What is a User Access Review for Physical Security?
Physical access reviews go by many names. Some organizations call them access recertifications, account attestations or entitlement reviews; others call them periodic access reviews or access certifications.
Regardless of the name, they are important because many regulatory standards contain mandatory requirements for user access reviews around physical security controls.
It is no surprise that each standard requires the review for a different purpose. For instance, Sarbanes-Oxley, HIPAA, FISMA and APRA all have a different take on assessing the adequacy of information and physical security controls.
Regardless of the standard, a user access review is the process of reviewing and validating user access rights to locations, systems and information. The process as it stands for many organizations centers around:
- Planning and selecting the teams or locations to be reviewed
- Determining the location owners and system admins
- Collecting user access reports and correlating that to identities
- Generating and tracking the access reviews
- Reviewing user access, and generating modifications and revocations
- Capturing audit information and signing off.
Amongst the biggest challenges is collecting physical access information and correlating that data to actual people. In most instances, reviewers are working with dense, technical access control system data from multiple sources and trying to tie it back to a single user identity.
Often the user identifiers in the physical access control system differ from the corporate standard stored in the HR application. A manual access review therefore requires a good amount of corporate knowledge and time.
In a large organization, with a complex physical environment, there could be many secure areas that require regular review. This clearly has a compounding effect on the resources and time required to support compliance, and a direct cost to the organization.
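The correlation step described above can be sketched in a few lines. This is an added example, not code from RightCrowd or any access control product: the CSV columns, identifiers and sample rows are constructed, and it assumes disabled cards are out of scope for the review.

```python
import csv, io
from collections import defaultdict

# Constructed sample exports; column names and values are assumptions.
PACS_CSV = """cardholder_id,name,email,area,card_status
CH-00417,"SMITH, John",,Data Centre,active
CH-00417,"SMITH, John",,Head Office,active
CH-00502,"Nguyen, Mai",MAI.NGUYEN@EXAMPLE.COM,Data Centre,active
CH-00611,"Lee, Sam",,Data Centre,active
CH-00733,"Contractor 12",,Loading Dock,active
CH-00810,"Brown, Ana",,Head Office,disabled
"""
HR_CSV = """employee_id,name,email,status,manager
E1001,John Smith,john.smith@example.com,active,E2001
E1002,Mai Nguyen,mai.nguyen@example.com,terminated,E2001
E1003,Sam Lee,sam.lee@example.com,active,E2002
E1004,Sam Lee,sam.lee2@example.com,active,E2003
E1005,Ana Brown,ana.brown@example.com,active,E2002
"""

def name_key(name):
    """Normalise 'SMITH, John' and 'John Smith' to the same key."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(name.lower().split())

def build_review(pacs_csv, hr_csv):
    by_email, by_name = {}, defaultdict(list)
    for person in csv.DictReader(io.StringIO(hr_csv)):
        by_email[person["email"].lower()] = person
        by_name[name_key(person["name"])].append(person)
    items = []
    for row in csv.DictReader(io.StringIO(pacs_csv)):
        if row["card_status"] != "active":
            continue  # assumption: disabled cards are out of scope
        email = row["email"].lower()
        # Prefer the email match; fall back to the normalised name.
        hits = [by_email[email]] if email in by_email else by_name.get(name_key(row["name"]), [])
        if len(hits) != 1:  # no match or ambiguous name: needs a human
            who, action = None, "ORPHAN" if not hits else "AMBIGUOUS"
        elif hits[0]["status"] != "active":
            who, action = hits[0]["employee_id"], "REVOKE"
        else:
            who, action = hits[0]["employee_id"], f"REVIEW by {hits[0]['manager']}"
        items.append((row["cardholder_id"], row["area"], who, action))
    return items

if __name__ == "__main__":
    for item in build_review(PACS_CSV, HR_CSV):
        print(item)
```

Entitlements that cannot be tied to exactly one HR record are routed to manual investigation rather than guessed, which is where most of the corporate knowledge in a manual review is spent.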
Wouldn’t it be nice if there was another way to tackle this? We should talk about RightCrowd Access Analytics.
RightCrowd Access Analytics proactively identifies user access entitlement and compliance violations, and access card management breaches.
The application delivers accurate, up-to-date reporting on physical access to facilities, buildings and areas. The product can interact with any physical access control system, and integrate it with HR or Active Directory to identify physical access by people, teams or business units.
RightCrowd Access Analytics adds powerful analytics to existing access control system data and accurately identifies who has access to every location and if it complies with policy. To find out more go to RightCrowd Access Analytics or contact us.