
Policies, Standards, and Guidelines

Procedures for Annual User Access Reviews

The Board of Regents established the Information System User Account Management standard in 2013. This standard states that all System Owners must review the accounts of Users who can access sensitive and/or critical information systems and ensure that their ability to access and level of access are appropriate. The standard also states that this review must be conducted every four months. However, due to UGA-established compensating controls, UGA is only required to conduct these access reviews annually for sensitive and/or critical systems.

The procedures listed below are an outline of the minimum effort needed to comply with this guideline.

  1. Produce a record of all system users, including specific levels of access (if applicable)
  2. Review the users to determine if they are still active and if their level of access is appropriate
  3. Remove users who are no longer active and change levels of access if needed
  4. If the system is used by individuals across the University, such as UGAMart, the System Owner may need to work with University Units to determine if users still need access and if their level of access is appropriate
  5. Remove users who are no longer active and change levels of access if needed
  6. Provide a report to the Office of the Vice President for Information Technology
  7. Retain all data and communications produced during the review for Audit documentation purposes
