[Video] Best Practice Tips For Periodic User Access Reviews In ERP Systems
Unauthorized access is a significant but preventable threat to an organization. Periodic User Access Reviews help you identify redundant or unneeded access, which is critical for good ERP security. Unfortunately, this process can be challenging and unwieldy.
In this episode of the Appsian Insights video series, we’re going to review the importance of conducting user access reviews, examine the specific information the review should contain, and tips for reviewing and approving access.
What Are User Access Controls?
Access controls are necessary to ensure only authorized users can obtain access to an organization’s information and systems. Access controls also manage the granting user’s access to only the specific resources they require to complete their job-related duties.
Why Is A User Access Review Important?
Conducting periodic user access reviews confirms that an organization has adequate controls to restrict access to systems and data. At a more detailed level, it also confirms that:
- Access procedures are documented and followed.
- Segregation of duties is checked.
- Data privacy measures are in place.
- Privileged access is heavily scrutinized.
What Information Should Be Included In Your Access Review?
The effectiveness and efficiency of your periodic review depend on how clearly you tell the story of user access. Some of the information you should provide includes:
- User full name
- Job title
- Roles within the application with descriptions
- Status of system access (is the user enabled or disabled)
- System access rights (what can the user access within the system).
Tips For Reviewing And Approving Access
The department responsible for the management or provisioning of access should be the one who prepares and organizes the reviews. Periodic reviews should ensure the data can be easily understood by a supervisor or manager and include the following points:
- Procedure documents are readily available.
- Original extracts of the data are kept in a secure location.
- The review should be sent and reviewed by management, typically within five business days.
- Rejections or changes should be tracked and incorporated into your provisioning processes.
- Signoffs for reviews should be kept in a secure location for audit sampling.
What should supervisors or managers be looking for in the periodic review? As a supervisor or manager reviewing the information, ask yourself the following questions as you go through the data:
- Are all users I am responsible for listed?
- What is the employment status of the users listed?
- Does the user’s access match with their current job tasks and duties?
- Does the role provision to the users have the appropriate access rights within the system?
With careful planning and specialized tools, you can keep your ERP systems secure and adhere to general information technology controls (ITGC) in your upcoming audit. Contact the experts at Appsian to learn how we can help alleviate some of the pain and effort of periodic access reviews.