Example Access Review Procedure
Written by Markindey Sineus
Updated over a week ago

Based on our experience, we recommend the following process for conducting access reviews covering your in-scope systems for your audit:

1. The [RESPONSIBLE DEPARTMENT/TEAM] initiates the review of user access by creating a ticket in the [COMPANY NAME] Ticketing System.

2. The [RESPONSIBLE DEPARTMENT/TEAM] is assigned to review [COMPANY NAME] users with access to in-scope systems and services. The access review is conducted based on two key criteria:

  1. Is the user’s access to the system or service appropriate based on their role?

  2. Are the user’s permissions within the system or service appropriate based on their role?

3. If the review finds user access that is not in line with the least privilege principle, the [RESPONSIBLE DEPARTMENT/TEAM] will open a ticket to modify user access and notify the user of access changes.

  1. For repeat or significant access issues, a review should be conducted to determine the root cause to prevent issues in the future.

4. As each system or service is reviewed, the [RESPONSIBLE DEPARTMENT/TEAM] will attach the reviewed user listing or screenshot to the ticket.

5. Once the in-scope systems and services have been reviewed, the ticket is closed or marked as done.
