AM-09 Access Management
Periodic User Access Review
Access remains appropriate via periodic owner attestation.
- Domain: Access Management
- Control type: Detective
- Automated / manual: Manual
- Frequency: Quarterly
- Framework reference: COBIT DSS05.04; MAS TRM – Access
What good looks like
Owners review user-access listings on a defined cadence and remediate flagged access.
Risk if it fails
Stale/inappropriate access undetected.
How Tess tests it
4 tests — each concludes only on cited evidence.
UAR policy defines scope, cadence, reviewers (Design)
- Procedure: Inspect the UAR policy.
- Expected: In-scope systems, cadence and owners defined.
- Sample: 1 (design inspection)
- Evidence: UAR campaign records, sign-offs, remediation tickets.

Review performed and signed off on time (Operating)
- Procedure: Inspect the completed campaign.
- Expected: Completed within cadence with reviewer sign-off.
- Sample: 2
- Evidence: UAR campaign records, sign-offs, remediation tickets.

Reviewers used a complete user listing (Operating)
- Procedure: Inspect the population reviewed vs source.
- Expected: Listing complete and reconciled to source.
- Sample: 2
- Evidence: UAR campaign records, sign-offs, remediation tickets.

Flagged access remediated (Operating)
- Procedure: Trace flagged items to removal/change.
- Expected: All flagged access actioned and closed.
- Sample: 2
- Evidence: UAR campaign records, sign-offs, remediation tickets.
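The three operating tests above (sign-off within cadence, population reconciled to source, flagged items traced to closed remediation) can be mechanised against exported evidence. The following is an added illustration, not Tess's own code; the user names, ticket ids and dates are constructed sample values.

```python
"""Evaluate a UAR campaign against the three operating tests: sign-off within
cadence, reviewed population reconciled to source, flagged access remediated."""
from datetime import date

# Constructed sample evidence (hypothetical values, not from any real campaign).
SOURCE_LISTING = {"alice", "bob", "carol", "dave"}    # authoritative user export
REVIEWED_LISTING = {"alice", "bob", "carol", "erin"}  # population the reviewers attested
FLAGGED = {"bob": "TCK-101", "carol": "TCK-102"}      # flagged user -> remediation ticket
TICKETS = {"TCK-101": "closed", "TCK-102": "open"}    # ticket status from the tracker
CAMPAIGN = {"opened": date(2024, 1, 2), "signed_off": date(2024, 3, 20)}
CADENCE_DAYS = 90                                     # quarterly cadence from the policy


def signoff_on_time(campaign, cadence_days=CADENCE_DAYS):
    """Completed within cadence with reviewer sign-off (no sign-off date = fail)."""
    signed = campaign.get("signed_off")
    return signed is not None and (signed - campaign["opened"]).days <= cadence_days


def reconcile_population(source, reviewed):
    """Listing complete and reconciled to source: report gaps in both directions."""
    return {"missing": sorted(source - reviewed), "extra": sorted(reviewed - source)}


def unremediated(flagged, tickets):
    """Trace each flagged item to a closed ticket; a missing ticket also counts as open."""
    return sorted(user for user, ticket in flagged.items() if tickets.get(ticket) != "closed")


def evaluate(campaign, source, reviewed, flagged, tickets):
    """Return one pass/fail per operating test together with the supporting detail."""
    recon = reconcile_population(source, reviewed)
    open_items = unremediated(flagged, tickets)
    return {
        "signed_off_on_time": signoff_on_time(campaign),
        "population_reconciled": (not recon["missing"] and not recon["extra"], recon),
        "flagged_remediated": (not open_items, open_items),
    }


if __name__ == "__main__":
    results = evaluate(CAMPAIGN, SOURCE_LISTING, REVIEWED_LISTING, FLAGGED, TICKETS)
    for test_name, outcome in results.items():
        print(test_name, outcome)
```

With the sample data the reconciliation test fails (dave was never reviewed, erin is not in the source) and the remediation test fails (carol's ticket is still open), which is exactly the detail an owner would need to close the finding.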
Evidence Tess looks for
UAR campaign records, sign-offs, remediation tickets.