AC-2(1) / A.8.2 / CIS-5.3 NIST SP 800-53 Rev 5

PII access reviewed quarterly

Description

What this control does

This control mandates a formal quarterly review of all user access rights to systems, applications, and databases containing personally identifiable information (PII). The review verifies that only authorized individuals retain access based on current job responsibilities and business justification. Quarterly cadence ensures timely detection and revocation of orphaned accounts, excessive privileges, or access no longer aligned with the principle of least privilege, reducing the window of exposure for unauthorized PII disclosure.

Control objective

What auditing this proves

Demonstrate that access to PII-containing systems is reviewed at least quarterly, that reviews identify and remediate inappropriate access, and that the process is documented with evidence of timely corrective action.

Associated risks

Risks this control addresses

  • Former employees or contractors retain access to PII after separation, enabling data exfiltration or sabotage
  • Users accumulate excessive PII access privileges over time due to role changes without corresponding access revocation
  • Unauthorized lateral movement by attackers leveraging dormant or unmonitored accounts with PII access
  • Insider threats exploit unreviewed access to PII for identity theft, financial fraud, or sale on dark web markets
  • Regulatory noncompliance penalties (GDPR, CCPA, HIPAA) due to failure to demonstrate periodic access governance
  • Data breach notification obligations triggered by inability to demonstrate who had legitimate access to compromised PII
  • Loss of customer trust and brand damage following disclosure of preventable PII exposure from stale account access

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's PII access review policy and procedure documentation, noting required review frequency, roles, and responsibilities.
  2. Generate or request an inventory of all systems, applications, databases, and repositories classified as containing PII.
  3. For each PII-containing system, request access review records (sign-off sheets, ticketing system records, email approvals) for the past twelve months.
  4. Verify that reviews occurred at intervals not exceeding 93 days for each PII system during the audit period.
  5. Select a representative sample of at least three PII systems and examine the most recent quarterly review documentation for completeness, including reviewer identity, review date, user lists, and approval signatures.
  6. Identify instances where reviews flagged inappropriate access and trace remediation actions to completion, including deprovisioning tickets, identity management system logs, or change records.
  7. Cross-reference current active user lists from PII systems against the most recent quarterly review documentation to detect accounts added since the last review that await the next cycle.
  8. Interview system owners or data stewards responsible for PII access reviews to confirm understanding of review procedures, escalation paths, and criteria for access approval or revocation.

Evidence required

Auditors collect quarterly access review reports or attestations for each PII system covering the past twelve months, including dated reviewer sign-offs, user access listings with role justifications, and exception or remediation tracking records. Supporting evidence includes identity and access management (IAM) system exports showing user-to-PII-system entitlements, ticketing system records documenting access removal actions, and policy documents defining review schedules and responsibilities.

Pass criteria

All systems containing PII have documented access reviews conducted at intervals not exceeding 93 days during the audit period, with evidence of timely remediation for identified access discrepancies and formal approvals from designated data stewards or system owners.
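The mechanical parts of the testing procedure (step 4's 93-day cadence check, step 6's remediation trace, and step 7's reconciliation of current users against the last review) can be run over exported evidence rather than checked by hand. The script below is an added example, not part of this control page or any audit program; the system name, user names, reviewer, dates and ticket ids are constructed sample data, and the record layout (an `AccessReview` per sign-off with a `flagged` map of account to remediation ticket) is an assumption about how the IAM exports and ticketing records would be normalised.

```python
"""Added example (not from the original control page): automates steps 4, 6 and 7
of the testing procedure over constructed, in-memory evidence.

Every system, user, reviewer, date and ticket id below is constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

MAX_GAP_DAYS = 93  # the page's threshold for a "quarterly" interval


@dataclass
class AccessReview:
    """One signed-off review of a PII system (assumed normalised record layout)."""
    system: str
    review_date: date
    reviewer: str
    reviewed_users: set[str]
    # accounts the reviewer flagged as inappropriate -> remediation ticket id
    # (None when the flag was raised but no ticket was ever opened)
    flagged: dict[str, str | None] = field(default_factory=dict)


def cadence_gaps(reviews, period_start, period_end, max_gap=MAX_GAP_DAYS):
    """Step 4: every interval longer than max_gap, as (start, end, days).
    The audit period boundaries are treated as checkpoints, so a long gap from
    period_start to the first review (or no reviews at all) is reported too."""
    dates = sorted(r.review_date for r in reviews)
    points = [period_start] + dates + [period_end]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:])
            if (b - a).days > max_gap]


def unremediated_flags(reviews, closed_tickets):
    """Step 6: flagged accounts with no closed deprovisioning ticket."""
    return [(r.system, r.review_date, user, ticket)
            for r in reviews
            for user, ticket in r.flagged.items()
            if ticket is None or ticket not in closed_tickets]


def accounts_awaiting_review(active_users, reviews):
    """Step 7: accounts active now but absent from the most recent review."""
    latest = max(reviews, key=lambda r: r.review_date)
    return sorted(set(active_users) - latest.reviewed_users)


def assess(reviews, active_users, closed_tickets, period_start, period_end):
    """Apply the page's pass criteria: no interval over 93 days and every flagged
    account remediated. Accounts awaiting review are reported, not failed, since
    the procedure expects them to be covered by the next cycle."""
    gaps = cadence_gaps(reviews, period_start, period_end)
    open_items = unremediated_flags(reviews, closed_tickets)
    return {
        "pass": not gaps and not open_items,
        "gaps": gaps,
        "unremediated": open_items,
        "awaiting_review": accounts_awaiting_review(active_users, reviews),
    }


# --- constructed evidence for one PII system, "hr-db", over a 2024 audit period ---
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)

HR_DB_REVIEWS = [
    AccessReview("hr-db", date(2024, 1, 20), "d.steward", {"alice", "bob", "carol"}),
    AccessReview("hr-db", date(2024, 4, 10), "d.steward", {"alice", "bob", "carol"},
                 flagged={"carol": "DEPROV-101"}),      # 81 days after the previous review
    AccessReview("hr-db", date(2024, 7, 30), "d.steward", {"alice", "bob"},
                 flagged={"bob": None}),                 # 111 days: exceeds 93
    AccessReview("hr-db", date(2024, 10, 15), "d.steward", {"alice", "bob"}),  # 77 days
]
CLOSED_TICKETS = {"DEPROV-101"}                 # constructed ticketing-system export
HR_DB_ACTIVE_USERS = ["alice", "bob", "dave"]   # "dave" was added after the October review


if __name__ == "__main__":
    result = assess(HR_DB_REVIEWS, HR_DB_ACTIVE_USERS, CLOSED_TICKETS,
                    PERIOD_START, PERIOD_END)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed data the system fails on two counts: the April-to-July interval is 111 days, and the July review flagged "bob" without a remediation ticket. "dave" is listed under awaiting review because he is active but absent from the October user list, which is exactly the condition step 7 asks the auditor to surface. Run the same functions over each system in the PII inventory (step 2) to produce the per-system pass/fail summary the pass criteria call for.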

Where this control is tested

Audit programs including this control