Information Security

Guidance for Conducting Access Reviews for Information Resources

Last modified 2/9/2023

Access reviews are a critical aspect of information security, as they help ensure that only authorized individuals have access to sensitive information. This guidance provides information resource owners with instructions on how to conduct access reviews in an effective and efficient manner.

  • Step 1: Identify the Information Resource

The first step in conducting an access review is to identify the information resource that requires review. This may include databases, files, or applications containing sensitive information.

  • Step 2: Determine the Approval Process

Next, determine the approval process for granting access to the information resource. This may include obtaining approval from the appropriate manager or supervisor, as well as completing any necessary forms or agreements.

  • Step 3: Gather Information

Gather information about the individuals who have access to the information resource. This may include their names, roles, and the specific access they have been granted.

  • Step 4: Evaluate Access Requirements

Evaluate the access requirements for each individual. This may include reviewing their role and responsibilities, as well as any regulations or policies that apply to their access to the information resource.

  • Step 5: Review Access

Review the access for each individual and determine whether it is still necessary and appropriate. Consider factors such as whether the individual is still with the organization, whether their role or responsibilities have changed, and whether they are still authorized to access the information resource.

Get Help

The Information Security Office can help by providing a report on the users you are reviewing. They will collect relevant data across a variety of systems and provide a recommendation based on their findings.

  • Step 6: Revoke or Modify Access

If necessary, revoke or modify access to the information resource. This may include removing individuals who no longer require access or adjusting the level of access they have been granted.

  • Step 7: Document Changes

Document any changes made to access to the information resource, including the reasons for the changes and the approval process used.

  • Step 8: Schedule Regular Reviews

Finally, schedule regular access reviews to ensure that access to sensitive information is kept up to date and secure.

By following these steps, information resource owners can conduct effective and efficient access reviews that help ensure the security and confidentiality of sensitive information.