Data in the PCS (and other systems) should be accessible only to authorised users. In practice, users who leave the organisation they work for are sometimes not deleted. As a result, they are still able to perform actions on behalf of that organisation and to view, modify or delete sensitive data.
Quarterly reviews are a tool to review this periodically. Because some of the data in question belongs to other community members, we as a community have decided to make this review mandatory for all organisations. This is one of the improvement actions in the Securely Sharing Data Together programme.
The quarterly reviews are performed by the main administrator, either alone or with the user administrators.
Quarterly reviews are not necessary if no other employees are registered besides the main administrator. Organisations with one registered employee are therefore exempt from quarterly reviews.
The review should be performed within two weeks. Both the main administrator and the user administrator(s) will receive an email reminder at the beginning of each new quarter.
You can review your employees in two ways:
The procedure via the screen is as follows:
In the Quarterly reviews screen, you will see the list of employees who are yet to be validated. Clicking the arrow beside the employee opens the details of that employee and allows you to suspend or delete them.
Select the employees you want to validate. Click on the checkbox before the name. Next, click the Validate Employees button. You will get an on-screen confirmation when the validation has been successful. The reviewed employees will also no longer appear on the list.
Once all employees have been validated, Quarter Completed appears on the screen.
Previous quarterly reviews can be found under Previous reviews. These can be found at the bottom of the Quarterly reviews page.
Please note: only the main administrator can review user administrators. User administrators cannot review themselves or each other.
This second method is particularly suitable for reviewing larger numbers of employees.
Step 1: Download the list of employees
Under the Employees tab, you can download the list of employees using the Download User Overview button. You can open this download for example in Excel or in your own verification tool.
Tip: compare the list (manually or automatically) with an up-to-date internal list of employees. When doing so, use the e-mail address as the search key. In Excel, use the VLOOKUP function for this purpose.
Step 2: Changes to employees
Review if all the employees in the list still require access. Delete the employees who no longer need access in IAMconnected. Go to the Employees tab. Find the corresponding employee and click the arrow beside the employee to open the detail screen. Here you can delete the employee.
Step 3: Validate all remaining employees at once
If you are sure that all the employees listed still work for the organisation, you can validate the entire list of employees at once. Go to the Quarterly reviews tab. Click on the top checkbox beside the names column to select the entire list. Click Validate Employees to validate all the employees. You will now see a popup asking to confirm that you want to validate the entire list. Click on Validate All Employees to confirm. Once all employees have been reviewed, Quarter Completed appears on the screen.
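An added example of the automated comparison suggested in Step 1, not part of this page or of IAMconnected: it joins a downloaded user overview with an internal HR list on the e-mail address as the key, reports the employees to delete in Step 2, and also flags accounts inactive for more than 6 months, skipping administrators because they are never suspended. Both files are constructed inline and the column names (email, name, role, last_login) are an assumption; adapt them to the real download.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of the "Download User Overview" export (assumed columns).
USER_OVERVIEW = """email,name,role,last_login
Alice@example.org,Alice,user,2023-11-01
bob@example.org,Bob,user,2023-09-15
carol@example.org,Carol,user administrator,2023-10-01
dave@example.org,Dave,user,2024-05-10
"""

# Constructed internal HR list of current staff (the source of truth).
HR_LIST = """email,name
alice@example.org,Alice
carol@example.org,Carol
dave@example.org,Dave
"""

INACTIVITY_LIMIT = timedelta(days=183)  # approximately the 6 months on the page
ADMIN_ROLES = {"main administrator", "user administrator"}


def normalise(email):
    """E-mail is the search key, so compare it case-insensitively and trimmed."""
    return email.strip().lower()


def review(overview_csv, hr_csv, today_iso):
    """Return (to_delete, inactive): e-mails missing from the HR list, and
    non-administrator e-mails whose last login is older than the limit."""
    today = date.fromisoformat(today_iso)
    current_staff = {normalise(r["email"]) for r in csv.DictReader(io.StringIO(hr_csv))}
    to_delete, inactive = [], []
    for row in csv.DictReader(io.StringIO(overview_csv)):
        email = normalise(row["email"])
        if email not in current_staff:
            to_delete.append(email)          # candidate for deletion in Step 2
        if row["role"].strip().lower() in ADMIN_ROLES:
            continue                         # administrators are never suspended
        if today - date.fromisoformat(row["last_login"]) > INACTIVITY_LIMIT:
            inactive.append(email)           # would be suspended if the review lapses
    return sorted(to_delete), sorted(inactive)


if __name__ == "__main__":
    to_delete, inactive = review(USER_OVERVIEW, HR_LIST, "2024-06-01")
    print("Not on HR list, delete:", to_delete)
    print("Inactive > 6 months:", inactive)
```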
Please note: user administrators cannot validate themselves or other user administrators. Only the main administrator can validate user administrators.
Only the main administrator can validate user administrators. That means user administrators cannot validate themselves or each other.
The main administrator cannot validate him/herself. This is the responsibility of the authorized representative and this functionality will be supported at a later date. This means that the main administrator does not need to be validated yet.
You have two weeks to perform the review. After two weeks, you will receive a reminder.
If no action is taken, employees who have not logged in for more than 6 months will be suspended. This measure is designed to increase security, by blocking inactive accounts that could potentially be misused. This measure will be triggered if the quarterly review is not completed within 4 weeks.
Main administrators and user administrators will never be suspended in this way.
This action is in accordance with article 7.3 and 7.5 of our terms & conditions.
In this overview you can see the following information for previous quarters: (1) whether a quarterly review was performed; (2) who performed the quarterly review; (3) when the quarterly review was performed.
This overview is useful if there are multiple user administrators. The information can also be shown to an (internal/external) auditor or the CISO upon request.
Quarterly reviews are intended as an additional tool for assuring appropriate access. Deleting employees should be part of your “offboarding process”.
Two examples of how this can be implemented:
Tip: You can schedule the deletion of employees in IAMconnected in advance by specifying an end date. When this end date is reached, the employee will be deleted automatically.
As such, quarterly reviews are then an additional security measure. If you nevertheless do find an employee who no longer works for your organisation, ask yourself why they were not deleted as part of your own regular offboarding process.