We recommend the TSA Chief Information Officer direct the selected High Value Asset system owner to require all non-privileged users’ system access requests be reviewed, authorized, and documented before granting system access. In addition, users’ system access should be reviewed periodically and removed if it is no longer needed.