User Access Review Best Practices
Taking regular inventories of your users and their needs helps keep information, and your company, safe and secure. In discussing user access Deloitte Review Issue 19, Irfan Saif, Mike Wyatt, David Mapgaonkar note:
Humans can still be bugged or tricked into revealing their passwords. There is malware, or malicious software installed on computers; there is phishing, in which cyber crooks grab login, credit card, and other data in the guise of legitimate-seeming websites or apps; and there are even “zero day” attacks, in which hackers exploit overlooked software vulnerabilities. And of course, old-fashioned human attacks persist, including shoulder-surfing to observe users typing in their passwords, dumpster-diving to find discarded password information, impersonating authority figures to extract passwords from subordinates, discerning information about the individual from social media sources to change their password, and employees selling corporate passwords.
When media approaches information security, passwords get the most lines. Password stealing is interesting and sexy. However, when it comes to user access reviews, password safety is the lowest risk of all. Reviewing user access is less about reviewing password safety and more about reviewing how much information an employee needs to do their job.
With the human and electronic risks, internally monitoring your company’s user access is one way to protect information. Six to twelve months is a long time in the user access lifecycle. Particularly in larger corporations, employees enter and exit your workforce on a rotating basis. Further, they change positions within your organization.
Often, former employees have access for far longer than they’re supposed to have it if a system administrator misses an employment termination email. An employee may have shifted departments, changing their user access needs and potentially posing a serious security threat. Internal assets can be compromised by employees who have outdated access.
Therefore, reviewing a variety of different reports to ensure compliance and security matters.
When trying to ensure that user access reviews are implemented successfully, you may want to consider some of the following tips.
How To Make User Access Reviews Effective
Assess User Access Risks
Risks are inherent in user access simply because people can be malicious or can make mistakes. When looking to review the risks to your organization, you want to assess greatest risk in terms of who has the most open access to the most systems. In this case, developers and information technology professionals are your largest risk. Their access gives them a higher risk rating, although they are less likely to accidentally intrude upon your systems. This group requires more frequent review because their actions can cause the most business and system damage.
The second most risky group would be third party vendors. This group has access to your systems and information. Often, their uses range from a few weeks to a few months. With this group, the risk lies in forgetting that they have access upon discontinuation of the contractual relationship.
The final category of review involves employees. New employees pose an initial risk. Often, managers simply tell their IT department to add the person at the same level of access as a current employee.
Unfortunately, even though people work in the same department, they do not necessarily need the same system access. Inappropriate access assignation can result in violations of proper segregations of duties.
For those individuals whose employment has terminated, timeliness of access termination becomes another level of risk as involuntary termination can cause people to act maliciously. This means that termination of access should be as close to termination of employment. A final level of risk exists in those employees who transfer from one area to another without adequate review of their access needs. For many companies, the risk reviews are done annually but only glanced at while doing business before being approved.
To truly determine the risks posed to a business, the annual risk reviews need to do more than simply repeat the previous year’s risk. As a business evolves, its risks evolve, and to keep pace with this, user security roles need to match these organizational changes. Revoking privileges or changing roles can meaningfully improve fraud prevention.
Create Risk Appropriate Policies and Procedures
As with any compliance concern, risk-based policies and procedures form the foundation of the program. Once the organization has determined its risks, it can begin to review the ways in which those risks will be mitigated. Two generalized approaches to policies and procedures exist.
With the Deny All approach, no one gets access unless they specifically need it.
With this mindset, IT reviews ongoing requests, determining additional access on a need-to-have, case-by-case basis.
With the Allow All approach, everyone is granted access until they have proven their untrustworthiness.
Traditionally, the Deny All approach is considered the safest; however, for smaller organizations where jobs overlap, the Allow All might be best. Compliance concerns such as segregation of duties need to be reviewed regardless of which method an organization chooses.
To account for these types of compliance issues, different access rights across departments and jobs should also be considered.
Most security lies in action and row security. Action security means securing users from executing actions: for example, some employees may only require read only rights. Others may need update to information rights. Still others may need to be able to add and delete information. Row security relates to the type of information or records users can access.
For example, certain group may need to access all customers but not all vendors. Limiting the access to information adds security to the organization. Organizations can make any determination for themselves within these spectrums of access, but they must do so thoughtfully.
Most managers assume that user access review responsibility is solely within the purview of the IT department. When asked to do their own reviews, they look at stacks of sheets, add the required signatures, and submit the forms. Doing this meets the requirement but not the function of user access reviews.
For an organization to be secure, everyone from managers to IT to HR need to understand their role in the process.
For example, if managers are not thinking about providing employees with appropriate access and simply adding access without clear purpose, security administration becomes unwieldy due to too many users touching too many assets. This, in turn, makes the managers’ stack of review items larger which makes them less likely to clearly understand what they are reviewing.
