Information Security
Guidance for Conducting Access Reviews for Information Resources
Last modified 2/9/2023
Access reviews are a critical aspect of information security, as they help ensure that only authorized individuals have access to sensitive information. This guidance provides information resource owners with instructions on how to conduct access reviews in an effective and efficient manner.
- Step 1: Identify the Information Resource
The first step in conducting an access review is to identify the information resource that requires review. This may include databases, files, or applications containing sensitive information.
- Step 2: Determine the Approval Process
Next, determine the approval process for granting access to the information resource. This may include obtaining approval from the appropriate manager or supervisor, as well as completing any necessary forms or agreements.
- Step 3: Gather Information
Gather information about the individuals who have access to the information resource. This may include their names, roles, and the specific access they have been granted.
- Step 4: Evaluate Access Requirements
Evaluate the access requirements for each individual. This may include reviewing their role and responsibilities, as well as any regulations or policies that apply to their access to the information resource.
- Step 5: Review Access
Review the access for each individual and determine whether it is still necessary and appropriate. Consider factors such as whether the individual is still with the organization, whether their role or responsibilities have changed, and whether they are still authorized to access the information resource.
Get Help
The Information Security Office can help by providing a report on the users you are reviewing. They will collect relevant data across a variety of systems and provide a recommendation based on their findings.
- Step 6: Revoke or Modify Access
If necessary, revoke or modify access to the information resource. This may include removing individuals who no longer require access or adjusting the level of access they have been granted.
- Step 7: Document Changes
Document any changes made to access to the information resource, including the reasons for the changes and the approval process used.
- Step 8: Schedule Regular Reviews
Finally, schedule regular access reviews to ensure that access to sensitive information is kept up to date and secure.