September 21, 2023

How to perform effective user access reviews

Written by
Bart Tissue
Sr. Systems Engineer
Jess Chang
Senior Technical Program Manager, Security & Enterprise Engineering

In this series, you’ll hear directly from Vanta’s own Security, Enterprise Engineering, and Privacy, Risk, & Compliance Teams to learn about the teams’ approaches to keeping the Vanta organization secure. We’ll also share some guidance for teams of all sizes — whether you’re just getting started or looking to uplevel your operations. 

In this post, you’ll hear from Bart Tissue, Senior Systems Engineer on our Enterprise Engineering team, and Jess Chang, Staff Technical Program Manager on our Security team.

Why access reviews matter 

In a nutshell, performing regular user access reviews helps ensure that current employees have access to the right tools (and no more privileges than they need), that offboarded users no longer have access, and that anyone who has transferred roles internally no longer has access to tools they don’t need. 

User access risk scenarios

When conducting user access reviews, here are a few common scenarios you might encounter:

  • User leaves the company, but still retains access to apps and tools.
  • User leaves the company and no longer has access, but retains a user license.
  • User changes roles or teams internally and retains access to apps and tools that aren’t needed for their new role or team.
  • User has elevated access (e.g. admin) that is not required for their existing role.

These are the specific risk scenarios our Enterprise Engineering team looks for when performing access reviews. We also build them into our process so that system owners, who own applications or infrastructure and are asked to review access on a periodic basis, understand how to identify and address access privileges in each of these cases.
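The four scenarios above can be checked mechanically by joining an HRIS export against an application's account export. The Python below is an added example, not Vanta's code or tooling; the record shapes, the per-application policy (which departments need the app and which may hold admin) and all sample data are constructed for illustration.

```python
from collections import namedtuple

# Constructed record shapes: one HRIS row and one row of an application's user export.
Employee = namedtuple("Employee", "email department status prev_department", defaults=(None,))
Account = namedtuple("Account", "email role enabled licensed")

# Constructed policy for this application: which departments need it, which may hold admin.
APP_POLICY = {"needs_app": {"Engineering", "Security"}, "may_be_admin": {"Security"}}

def review_accounts(employees, accounts, policy=APP_POLICY):
    """Join an HRIS export with an app's account list; return {email: [finding, ...]}."""
    people = {e.email.lower(): e for e in employees}
    findings = {}
    for acct in accounts:
        emp = people.get(acct.email.lower())
        issues = []
        if emp is None or emp.status == "terminated":
            if acct.enabled:            # scenario 1: offboarded (or unknown) user can still log in
                issues.append("offboarded user still has access")
            elif acct.licensed:         # scenario 2: access removed but paid license not reclaimed
                issues.append("offboarded user still holds a license")
        else:
            if emp.prev_department and emp.department not in policy["needs_app"]:
                issues.append(f"transferred to {emp.department}; app not needed")   # scenario 3
            if acct.role == "admin" and emp.department not in policy["may_be_admin"]:
                issues.append("admin privilege not required for role")              # scenario 4
        if issues:
            findings[acct.email] = issues
    return findings

# Constructed sample data: an HRIS snapshot and one application's user export.
HRIS = [
    Employee("ana@example.com", "Security", "active"),
    Employee("bo@example.com", "Engineering", "terminated"),
    Employee("cy@example.com", "Engineering", "terminated"),
    Employee("di@example.com", "Sales", "active", prev_department="Engineering"),
    Employee("ed@example.com", "Engineering", "active"),
]
EXPORT = [
    Account("ana@example.com", "admin", True, True),     # clean: admin within Security
    Account("bo@example.com", "member", True, True),     # scenario 1
    Account("cy@example.com", "member", False, True),    # scenario 2
    Account("di@example.com", "member", True, True),     # scenario 3
    Account("ed@example.com", "admin", True, True),      # scenario 4
    Account("ghost@example.com", "member", True, False), # scenario 1: not in HRIS at all
]

if __name__ == "__main__":
    for email, issues in review_accounts(HRIS, EXPORT).items():
        print(email, "->", "; ".join(issues))
```

The offboarded-user findings double as the list of offboarded users that system owners are given to confirm during the review period.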


Cadence of user access reviews

While the cadence of user access reviews may depend on a company’s risk profile, they’re typically conducted on a monthly or quarterly basis. 

It’s important to maintain a calendar to mark and initiate your reviews — or ensure this cadence is reflected in any automated reminders and tooling you’re working within. At Vanta, we rely on an automated reminder within Vanta’s Access Reviews product as well as on our Enterprise Engineering team’s calendar to kick off our reviews.

How Vanta performs user access reviews

At Vanta, our user access reviews are performed on a quarterly basis by our Enterprise Engineering team in partnership with our Security and Privacy, Risk, and Compliance teams. We maintain a playbook as our source of truth, with step-by-step instructions and a list of systems and applications in scope. 

We start by reviewing the list of systems and applications in scope collectively and making any changes needed. For instance, we’ll add any new, high-risk applications that are in scope from a security or compliance perspective. We’ll also remove any tools that have been moved behind SSO since our last user access review and review our list of system owners to make sure it’s up to date. Since this list is maintained and used for future user access reviews, we make these changes directly in our playbook.

Next, we’ll send out a reminder to system owners. This reminder provides them with an overview of their responsibilities for reviewing user access on a periodic basis, as well as steps and guidance for reviewing user access based on risk. We’ll also provide them with a list of offboarded users during the relevant time period to ensure these individuals no longer have access.

For systems owned by our Enterprise Engineering team, we perform the user access reviews ourselves. Beyond what we look for as reviewers, we also look for ways to eliminate manual processes, such as opportunities to move any outstanding tools behind SSO. If any systemic issues are uncovered, we work with our partner teams to address them and reduce the likelihood of recurrence. 

Finally, we work with our system owners to ensure they’re able to complete the reviews within the timeline allocated. We help answer any questions they may have along the way and most importantly — thank them for thoroughly reviewing the systems and infrastructure in scope to help keep Vanta secure.

How Vanta helps

In addition to the processes covered above, we use Access Reviews in Vanta to help manage our quarterly user access reviews. Using Access Reviews in Vanta has helped streamline our reviews by eliminating manual effort while integrating directly with relevant applications in scope.

Some of the Vanta Access Reviews features we find particularly useful include:

  • A centralized hub for access reviews alongside security monitoring.
  • Notifications to system owners that include instructions for their review.
  • Automated, customizable reminders for system owners.
  • The ability to pull user lists directly from integrated apps, or to upload them where needed.
  • Tracking of the next access review with an automated cadence and reminders.
  • Automatic flagging of offboarded user accounts that still have access. 


Tips for performing user access reviews

While every company may differ, here are some steps we’ve found to be helpful in performing periodic and effective user access reviews:

  • Maintain a playbook with step-by-step instructions for conducting the user access review and a definitive list of systems and infrastructure in scope. This ensures consistency and can be updated on an as-needed basis.
  • Maintain a calendar or use a tool like Vanta to initiate regular user access reviews based on the cadence you’ve identified for your company or institution.
  • Automate what you can by moving tools behind SSO. This streamlines the user login experience and removes the need to manually revoke access to those tools during offboarding. 
  • Always buffer in additional time before your reviews to prepare any tooling and internal resources needed. This ensures you’re ready to launch your user access reviews on time.
  • Partnerships are key: partner closely with your system owners and their teams, and ensure that their responsibilities as system owners are clear and captured. In addition, work with your Security and Compliance teams to ensure that the list of systems in scope is accurate and up to date.

Access Review Stage: Content / Functionality

Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews

Set up access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigating human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines

Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”; system account and HRIS data are pulled into Vanta
  • Upcoming integrations include Zoom and Intercom (account access) and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in scope for the review

Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Automatic notifications and reminders to the systems reviewer about deadlines
  • Automatic flagging of “risky” employee accounts whose owners have been terminated or switched departments
  • Intuitive interface showing all accounts with access, accept/deny buttons per account, and a notes section
  • Track progress of individual system access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title

Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admins to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility into the status of tickets and remediation

Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems

Report and re-evaluate results
  • Auditors can log into Vanta to see the history of all completed access reviews
  • Internal users can see the status of reviews in progress and historical review detail