs to review access. Employees should be able to see a list of the exact items they need to review and exactly who has access to those items. They should be able to make any access changes they need to—like removing internal accounts that no longer need access, taking off personal accounts with access, or closing open links. Employees should be able to easily confirm that they’ve completed the access audit.
Throughout the access audit process, administrators should be able to see exactly who has and has not completed the audit.
An ideal solution would allow administrators to remind everyone who has not completed the access audit to complete it. No manual Slack or Teams messages to hundreds or thousands of people—just a quick automated reminder message to employees who haven’t finished their work.
And, such a system would provide simple evidence that can be given to external and internal auditors to show that the comprehensive access audit was completed.
This system would allow administrators to select one or many applications as part of their criteria. For example, having employees review access to assets residing in Google Drive, Microsoft OneDrive, Microsoft SharePoint, GitHub, and GitLab.
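The workflow laid out above (select criteria by application or tag, hand each owner a list of the grants on their assets flagged as internal, personal or open link, record keep/remove decisions, refuse a confirmation until every grant has been decided, track who is still pending for reminders, and emit an evidence trail) as a small Python model. This is an added example written for this page, not code from the author or any product; the asset inventory, the `example.com` internal domain, and the `anyone-with-link` marker are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed assumptions: accounts outside this domain count as personal/external,
# and OPEN_LINK stands in for an "anyone with the link" share.
INTERNAL_DOMAIN = "example.com"
OPEN_LINK = "anyone-with-link"


@dataclass(frozen=True)
class Grant:
    principal: str   # account address, or OPEN_LINK for an open sharing link
    role: str        # e.g. "viewer" or "editor"


@dataclass
class Asset:
    app: str          # source system, e.g. "Google Drive"
    name: str
    owner: str        # the person responsible for confirming access
    tags: frozenset   # e.g. {"SOX"}
    grants: list


def classify(grant):
    """Label a grant the way a reviewer should see it: internal, external or open-link."""
    if grant.principal == OPEN_LINK:
        return "open-link"
    domain = grant.principal.rsplit("@", 1)[-1]
    return "internal" if domain == INTERNAL_DOMAIN else "external"


def select_assets(assets, apps=None, tags=None):
    """Apply the campaign criteria: restrict the inventory by application and/or tag."""
    chosen = []
    for a in assets:
        if apps is not None and a.app not in apps:
            continue
        if tags is not None and not (a.tags & set(tags)):
            continue
        chosen.append(a)
    return chosen


class Campaign:
    """Tracks one access-review campaign from kick-off to auditor evidence."""

    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}
        self.tasks = {}                      # owner -> asset names they must review
        for a in assets:
            self.tasks.setdefault(a.owner, []).append(a.name)
        self.decisions = {}                  # (asset, principal) -> "keep" | "remove"
        self.completed = set()
        self.log = []                        # append-only evidence trail

    def _stamp(self, event, **fields):
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def review_items(self, reviewer):
        """Everything the reviewer must look at: each grant on their assets, classified."""
        return [(name, g.principal, g.role, classify(g))
                for name in self.tasks.get(reviewer, [])
                for g in self.assets[name].grants]

    def decide(self, reviewer, asset_name, principal, action):
        """Record a keep/remove decision; a removal is applied to the asset immediately."""
        if asset_name not in self.tasks.get(reviewer, []):
            raise PermissionError(f"{reviewer} is not the owner of {asset_name}")
        if action not in ("keep", "remove"):
            raise ValueError(f"unknown action {action!r}")
        asset = self.assets[asset_name]
        if action == "remove":
            asset.grants = [g for g in asset.grants if g.principal != principal]
        self.decisions[(asset_name, principal)] = action
        self._stamp("decision", reviewer=reviewer, asset=asset_name, principal=principal, action=action)

    def confirm(self, reviewer):
        """Reviewer attests they are done; refused while any grant is still undecided."""
        undecided = [(n, p) for (n, p, _, _) in self.review_items(reviewer)
                     if (n, p) not in self.decisions]
        if undecided:
            return False
        self.completed.add(reviewer)
        self._stamp("confirmed", reviewer=reviewer)
        return True

    def pending(self):
        """Owners who have not confirmed: the list an automated reminder would target."""
        return sorted(set(self.tasks) - self.completed)

    def evidence(self):
        """Summary handed to auditors: who was asked, who finished, and every recorded event."""
        return {"reviewers": sorted(self.tasks), "completed": sorted(self.completed),
                "pending": self.pending(), "events": list(self.log)}


def sample_assets():
    """Constructed sample inventory for the example (not real data)."""
    return [
        Asset("Google Drive", "Q3 Board Deck", "alice@example.com", frozenset({"SOX"}),
              [Grant("bob@example.com", "editor"), Grant("bob.personal@gmail.com", "viewer"),
               Grant(OPEN_LINK, "viewer")]),
        Asset("GitHub", "payments-service", "carol@example.com", frozenset({"SOX", "prod"}),
              [Grant("dave@example.com", "editor"), Grant("ex-contractor@vendor.example", "viewer")]),
        Asset("SharePoint", "Team Wiki", "erin@example.com", frozenset({"general"}),
              [Grant("frank@example.com", "viewer")]),
    ]
```

Running a SOX-scoped campaign over the sample inventory gives Alice three items to review (one internal editor, one personal Gmail account, one open link); her confirmation is rejected until each has a decision, and once she removes the personal account and the open link and confirms, only Carol remains on the reminder list while the log holds every decision with its timestamp.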