Access Review

Access reviews must systematically verify whether user permissions for IT and OT systems remain appropriate. Schedule reviews based on risk (quarterly for privileged access, annually for standard users), document findings, and revoke unnecessary permissions within defined SLAs.

Key takeaways:

  • Define review frequencies based on access type and criticality
  • Document all review decisions with business justification
  • Track metrics: completion rates, revocation rates, and time-to-remediation
  • Automate review workflows but maintain human oversight for decisions

The C2M2 ACCESS-2.E requirement mandates periodic reviews of all user access to IT and operational technology systems. This requirement addresses a fundamental security risk: access creep, where employees accumulate permissions over time that exceed their current job requirements.

Most access-related incidents stem from excessive permissions that were never revoked. Former employees retaining access, contractors with expired engagements, and employees who changed roles but kept old permissions create exploitable attack vectors. The requirement applies to Energy Sector Organizations and Critical Infrastructure Operators implementing C2M2 maturity level 2 (MIL2).

Your access review program must cover both information technology (servers, applications, databases) and operational technology (SCADA, industrial control systems). The framework intentionally leaves frequency "organization-defined" to accommodate different risk profiles and operational contexts.

Regulatory text

The C2M2 v2.1 ACCESS-2.E requirement states: "Access to IT and OT assets is reviewed at an organization-defined frequency to ensure access requirements are still met." [1]

This requirement establishes a continuous verification process for access rights. Organizations must prove that every active account and permission set remains justified by current business needs. The emphasis on "organization-defined frequency" means you must document and defend your chosen review cycles based on risk assessment, not arbitrary timelines.

Who Must Comply

This requirement applies to:

  • Energy sector entities adopting C2M2 framework
  • Critical infrastructure operators in energy subsectors
  • Organizations seeking C2M2 MIL2 certification
  • Third-party service providers accessing energy sector IT/OT systems

Within your organization, responsibility typically spans:

  • IT Security: Technical implementation and monitoring
  • HR: Employee status verification
  • Business Unit Managers: Access necessity validation
  • Compliance: Program oversight and reporting

Step-by-Step Implementation

Phase 1: Inventory and Classification (Days 1-30)

  1. Create System Inventory

    • List all IT applications, databases, and network resources
    • Document OT systems including SCADA, PLCs, and control interfaces
    • Note criticality levels (high/medium/low impact)
  2. Map Current Access

    • Export user lists from each system
    • Identify privileged versus standard access
    • Flag service accounts and technical IDs
  3. Define Review Frequencies

    • Privileged access: Quarterly minimum
    • Standard user access: Semi-annually or annually
    • Service accounts: Match change control cycles
    • Terminated user verification: Within a defined number of hours of termination

Phase 2: Process Design (Days 31-60)

  1. Establish Review Workflow

    • Reviewer assignment matrix by system/department
    • Decision criteria documentation
    • Escalation paths for disputed access
  2. Create Review Forms

    • User name and unique identifier
    • Current access levels
    • Business justification fields
    • Reviewer attestation requirements
    • Action items (maintain/modify/revoke)
  3. Set SLA Targets

    • Review completion: A defined number of days from initiation
    • Revocation execution: 5 business days from decision
    • High-risk findings: 24-hour remediation

Phase 3: Execution and Monitoring (Days 61-90+)

  1. Launch Pilot Reviews

    • Start with highest-risk systems
    • Test workflow with cooperative departments
    • Refine based on feedback
  2. Full Program Rollout

    • Communicate expectations to all reviewers
    • Provide training on review criteria
    • Monitor completion rates
  3. Continuous Improvement

    • Track key metrics monthly
    • Address systematic issues
    • Update frequencies based on findings

Required Evidence and Artifacts

Maintain these documents for audit readiness:

  1. Access Review Policy

    • Scope and applicability
    • Frequency requirements by system type
    • Roles and responsibilities
    • Exception handling procedures
  2. Review Schedule

    • Annual calendar of planned reviews
    • System-to-reviewer assignments
    • Completion tracking spreadsheet
  3. Individual Review Records

    • Reviewer name and date
    • Users reviewed with access levels
    • Decisions made with justifications
    • Action items and completion dates
  4. Metrics Reports

    • Review completion rates by department
    • Access revocation statistics
    • Average remediation timeframes
    • Trending analysis quarter-over-quarter
  5. Exception Documentation

    • Delayed review justifications
    • Retained access despite job changes
    • Compensating control evidence

Common Audit Questions and Responses

Auditors consistently focus on these areas:

"Show me evidence of your last three access reviews." Have review records organized by date with clear completion evidence. Include the reviewer's attestation and any resulting access changes.

"How do you ensure all systems are included?" Reference your system inventory reconciliation process. Show how new systems get added to the review schedule.

"What happens when someone doesn't complete their review?" Document your escalation process. Show examples of follow-up communications and management notifications.

"How quickly do you remove access after a review flags it?" Provide metrics on revocation timeframes. Have ticket records showing prompt action on review decisions.

Implementation Pitfalls to Avoid

Rubber-Stamp Reviews

Managers approving all access without genuine evaluation undermines the entire program. Combat this by:

  • Requiring written justifications for maintained access
  • Tracking approval rates by reviewer
  • Escalating reviewers whose approval rates exceed a defined threshold for investigation

Incomplete System Coverage

Missing systems, especially legacy OT platforms, create blind spots. Prevent this by:

  • Annual system inventory reconciliation
  • Including system onboarding in change control
  • Validating against network scans and asset databases

Delayed Remediation

Identifying inappropriate access means nothing without prompt revocation. Ensure action by:

  • Automated ticket creation for revocations
  • Daily monitoring of open items
  • Escalation for delays exceeding SLA

Poor Reviewer Training

Untrained reviewers make inconsistent decisions. Address through:

  • Mandatory training before first review
  • Decision criteria job aids
  • Sampling reviews for quality assessment
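As an added illustration, not code from the C2M2 model or any vendor tool, the following Python turns the Metrics Reports, Delayed Remediation and Rubber-Stamp Reviews guidance above into checks: it computes remediation deadlines from the page's 24-hour (high-risk) and 5-business-day targets, lists SLA breaches, and flags reviewers whose "maintain" share is at or above a threshold. The review records, reviewer names and the 95% threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class ReviewItem:
    reviewer: str
    account: str
    risk: str                       # "high" or "standard"
    decision: str                   # "maintain", "modify", "revoke", or "" while pending
    decided_at: Optional[datetime] = None
    remediated_at: Optional[datetime] = None

def add_business_days(start: datetime, days: int) -> datetime:
    # weekends only; holiday calendars are out of scope for this example
    while days:
        start += timedelta(days=1)
        days -= start.weekday() < 5
    return start

def remediation_deadline(item: ReviewItem) -> datetime:
    # SLAs from the page: 24 hours for high-risk findings, 5 business days otherwise
    if item.risk == "high":
        return item.decided_at + timedelta(hours=24)
    return add_business_days(item.decided_at, 5)

def sla_breaches(items, now: datetime) -> list:
    # revoke/modify actions that finished late, or are still open past their deadline
    return [i.account for i in items if i.decision in ("revoke", "modify")
            and (i.remediated_at or now) > remediation_deadline(i)]

def rubber_stamp_suspects(items, threshold: float = 0.95) -> list:
    # reviewers whose share of "maintain" decisions is at or above the threshold
    counts = {}
    for i in (x for x in items if x.decision):
        total, kept = counts.get(i.reviewer, (0, 0))
        counts[i.reviewer] = (total + 1, kept + (i.decision == "maintain"))
    return sorted(r for r, (n, k) in counts.items() if k / n >= threshold)

SAMPLE = [  # constructed sample: one quarterly cycle; 4 March 2024 was a Monday
    ReviewItem("mgr_ops", "svc_scada_hist", "high", "revoke", datetime(2024, 3, 4, 9), datetime(2024, 3, 4, 15)),
    ReviewItem("mgr_ops", "jsmith", "standard", "revoke", datetime(2024, 3, 4, 9), datetime(2024, 3, 12, 10)),
    ReviewItem("mgr_ops", "bjones", "standard", "maintain", datetime(2024, 3, 4, 9)),
    ReviewItem("mgr_it", "plc_eng1", "high", "revoke", datetime(2024, 3, 5, 8)),
    ReviewItem("mgr_fin", "fin_ap1", "standard", "maintain", datetime(2024, 3, 5, 9)),
    ReviewItem("mgr_fin", "fin_ap2", "standard", "maintain", datetime(2024, 3, 5, 9)),
    ReviewItem("mgr_eng", "froe", "standard", ""),
]
AS_OF = datetime(2024, 3, 13, 12)  # evaluation time for the still-open item
```

Running `sla_breaches(SAMPLE, AS_OF)` reports the late standard revocation and the high-risk item still open past its 24-hour window, while `rubber_stamp_suspects(SAMPLE)` singles out the reviewer who approved everything.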

Enforcement Context

While C2M2 is a voluntary framework without direct regulatory penalties, access control failures frequently appear in:

  • NERC CIP violation notices for energy sector entities
  • Post-incident reviews following security breaches
  • Third-party risk assessments for supply chain participants

Organizations with mature access review programs demonstrate lower incident rates and faster recovery from security events.

30/60/90-Day Execution Plan

Immediate Actions (Days 1-30)

  • Appoint program owner and core team
  • Inventory IT systems and classify by risk
  • Document current access management gaps
  • Draft initial review frequency matrix

Near-Term Goals (Days 31-60)

  • Design review workflow and forms
  • Select pilot systems for initial reviews
  • Train first wave of reviewers
  • Establish metrics and reporting structure

Ongoing Operations (Days 61-90)

  • Complete pilot reviews and incorporate lessons learned
  • Roll out to all in-scope systems
  • Implement monthly metrics reviews
  • Plan first quarterly program assessment

Frequently Asked Questions

How often should we review access if the requirement says "organization-defined frequency"?

Base frequency on risk levels: quarterly for administrative/privileged access, semi-annually for critical systems, and annually for standard user access to non-critical systems. Document your rationale in the access review policy.

Do we need to review service accounts and technical IDs?

Yes. Service accounts often have elevated privileges and rarely change, making them attractive targets. Review them at least annually and after any system changes.

What constitutes sufficient documentation for a completed review?

Include the reviewer's name, review date, list of accounts reviewed, access levels verified, business justification for continued access, and any changes made. Electronic attestation satisfies most audit requirements.

Should terminated employees be part of regular reviews or handled separately?

Handle terminations through immediate verification processes, not periodic reviews. However, include a terminated-user check in regular reviews to catch any missed deprovisioning.

How do we handle contractors and third-party access?

Review contractor access more frequently (quarterly) due to higher turnover. Require the vendor relationship owner to attest to continued need. Set expiration dates aligned with contract terms.
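An added example, not part of the page or the C2M2 model, of the reconciliation behind Map Current Access (Phase 1), the terminated-user check, and contractor expiration dates: it joins system account exports against an HR roster, a contractor register and a list of registered service accounts, and emits one finding per account that should not pass review unchallenged. The systems, usernames and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    system: str
    username: str
    privileged: bool
    service: bool = False          # service account / technical ID rather than a person

@dataclass
class Person:
    username: str
    status: str                    # "active" or "terminated" (from HR)
    contract_end: Optional[date] = None   # set for contractors, from the vendor register

def reconcile(accounts, people, known_service_ids, as_of: date):
    # One (system, username, finding) per account that needs a decision, export order preserved
    roster = {p.username: p for p in people}
    findings = []
    for a in accounts:
        if a.service:
            if a.username not in known_service_ids:
                findings.append((a.system, a.username, "unregistered service account"))
            continue
        p = roster.get(a.username)
        if p is None:
            findings.append((a.system, a.username, "orphaned: no HR record"))
        elif p.status == "terminated":
            findings.append((a.system, a.username, "terminated user still provisioned"))
        elif p.contract_end and p.contract_end < as_of:
            findings.append((a.system, a.username, "contractor past contract end"))
    return findings

# Constructed sample exports (not real systems or people)
ACCOUNTS = [
    Account("scada_hmi", "jsmith", True),
    Account("scada_hmi", "svc_historian", True, service=True),
    Account("erp", "svc_backup", False, service=True),
    Account("erp", "bjones", False),
    Account("ad", "ctr_vendor1", True),
    Account("ad", "ghost01", False),
]
PEOPLE = [Person("jsmith", "terminated"), Person("bjones", "active"),
          Person("ctr_vendor1", "active", contract_end=date(2024, 2, 28))]
KNOWN_SERVICE_IDS = {"svc_historian"}
AS_OF = date(2024, 3, 13)
```

Accounts with no finding (an active employee, a registered service account) still go through the normal attestation; the findings list is what the reviewer must act on within the revocation SLA.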

Can we automate the entire access review process?

Automate review initiation, tracking, and reporting, but maintain human decision-making for access appropriateness. Pure automation misses context that managers provide about changing job responsibilities.

Footnotes

  1. Cybersecurity Capability Maturity Model v2.1
