
Access Reviews with Thoropass

access review, integrations

Written by Annie Gregory
Updated over 4 weeks ago

Thoropass's Integrated Access Review will save you time and effort when reviewing your organization's privileged user access.

Access reviews with Thoropass will:

  • Remind you to start your reviews according to your policy's timelines.

  • Suggest the most important in-scope and critical systems to review.

  • Help you assign and track progress.

  • Leverage your new and existing integrations with Thoropass.

  • Automate the gathering of evidence for audits (when applicable).

  • Leverage data from previous access reviews to speed up future reviews using Head Start.

  • Validate your access changes before finishing your review, preventing costly errors in your change management process.

Key Terms

Access Review Plan: The object that contains all of your individual system access reviews. The Access Review Plan has a global due date for all reviews contained within it, and your organization will have many Access Review Plans over time.

Plan Owner: The employee responsible for your Access Review Plan, including assigning owners to individual system access reviews.

System Owner: The employee responsible for the access review of a given system, such as GitHub or AWS. One employee can be responsible for many system access reviews.

Create your Access Review Plan

First, we'll email the owner of the Review of User Privileges control when it's time to set up their next Access Review Plan.

When creating their Access Review Plan, we'll guide the Plan Owner through selecting the vendors and systems to be reviewed.

Wherever possible, we'll suggest systems that you've already marked as current vendors, systems marked as in-scope, or even recommend systems being used by other organizations like yours.

Selecting access review type

There are three types of access reviews with Thoropass:

  • Integrated access review

    • Automatically imports your user list and enables the full suite of access review features like Head Start and change validation.

  • Import access review list

    • Manually import the user list and complete your review in app. Benefits from many, but not all, access review features.

  • Import completed access review

    • Perform the access review outside of Thoropass and upload the results. Automatically gathers the report as evidence for future audits, benefits from Thoropass reminders/notifications, but doesn't enable other features.

To learn more about access review types and how to choose the correct one, see How to Decide Access Review Types.

Perform your system access reviews

🏎️ If you start an access review for a system you have reviewed in the past, you'll benefit from Head Start. In addition to importing your previous settings, owners, and due dates, Head Start remembers your previous review and highlights the high-leverage decisions you'll need to make in your current review.

We've found that Head Start greatly increases the speed of consecutive access reviews, including completing, on average, 95% of your review with a single click.

To learn more about Head Start, see Conducting Consecutive Access Reviews with Head Start.

Each System Owner, the employee responsible for conducting an access review, will receive an email, an in-app alert, and a Thoropass task informing them that they have been assigned a review.

We'll guide the System Owner with clear instructions about their goal, process, and due dates. If the system being reviewed is integrated with Thoropass, we'll automatically import the user list and any other relevant information we can find.

During the review, the System Owner will propose changes for each user account, to either maintain access, revoke access, or change access.

When all proposed changes have been recorded, the System Owner will be able to download an Access Review Report for use in your organization's IT change management process.

Validate access review changes

Performing the access review, and suggesting the appropriate access changes, is only half of the process. The System Owner will be required to validate that access changes have actually occurred in the system before completing the access review.

💡 We've found that errors during the change management process are a frequent source of delays and exceptions during audit. The change validation process mitigates or eliminates these problems to keep your audits running smoothly.

To learn more about change validation, see Validation of Access Review Changes.
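
The validation step described above can be pictured as a comparison between the decisions recorded in the review and a fresh user list taken from the system after the changes were made. The sketch below is an added example, not Thoropass code or its export format; the CSV column names, the sample users, and the `validate_changes` helper are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not a Thoropass format.
DECISIONS = """user,decision,target_role
alice@example.com,maintain,admin
bob@example.com,revoke,
carol@example.com,change,read-only
dave@example.com,revoke,
"""
# Constructed user list exported from the reviewed system after the changes.
CURRENT_USERS = """user,role
alice@example.com,admin
bob@example.com,admin
carol@example.com,read-only
erin@example.com,admin
"""

def load(text):
    """Index CSV rows by lower-cased user so casing differences do not hide a match."""
    return {r["user"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def validate_changes(decisions_csv, users_csv):
    """Return sorted (user, problem) pairs for decisions the system does not reflect."""
    decisions, actual = load(decisions_csv), load(users_csv)
    problems = []
    for user, row in decisions.items():
        decision = row["decision"].strip().lower()
        account = actual.get(user)
        if decision == "revoke":
            if account is not None:
                problems.append((user, f"revoke not applied, role is {account['role']}"))
        elif decision in ("maintain", "change"):
            if account is None:
                problems.append((user, "account missing from system"))
            elif account["role"] != row["target_role"]:
                problems.append((user, f"expected {row['target_role']}, found {account['role']}"))
        else:
            problems.append((user, f"unknown decision {decision!r}"))
    # Accounts created after the review list was imported were never reviewed.
    for user in actual.keys() - decisions.keys():
        problems.append((user, "account not covered by review"))
    return sorted(problems)

if __name__ == "__main__":
    for user, problem in validate_changes(DECISIONS, CURRENT_USERS):
        print(f"{user}: {problem}")
```

With the sample data, the revoked account that still holds admin and the account that appeared after the review list was taken are both reported; an empty result means every recorded decision matches the system.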

Track the progress of all reviews

The Plan Owner (or any Thoropass admin) can review all progress from their dashboard, or filter the pending tasks to see which reviews are still in progress.

If any access review needs to be re-evaluated, the Plan Owner can reopen the review and request changes, notifying the System Owner by email, in-app alert, and task.

Finalize the Access Review Plan

When all system access reviews have been completed, the Plan Owner can finalize the Access Review Plan and attach the plan as evidence for ongoing or future audits.
