How to lessen the pain points of user access reviews

Application Risk Insights

As businesses accelerate their digital transformation, user access reviews (UAR) have become a major priority for modern enterprises to support their evolving workforce and customers. Once viewed as an operational back-office issue, UARs are now gaining board-level visibility to stay compliant and manage risks effectively.

Managing UARs can be difficult, but by understanding their pain points, organizations can put together a framework that lessens their complexity and reveals ways to improve the process.

UAR is the process of periodically re-certifying the appropriateness of logical user access and security entitlements for production applications. Executing periodic UARs is a key control that verifies the user community's adherence to the risk-based principle of least privilege and ensures that access is limited to the right users within the organization.

A well-defined, documented UAR policy helps mitigate potential risks and control failures while providing auditable evidence for satisfying compliance requirements such as SOX, which requires firms to know who has access to secured data.

The need to control who has access to what systems and data is more than just a matter of enterprise security; it is a compliance necessity as well. Conducting user access reviews periodically is critical for monitoring, managing, and auditing the user account lifecycle and preventing potential risk concerns. UAR shouldn't be the tool you use to clean up access once a year; instead, it should validate the appropriateness of the work you've been doing all year. By controlling "who has access to what" from the initial access request approval process through to the fulfilment of access on target systems, UARs enable organizations to improve their overall security posture and prevent inappropriate access from being granted.

Contact us

Brian Jensen, Managing Director, GRC Technology, KPMG LLP, +1 817-946-9552

Christian Leva, Managing Director, GRC, KPMG LLP, +1 214-840-2000

Joe Franczkowski, Managing Director, GRC Technology, KPMG, +1 267 256 3242