Breaking this cycle requires training and communication between departments so that everyone understands their roles. When training employees, it’s also important to create a culture of security. This means that the CFO, CIO, and VPs should be attending the trainings as well.
If those reviewing employee performance do not take security seriously, those engaged in protecting the security will not see its value. Schedule Reviews Regularly
Since employee populations change so quickly, CISOs and CIOs need to focus on keeping reports updated to match current moments in time. This helps the auditors, who like to see up-to-date materials and evidence. For reports being run on a regular basis, providing audit documentation that is older than 30 days can sometimes be a problem. Additionally, reports can take a while to review, so scheduling them to all run on the same day and being able to review them by a given deadline may not be feasible.
Review a Variety of Reports for User Access
Alerts from Monitoring Software
Most user access reviews are done for compliance, not security purposes, although that line can be blurry. Although more of a security than a compliance function, reviewing daily alerts from monitoring software can help find areas where a user’s access may have been compromised. Lags in rescinding access can lead to gaps in security that highlight compliance.
Compliance seeks to standardize methods of asset protection:while the daily monitoring of these reports is not related to compliance as such, it is within the purpose of monitoring. Monitoring alert logs can point to weaknesses in controls or failure of controls. Inconsistent deactivation of accounts means that the policy/processes are either unclear or missing key steps.
User Access Changes
Run monthly, these reports can help you target at a high level whether your workflows are efficient. For smaller organizations, reviewing the entire report monthly may be appropriate. For larger organizations, reviewing a random sampling of these reports can help determine whether the users are being granted the appropriate access and whether the revocations are being done in a timely manner. Discrepancies in the sample should trigger a full verification.
Review Function Access Profiles
Reviewing function access profiles is one of the most important parts of user access reviews. Function access reviews not only ensure all employees have the access they need but make sure that your organization is updating what employees don’t need.
If an employee is not using the asset, they shouldn’t have access because it opens a vulnerability.
For example, if an employee moves from the development side of the house to the sales side, their access needs to be limited. If the employee looks for information because they “still have access,” they may accidentally change settings due to updates that they did not know were installed. Some of the key reports that can be used to track access rights are the role listing by functional area, user listing by role, action security by role, row security by role library of applications, and key application reports.
Plugging the holes regularly is important!
Even if the move is within the organization, updated access protects against employee accidents and malicious employee access. Moreover, continually updated access ensures the least damage is done if the employee’s information is used by someone outside the organization.
Manager Reviews of Employee Profiles
Annually asking managers to review the employee access profiles adds not only another protective layer of review but can provide insight into employee access needs that may not be related to intra-organizational moves or employment terminations. Managers know when special projects that added access have ended and including them in the review process annually can close gaps. Equally important to any organization is to make sure that supervisors are trained to understand the consequences of missed notifications.
Review Employee Termination Procedures
At least annually, it’s important to review the termination procedures set by human resources and compare that to a sample list of people who have had their access revoked. No one wants a former employee to have access to their information. More importantly, this review should show how well the two departments are communicating. Communication in these cases is just as important as action.
Automate Reviews and Compliance
Whenever possible, use tools available to your organization to perform user access reviews. Ideally, your organization may want to use some type of identity management tool such as Core Security and SailPoint,to automate the removal of terminated employees’ access. These tools provide an essential bridge between HR systems and directory services and can provide valuable transaction data on changes to a user’s employment status or role within the organization.
When trying to organize large scale communication between different departments, compliance management software is one of the most cost-effective tools to help IT professionals coordinate with other departments. The importance of ongoing user access reviews cannot be overstated.
Communicate Between Departments
To run a secure business and protect the organization’s assets, constant vigilance is necessary and consistent communication between IT, managers, and HR must happen.
Communication is one of the key assets of automation.
Automation sets the cadence for review so the process can run itself.
For example, ZenGRC automates information sharing and people taking action. Platforms send out reminders to those who need to complete tasks, creating automated “to do” lists. In ZenGRC, by clicking on the assigned task the responsible party is brought directly to the instructions and resources that are linked through the corporate Google Drive. This automation process streamlines the activity making it less burdensome and more likely to be completed in a timely manner.
By connecting the user list and other resources through the automated platform, automation also allows for consistent documentation of these reviews. An automation program like ZenGRC engages communication between all parties in two different ways: workflow and audit documentation. With interdepartmental communication being so important to the user access review process, automation closes the gaps that lead to compliance issues. Automation shares the information across the relationships. This means that as items are updated across the GRC space, any department can view evidence of the related items and controls.
Without a doubt, user access reviews constitute one of the main ways in which a company can protect its information assets. Whether guarding against anger or accidents, user access controls how much freedom employees have to the organization’s data. Program access and information access need to be restricted based on employee role within the company to effectively determine the safety of those assets. From top management down the organizational chain, everyone needs to work to create a culture of security.