User Access Review Best Practices
Taking regular inventories of your users and their access needs helps keep information, and your company, safe and secure. In discussing user access in Deloitte Review Issue 19, Irfan Saif, Mike Wyatt, and David Mapgaonkar note:
Humans can still be bugged or tricked into revealing their passwords. There is malware, or malicious software, installed on computers; there is phishing, in which cyber crooks grab login, credit card, and other data in the guise of legitimate-seeming websites or apps; and there are even “zero-day” attacks, in which hackers exploit overlooked software vulnerabilities. And of course, old-fashioned human attacks persist, including shoulder-surfing to observe users typing in their passwords, dumpster-diving to find discarded password information, impersonating authority figures to extract passwords from subordinates, discerning information about the individual from social media sources to change their password, and employees selling corporate passwords.
When the media covers information security, passwords get the most attention. Password stealing is interesting and sexy. However, among information security threats, password safety is the lowest risk of all. User access reviews assess a more vulnerable area: how much information an employee needs to do their job.
Internally monitoring your company’s user access is one way to protect information from both human and electronic risks. A lot can change in six to twelve months, and data needs evolve throughout the user access lifecycle. Particularly in larger corporations, employees enter and exit the workforce on a rotating basis, and they also change positions within the organization.
An employee may have shifted departments, changing their user access needs and potentially posing a serious security threat. Or, if a system administrator misses an employment termination email, former employees may retain access for far longer than they should. Employees with outdated access can compromise internal assets.
Therefore, periodically assessing user access is a critical step to ensure compliance and security.
To ensure that user access reviews are implemented successfully, you may want to consider some of the following tips.
How To Make User Access Reviews Effective
Assess User Access Risks
Risks are inherent in user access simply because it is the human element in a system, and people make mistakes, can be fooled, and sometimes act maliciously. When reviewing the risks to your organization, consider who has the most open access to most systems. Often, developers and information technology professionals pose the greatest risk. Although they are less likely to accidentally intrude upon your systems, their work requires access to more of your sensitive information. This group requires more frequent reviews because their actions can cause the most business and system damage.
The second high-risk group to assess is third-party vendors. This group temporarily has access to your systems and information. Often, their use ranges from a few weeks to a few months. With this group, the risk lies in forgetting that they have access when the contractual relationship ends.
The category to review with the broadest risk exposure is your employees. New employees pose an initial risk upon entry, as managers often tell their IT department to add the person at the same level of access as a current employee. Even though people may work in the same department, they do not necessarily need the same system access. Similarly, employees who transfer from one area to another without adequate review of their access needs may inadvertently take business intelligence or system access beyond the units that need them. Inappropriate access assignments can violate segregation of duties controls, jeopardize sensitive material, and needlessly expand risk exposure.
For those individuals whose employment has ended, timing of access termination becomes another level of risk. Neglecting to curtail access for former employees means continuing to share internal information with now-outside actors. Premature, involuntary termination can cause people to act maliciously. This means that termination of access should be as close as possible to termination of employment.
Many companies perform risk reviews, but treat them as perfunctory—ignored or merely glanced at before being approved.
To truly determine the risks posed to a business, annual or semi-annual risk reviews need to do more than simply restate the previous year’s risk. To keep pace with evolving risks, user security roles need to match organizational changes. Revising privileges or changing roles can meaningfully reduce risk exposure.
Create Risk Appropriate Policies and Procedures
Once the organization has identified its risks, it can begin to review the ways in which those risks will be mitigated. Two approaches underpin many policies and procedures.
Under the Deny All approach, no one gets access unless they specifically need it. With this mindset, IT reviews incoming requests, determining additional access on a need-to-have, case-by-case basis.
With the Allow All approach, everyone is granted access until they have proven their untrustworthiness.
Traditionally, the Deny All approach minimizes risk exposure; however, for smaller organizations where jobs overlap, Allow All might be best. Another option blends these approaches by establishing different access right strategies across departments and jobs.
Regardless of which method an organization chooses, consider business needs. Designing policies and procedures around workflows bolsters the effectiveness of your compliance program.
Most access control comes down to two dimensions: action security and row security. Action security governs which actions a user may execute: the steps that user can perform. For example, some employees may only require read-only rights, others need rights to update information, and still others may need to add and delete information.
Row security relates to the type of information or records users can access. For example, certain groups may need to access all customers but not all vendors. Limiting access to information enhances security for the organization. Organizations can determine for themselves what, within these spectrums of access, is most suitable, but they must do so thoughtfully.
Many managers assume that user access review is solely the IT department’s responsibility. When asked to do their own reviews, they look at stacks of sheets, add the required signatures, and submit the forms. Doing this meets the requirement but not the function of user access reviews.
If managers are not thinking about providing employees with appropriate access and simply adding access without a clear purpose, security administration becomes unwieldy. When too many users touch too many assets, this makes the managers’ stack of reviews larger, which makes them less likely to clearly understand what they are reviewing.
Breaking this cycle requires training and communication between departments. For an organization to be secure, everyone from managers to IT to HR needs to understand their role in the process. Staff must understand the consequences of missed notifications or data breaches.
It’s important to create a culture of security, which means that the CFO, CIO, and VPs should be attending the trainings as well. If those reviewing employee performance do not take security seriously, those tasked with protecting the security will not see its value.
Since employee populations change so quickly, CISOs and CIOs need to focus on keeping reports updated. Current information helps the reviewers, who need up-to-date materials and evidence. For reports run on a regular basis, audit documentation older than 30 days diminishes in relevance. Because reports can take a while to review, scheduling them to all run simultaneously and reviewing them by a given deadline may not be feasible.
Review a Variety of Reports for User Access
Alerts from Monitoring Software
Many user access alerts emphasize rule compliance rather than security, although they can be useful for both. Reviewing daily alerts from monitoring software can help find areas where a user’s access may have been compromised. Lags in rescinding access create gaps that undermine security.
The daily monitoring of these reports can help to standardize methods of asset protection. Monitoring alert logs can point to weaknesses in controls or failure of controls. Inconsistent practices highlight where policy or processes are unclear or missing key steps.
User Access Changes
Run monthly, these reports can help you target workflow efficiency. For smaller organizations, reviewing the entire report monthly may be appropriate. For larger organizations, reviewing a random sampling of these reports can help determine whether the users hold appropriate access and whether revocations occur in a timely manner. Discrepancies in the sample should trigger a full verification.
Review Function Access Profiles
Reviewing function access profiles is one of the most important parts of user access reviews. Function access reviews ensure not only that all employees have the access they need, but also that your organization is responsive to what employees don’t need.
If an employee is not using the asset, they shouldn’t have access because it opens a vulnerability. For example, if an employee moves from the development side of the house to the sales side, their access needs to be limited. If the employee looks for information because they “still have access,” they may accidentally change settings due to updates that they did not know were installed. Plugging the holes regularly is important!
Some of the reports that can be used to track access rights are the role listing by functional area, user listing by role, action security by role, row security by role, library of applications, and key application reports.
Even if the move is within the organization, updated access protects against employee accidents and malicious employee access. Moreover, continually updated access ensures the least damage is done if the employee’s information is used by someone outside the organization.
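The action-security and row-security split described under policies and procedures, and the function access review that looks for rights an employee holds but never uses, can both be expressed over the same role table. The following is an added example with constructed roles, users, records, and an activity log (not the page's or any product's code): a Deny All check that grants an action only when a role explicitly permits it on that row, plus a review helper that lists granted but unused actions.

```python
# Constructed example data: roles, users and records invented for illustration.
# Each grant pairs an action set (action security) with a row filter (row security).
ROLE_RIGHTS = {
    "sales_rep": {
        "customer": ({"read", "update"}, lambda row, user: row["region"] == user["region"]),
    },
    "ap_clerk": {
        "vendor":   ({"read", "update", "create", "delete"}, lambda row, user: True),
        "customer": ({"read"}, lambda row, user: True),   # all customers, read-only
    },
}

ALICE = {"id": "alice", "roles": ["sales_rep"], "region": "west"}
BOB = {"id": "bob", "roles": ["ap_clerk"], "region": "east"}
CUSTOMER_WEST = {"id": "c1", "region": "west"}
CUSTOMER_EAST = {"id": "c2", "region": "east"}
VENDOR = {"id": "v1"}

# Constructed activity log for Bob: (action, record_type) pairs actually performed.
BOB_ACTIVITY = [("read", "vendor"), ("update", "vendor"), ("read", "customer")]


def is_allowed(user, action, record_type, row):
    """Deny All: succeed only if some role explicitly grants the action on this row."""
    for role in user["roles"]:
        grant = ROLE_RIGHTS.get(role, {}).get(record_type)
        if grant is None:
            continue                      # role says nothing about this record type
        actions, row_filter = grant
        if action in actions and row_filter(row, user):
            return True
    return False                          # nothing granted it, so refuse


def unused_grants(user, activity):
    """Function access review: actions the roles permit that the activity log never shows."""
    used = {(record_type, action) for action, record_type in activity}
    granted = {
        (record_type, action)
        for role in user["roles"]
        for record_type, (actions, _) in ROLE_RIGHTS.get(role, {}).items()
        for action in actions
    }
    return sorted(granted - used)


if __name__ == "__main__":
    print(is_allowed(ALICE, "read", "customer", CUSTOMER_EAST))   # False: wrong region
    print(unused_grants(BOB, BOB_ACTIVITY))                       # create/delete on vendor
```

Rights that appear in the unused list are candidates for removal at the next review; those kept should have a documented business reason.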
Manager Reviews of Employee Profiles
Annual, manager-level reviews of employee access profiles add not only another protective layer of review, but also can provide insight into employee access needs that may not be related to intra-organizational moves or employment terminations. Managers know when special projects that necessitated access have ended, and including them in the review process can close gaps.
Review Employee Termination Procedures
At least annually, it’s important to review the termination procedures set by human resources and ensure that information security steps are appropriately represented. Cross-reference a list of former employees against a list of those who have had their access revoked. No one wants a former employee to have access to their information.
When implemented smoothly, this review should show how well the two departments are communicating. Communication in these cases is just as important as action.
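The cross-reference described above, and the earlier point that access termination should sit as close as possible to employment termination, can be scripted. This added example (not the page's or any vendor's code) uses a constructed HR roster and directory export and flags three findings: terminated owners whose accounts are still enabled, accounts disabled later than an agreed lag, and accounts with no HR record at all, which is where forgotten vendor logins tend to surface.

```python
from datetime import date

# Constructed sample data for illustration; not taken from any real HR or directory system.
HR_ROSTER = {            # employee_id -> last day of employment, or None if still employed
    "e101": date(2023, 3, 31),
    "e102": date(2023, 4, 14),
    "e103": date(2023, 4, 28),
    "e104": None,
}

DIRECTORY_ACCOUNTS = [   # (account owner id, account enabled?, date disabled or None)
    ("e101", False, date(2023, 4, 1)),   # disabled the day after the last day: on time
    ("e102", True, None),                # still enabled: the termination notice was missed
    ("e103", False, date(2023, 5, 20)),  # disabled, but weeks late
    ("e104", True, None),                # current employee, nothing to flag here
    ("v900", True, None),                # no HR record at all, e.g. a contractor login
]

REVIEW_DATE = date(2023, 6, 1)            # constructed date the review is run


def reconcile_terminations(hr_roster, accounts, as_of=REVIEW_DATE, max_lag_days=1):
    """Cross-reference directory accounts against the HR roster.

    Returns a sorted list of (owner_id, finding, lag_days), where finding is one of:
      still_enabled    terminated owner whose account is still enabled (lag = days since last day)
      late_revocation  account disabled more than max_lag_days after the last day
      no_hr_record     account whose owner is unknown to HR (vendor or orphaned account)
    """
    findings = []
    for owner_id, enabled, disabled_at in accounts:
        if owner_id not in hr_roster:
            findings.append((owner_id, "no_hr_record", None))
            continue
        last_day = hr_roster[owner_id]
        if last_day is None:
            continue                      # still employed; covered by other reviews
        if enabled:
            findings.append((owner_id, "still_enabled", (as_of - last_day).days))
        else:
            lag = (disabled_at - last_day).days
            if lag > max_lag_days:
                findings.append((owner_id, "late_revocation", lag))
    return sorted(findings)


if __name__ == "__main__":
    for owner_id, finding, lag in reconcile_terminations(HR_ROSTER, DIRECTORY_ACCOUNTS):
        print(f"{owner_id:6} {finding:16} lag_days={lag}")
```

Run against the real HR export and directory dump, the `still_enabled` rows are the ones to act on the same day; the `late_revocation` rows measure how well HR and IT are communicating.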
Automate Reviews and Compliance
Whenever possible, use tools available to your organization to perform user access reviews. Ideally, your organization may want to use some type of identity management tool, such as Core Security or SailPoint, to automate the removal of terminated employees’ access. These tools provide an essential bridge between HR systems and directory services and can provide valuable transaction data on changes to a user’s employment status or role within the organization.
When trying to organize large scale communication between different departments, compliance management software is one of the most cost-effective tools to help IT professionals coordinate with other departments. The importance of ongoing user access reviews cannot be overstated.
Automation sets the cadence for review so the process can run itself.
Communicate Between Departments
To run a secure business and protect the organization’s assets, constant vigilance is necessary, and consistent communication between IT, managers, and HR must happen. Communication is one of the key assets of automation. An automation program like ZenGRC engages communication between all parties in two different ways: workflow and audit documentation.
For example, ZenGRC automates information sharing and prompts people to take action. It sends reminders to those who need to complete tasks, creating automated “to do” lists. In ZenGRC, by clicking on the assigned task, the responsible party is brought directly to the instructions and resources that are linked through the corporate Google Drive. This automation process streamlines the activity, making it less burdensome and more likely to be completed in a timely manner.
By connecting the user list and other resources through the automated platform, automation also allows for consistent documentation of these reviews. With inter-departmental communication so vital to the user access review process, automation closes the gaps that lead to compliance issues. Automation shares information across the relationships. This means that, as items are updated across the GRC space, any department can view evidence of the related items and controls.
User access reviews constitute one of the main ways in which a company can protect its information assets. Whether guarding against anger or accidents, user access dictates how available the organization’s data is to employees. To effectively safeguard those assets, program access and information access need to be restricted based on employee role within the company. From top management down the organizational chain, everyone needs to work to create a culture of security.