Critical System Access Reviews

Conduct and upload periodic access reviews of critical systems like AWS, GitHub, and Okta to satisfy Sprinto’s workflow monitoring requirements.

Sprinto monitors whether your organisation periodically reviews access to critical systems. This ensures that only authorised personnel retain access to sensitive environments and helps prevent privilege creep and unauthorised access.

This article explains what constitutes a critical system access review, how Sprinto tracks compliance, and how to complete and resolve these workflow checks.


What is a Critical System Access Review?

An access review involves:

  • Listing all users who currently have access to a critical system

  • Validating whether each user still requires that access

  • Documenting the review, including any access removals or adjustments

Sprinto treats this as a manual workflow check, requiring uploaded evidence that a formal review was completed for each system.


Examples of Critical Systems

  • Infrastructure: AWS Console, Azure Portal, GCP Console

  • Source Control: GitHub, GitLab, Bitbucket

  • Identity Providers: Okta, OneLogin, Azure AD (now Microsoft Entra ID)

  • SaaS Platforms: Jira, Notion, Slack (admin access only)

  • Endpoint Tools: MDM, EDR, or monitoring tools used in production


When is a Review Required?

Access reviews are typically expected:

  • Quarterly or every six months (the cadence depends on your compliance framework)

  • After major organisational changes, such as team restructures

  • During audit preparation or internal infosec reviews

Sprinto will flag this workflow check as Failing or Pending Evidence until valid artefacts are uploaded.


How to Complete the Review

  1. Export User List from the Target System

    • Use the platform’s admin console, CLI or API (for example, the AWS IAM credential report), and keep the raw export unmodified alongside the review so each decision can be traced back to it

    • Ensure the export includes:

      • Username or email

      • Assigned roles or access levels

      • Last login (if available)

  2. Perform the Review

    • Identify users who no longer require access

    • Flag accounts for removal, privilege downgrade, or further review

    • Document the action taken and reviewer comments

  3. Prepare Evidence

    • Use an internal spreadsheet or access review template

    • Include reviewer name, date of review, and actions taken, with a ticket or change reference for each removal or downgrade so an auditor can confirm it was carried out

    • Alternatively, export the access review report from your access governance tool (if applicable)
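
The following script is an added worked example of steps 1 to 3; it is not Sprinto’s own tooling and the page does not describe one. It assumes a generic CSV export containing the fields listed above (username, email, role, last login as YYYY-MM-DD); the column names, the 90-day dormancy threshold, the privileged-role set and the sample GitHub organisation data are all constructed for illustration and should be adjusted per system.

```python
"""Turn a raw user export into an access-review artefact.

Added example for this article; not Sprinto's own tooling. Assumes a generic
CSV export with the fields the article lists (username, email, role, last
login as YYYY-MM-DD). Column names, the 90-day dormancy threshold and the
privileged-role set are illustrative assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90                      # assumption: one quarter without a login
PRIVILEGED_ROLES = {"owner", "admin"}  # assumption: roles needing owner sign-off

# Constructed sample export for a hypothetical GitHub organisation.
SAMPLE_EXPORT = """\
username,email,role,last_login
alice,alice@example.com,owner,2024-05-28
bob,bob@example.com,member,2024-02-01
carol,carol@example.com,admin,
dave,dave@example.com,member,2024-05-30
svc-deploy,,admin,2023-11-12
"""


@dataclass
class ReviewRow:
    username: str
    email: str
    role: str
    last_login: str
    flags: list
    proposed_action: str


def review_export(export_csv: str, review_date: str) -> list:
    """Flag each account and propose an action for the reviewer to confirm."""
    as_of = date.fromisoformat(review_date)
    rows = []
    for rec in csv.DictReader(io.StringIO(export_csv)):
        flags = []
        if not rec["last_login"]:
            flags.append("never-logged-in")
        else:
            age = (as_of - date.fromisoformat(rec["last_login"])).days
            if age > DORMANT_DAYS:
                flags.append(f"dormant-{age}d")
        if rec["role"].lower() in PRIVILEGED_ROLES:
            flags.append("privileged")
        if not rec["email"]:
            # Shared or service accounts with no named owner cannot be attested to.
            flags.append("no-named-owner")

        # Dormant accounts are proposed for removal; privileged or ownerless
        # accounts go back to the system owner; everything else is kept.
        if any(f == "never-logged-in" or f.startswith("dormant-") for f in flags):
            action = "remove"
        elif "privileged" in flags or "no-named-owner" in flags:
            action = "confirm-with-owner"
        else:
            action = "keep"
        rows.append(ReviewRow(rec["username"], rec["email"], rec["role"],
                              rec["last_login"], flags, action))
    return rows


def render_artefact(rows: list, system: str, reviewer: str, review_date: str) -> str:
    """CSV evidence with reviewer, date, system and a decision column to fill in."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["system", "review_date", "reviewer", "username", "email", "role",
                "last_login", "flags", "proposed_action", "decision", "comment"])
    for r in rows:
        w.writerow([system, review_date, reviewer, r.username, r.email, r.role,
                    r.last_login, ";".join(r.flags), r.proposed_action, "", ""])
    return out.getvalue()


def summarise(rows: list) -> dict:
    """Counts per proposed action, usable for the upload comment's result line."""
    counts = {}
    for r in rows:
        counts[r.proposed_action] = counts.get(r.proposed_action, 0) + 1
    return counts


if __name__ == "__main__":
    rows = review_export(SAMPLE_EXPORT, "2024-06-30")
    print(render_artefact(rows, "GitHub", "reviewer@example.com", "2024-06-30"))
    print(summarise(rows))
```

The script only proposes actions; the decision and comment columns stay empty so the reviewer’s own judgement (and the ticket reference for each removal) is recorded in the artefact rather than inferred from a threshold.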


Uploading to Sprinto

  1. Go to Monitoring > Check History

  2. Locate the Critical System Access Review workflow check

  3. Click Upload Evidence

    • Attach the review artefact (spreadsheet, PDF, export, screenshot)

    • Add a brief comment summarising:

      • Review date

      • Reviewer name

      • System reviewed

      • Result (e.g., 2 users removed, 1 privilege downgraded)

  4. Click Mark as Resolved


Best Practices

  • Use a recurring calendar reminder for quarterly access reviews

  • Involve system owners in the review process

  • Remove or restrict dormant accounts

  • Maintain versioned logs of all reviews for audit support
