Quarterly reviews are conducted by main administrators and user administrators in IAMconnected and are intended as an additional tool to ensure that access rights are correct.
Why Quarterly Reviews?
Data in PCS (and other systems) should only be accessible to users who are authorised. In practice, it happens that users who have left the company are not deleted. As a result, they can still perform actions on behalf of the company and view, modify, or delete sensitive data. Quarterly reviews are a tool to periodically check this. Because it also involves data from other community members, we as a community have decided to make this review mandatory for all organisations.
Who and When?
The Quarterly Reviews are conducted by the main administrator, possibly in collaboration with the user administrators. A quarterly review is not necessary if there are no other employees registered besides the main administrator.
The review must be conducted within the first two weeks of each quarter. Both the main administrator and the user administrator(s) receive an email at the beginning of the new quarter.
In the article Conducting Quarterly Reviews in IAMconnected as Main Administrator, you will find the steps you need to follow to conduct the quarterly reviews, for both individual users and a large group of users.
Policy Regarding Unverified Employees
Administrators have two weeks from the start of the quarter to conduct the review. After two weeks, you will receive a reminder. If the quarterly review is still not completed within four weeks of the start of the quarter, employees who have not logged in for more than 6 months will be suspended. This measure is intended to enhance security by blocking inactive accounts that could potentially be misused. See also articles 7.3 and 7.5 of the general terms and conditions of Portbase.
Main administrators and user administrators will never be automatically suspended.
Overview of Previous Reviews
Here you can see, for each past quarter:
- whether a quarterly review has been conducted
- who conducted a quarterly review
- when a quarterly review was conducted.
This overview is useful if there are multiple user administrators. The information can also be shown upon request to an (internal/external) auditor or the CISO.
Points of Attention
- Only the main administrator can verify user administrators. User administrators cannot verify themselves or each other.
- The main administrator does not need to verify themselves.
Tips
- You can schedule an employee's deletion by entering an end date. On this end date, the employee will be automatically deleted.
- Quarterly reviews are an extra lock on the door. If you still find an employee who has already left, also ask yourself why they have not been deleted by your own regular process.
- As a responsible manager, use a checklist of the authorisations that (may) need to be revoked when someone leaves.
- Have HR send an email to the main administrators or user administrators upon departure so that the user is deleted in a timely manner.