User access reviews (UARs) are a “catch-all” control that checks your joiner, mover and transfer access control practices are working correctly.
The Consumer Data Right gives Australians control of their data. This enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.
User access reviews support two of the 24 information security requirements: Restrict Administrative Privileges and Access Security.
If the wrong access is provisioned, changes or removals are “missed”, or access is no longer required, the UAR is designed to identify and rectify that. If you do identify any changes required, it’s important to then investigate or at least consider what went wrong, or why that wasn’t identified earlier. Inappropriate access, particularly a leaver that retains access to your systems, can be the cause of a security breach or other inappropriate activity within your systems and data.
We often see clients that have a record of who should have access and the relevant roles and privileges. It's important that your UAR is performed using the live or "real" system access, not that record. Otherwise, the UAR is not a “catch-all” and may miss cases where your access records diverge from the real access in the systems.
Depending on your company size and the breadth of your systems environment, the UAR can be a simple or quite onerous exercise. In small organisations, you may have a single person (e.g. the CTO) complete the UAR across all systems. In this case, they have direct knowledge of who should have access to what, with a broad view of the organisation and people's roles. As the number of systems and employees grows, this becomes less feasible and may require line managers and separate system owners to conduct parts of the reviews.
When it comes to demonstrating the UAR is completed appropriately, you should document the date of review, who conducted the review(s), and confirmation of the outcome(s), i.e. all access appropriate, or noting the changes required and completed as part of the review. Reviews should be completed at least quarterly, and in some cases monthly for more sensitive access like administrative functions.
The CDR Perspective
The CDR Access Security and Restrict Administrative Rights sections require user access reviews to be completed.
"On a regular basis, all access rights to systems within the CDR data environment should be reviewed by appropriate personnel with sufficient knowledge of the system. This includes a review of both whether the person is appropriate to have access (e.g. a legitimate user), and whether the provisioned access is appropriate (e.g. the roles and access rights match the user's responsibilities). Administrative access rights are reviewed on a regular basis, at least monthly."
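The reconciliation described above (comparing who should have access against a live export of who actually does, then recording date, reviewer and outcome, with administrative access on a monthly cadence) can be scripted. The following is an added example written for this page; it is not AssuranceLab's tooling and not part of the CDR rules. The HR roster, access register and live export are constructed sample data, and the field names, role names and the `ADMIN_ROLES` set are assumptions.

```python
"""User access review reconciliation: compare the access register and HR roster
against a live export of system access, then produce the review record.

Added example for this page (not AssuranceLab's own tooling or the CDR rules).
All data below is constructed sample data and the field names are assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import date

# Constructed sample: HR roster, the source of truth for who is still employed.
HR_ROSTER = {
    "alice": {"status": "active", "title": "Platform Engineer"},
    "bob":   {"status": "active", "title": "Support Analyst"},
    "carol": {"status": "left",   "title": "Data Engineer"},   # a leaver
}

# Constructed sample: the access register, i.e. who *should* hold which roles.
ACCESS_REGISTER = {
    "alice": {"prod-db": {"admin"}, "crm": {"read"}},
    "bob":   {"crm": {"read"}, "prod-db": {"read"}},
}

# Constructed sample: live export from each system, i.e. who *actually* holds
# which roles. A real review pulls this from the systems, never from the register.
LIVE_ACCESS = {
    "prod-db": {"alice": {"admin"}, "carol": {"read"}, "svc-etl": {"admin"}},
    "crm":     {"alice": {"read"}, "bob": {"read", "export"}},
}

ADMIN_ROLES = {"admin"}   # assumption: which role names count as administrative


@dataclass
class Finding:
    system: str
    user: str
    issue: str
    detail: str


def reconcile(hr, register, live):
    """Return one Finding per discrepancy between live access and the expected state."""
    findings = []
    # Pass 1: every live account must belong to a current, legitimate user
    # holding no more than the roles the register says they should have.
    for system, accounts in live.items():
        for user, roles in accounts.items():
            person = hr.get(user)
            expected = register.get(user, {}).get(system, set())
            if person is None:
                findings.append(Finding(system, user, "unknown-account",
                                        "not in HR roster; confirm owner or remove"))
            elif person["status"] != "active":
                findings.append(Finding(system, user, "leaver-retains-access",
                                        f"status={person['status']}; revoke {sorted(roles)}"))
            else:
                extra = roles - expected
                if extra:
                    findings.append(Finding(system, user, "excess-privilege",
                                            f"holds {sorted(extra)} beyond register"))
    # Pass 2: register entries with no matching live access mean the record is stale.
    for user, systems in register.items():
        for system, roles in systems.items():
            missing = roles - live.get(system, {}).get(user, set())
            if missing:
                findings.append(Finding(system, user, "register-divergence",
                                        f"register lists {sorted(missing)} but live access lacks it"))
    return findings


def review_cadence_days(live):
    """Systems where anyone holds an administrative role are reviewed monthly, others quarterly."""
    return {system: 30 if any(roles & ADMIN_ROLES for roles in accounts.values()) else 90
            for system, accounts in live.items()}


def review_record(findings, reviewer, review_date):
    """The evidence the page asks for: date, reviewer and outcome of the review."""
    outcome = ("all access appropriate" if not findings
               else f"{len(findings)} changes required; see findings")
    return {"date": review_date.isoformat(), "reviewer": reviewer,
            "outcome": outcome, "findings": [asdict(f) for f in findings]}


if __name__ == "__main__":
    record = review_record(reconcile(HR_ROSTER, ACCESS_REGISTER, LIVE_ACCESS),
                           reviewer="cto@example.com", review_date=date(2024, 1, 31))
    for f in record["findings"]:
        print(f"{f['system']:8} {f['user']:8} {f['issue']:24} {f['detail']}")
    print(record["outcome"], review_cadence_days(LIVE_ACCESS))
```

On the sample data the script raises four findings: a leaver still holding read access on `prod-db`, a service account with no HR owner, a user with an extra `export` role in `crm`, and a register entry that no longer matches live access. The last case is not a security exposure by itself, but it is exactly the divergence a review run against the register alone would never surface, which is why the live export is the input. Each of the four issues should prompt the follow-up the page recommends: not only revoking access, but asking why the joiner, mover or leaver process missed it.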
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.