Indent for Compliance: User Access Reviews

a year ago
Written by Fouad Matin (@fouadmatin) and Elsie Phillips

There is no off season for compliance work.

Even with an annual reporting period, SOC 2 and other major regulatory frameworks require periodic access reviews for sensitive systems. For many growing teams, this can eat up a handful of precious days of each quarter.

At Indent, we create workflows that simplify access controls without adding friction for end users. With on-demand access, you’ll spend less time reviewing access requests. Because that access is time-bound, it also reduces the surface area of your periodic user access reviews.

To help you perform periodic access reviews while simultaneously gathering audit evidence, today we’re launching user access reviews and exportable access reports.

Within the Indent dashboard you’ll now have a complete workflow to document change management for your access controls.

Access Reviews and Audit Evidence with Indent

Let’s take a look at the workflow!

First, Indent continuously logs every access request. This documents:

  • Access request details such as: who requested, business reason, which system or permission, and for how long
  • Reviewer details such as: who, when, and if necessary, remedial actions taken

So, now that the quarter is over, you need to review all the production access that was granted within a specific timeframe (e.g. 90 days). If an end user is identified as having unauthorized access, that access needs to be revoked.

To perform an access review, you can use filters to review access on a per-system or per-user basis. You can offboard terminated employees and revoke all their access in just two clicks.

View the user's existing access and offboard in two clicks

Once you’ve completed the access review, navigate to the Access Control Report. There you can easily configure your audit period and download a CSV/XLS export of your evidence:

Generate audit evidence with the Indent Access Control Report

Finally, upload the export into your compliance platform to centralize your audit evidence. Some auditors will ask for screenshots of the export parameters or follow up with requests for sample selection, all of which you can do easily in the Indent dashboard.

Stay tuned for automated scheduled reviews coming in the next few months. Based on the compliance framework(s) that you’ve chosen, Indent will be able to automatically identify and surface access to be reviewed based on your compliance requirements.

Here’s a sneak peek:

Continuously manage access with quarterly reviews

By granting time-bound access that’s reviewed upon request, you’ll be able to strengthen your security practices and avoid audit exceptions. Win-win.

Stay compliant with Indent

Indent can help you satisfy your compliance initiatives and requirements for frameworks such as SOC 2, SOX, HIPAA, and FINRA. Here’s how Indent supports access controls:

Sample Controls (Access Control and Change Management), each followed by the Indent features that support it:

Control: Production cloud infrastructure is restricted to only team members.
Indent:
  • Time-bound, on-demand production access
  • Instant on-call access escalation

Control: Administrative access to production servers and databases is restricted to the Engineering team and Senior Management.
Indent:
  • Time-bound, on-demand production access
  • Access approval routing via defined policies

Control: Users are provisioned access to systems based on the principle of least privilege. The Engineering team approves any access to production systems.
Indent:
  • Time-bound, on-demand production access
  • Password vault access provisioning based on role type and responsibilities
  • Access approval routing via defined policies

Control: Upon termination of personnel or when internal users no longer require access, infrastructure and application access is removed within one business day.
Indent:
  • Time-bound, on-demand production access
  • Bulk persistent access revocations through access reviews page or password vaults

Control: System owners conduct quarterly user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
Indent:
  • Access reviews page
  • Access Control Report

Control: Code merge requests are independently peer reviewed prior to integrating the code change into the master branch.
Indent:
  • Time-bound, on-demand production access

Control: System users who make changes to the development system are unable to deploy their changes to production without independent approval.
Indent:
  • Time-bound, on-demand production access

For users, admins, and compliance DRIs, Indent has the workflows that make getting, approving, and reviewing access a compliant breeze. The evidence generated in the Indent Access Control Report is tailored to exactly what auditors want. With a single click you can export that evidence as a CSV, upload it, and move on to the next thing on your to-do list.

Get Started

To learn more about how Indent can help you solve access control and provide audit evidence, talk to our team for a 1:1 demo and walkthrough of your use cases: indent.com/demo
