Control of Access to Corporate Applications has always been a key part of good governance practice. With the scope and number of systems increasing within organisations, user populations increasing, application related risks becoming more evident, greater remote and mobile working, access being extended beyond employees to sub-contractors, suppliers, partners and customers and the widespread adoption of SaaS and cloud based applications, not to mention the widespread reporting of access control breaches and failures, User Access Control has become an increasing priority for management.
Access Control is the governance discipline that ‘enables the right individuals, to access the right resources, at the right times, for the right reasons’ as defined by IT analyst, Gartner.
Why is this so important? Access Control is a critical function to achieve effective internal control and good governance over business processes and company assets. It ensures that employees, subcontractors, consultants or anyone else with access to any part of a system, only have ‘keys to the doors’ they are meant to be opening in the course of their daily work.
So what are the key risks and considerations in this area of Access Control?
- Joiners/Movers/Leavers:
  Within large corporations, new hires, changes of role and departures all affect access rights and can expose the organisation to information security threats. Often there are few or no standard rules around this process to ensure that the right access is granted or revoked at these key points. Individuals who move around the organisation often end up with more access than intended, because new resources and access are added on top of their old environment. People who leave the organisation should have all their system access revoked immediately, but this process is rarely as well defined or implemented as you might expect.
- Management of Individual User Access Rights:
  User rights must be managed as individuals move around an organisation or use more devices to access information. Typically, their accounts gain access to more systems and information that is never revoked. Over an extended period the problem gets exponentially worse, with individual users accumulating access rights like medals after many wartime campaigns! As a result, individuals can see and do far more than was intended and, should their account be compromised, present an attacker with a clear target, since the account has more access than anyone realises. This accrual of rights can be due to simple negligence or to not having the right practices in place to ensure supervision. Application access must be certified by management on a rolling basis, and companies should look at role-based access control.
- Segregation of Duties (SoD) and Sensitive Access:
  These two key components of access control ensure that there is no conflict of interest within key business processes, reducing the potential risk of error, waste and fraud. The general premise of SoD is to prevent one person from having both access to assets and responsibility for maintaining the accountability of those assets. Segregating these incompatible functions is crucial for a strong system of internal controls. In general, a policy of least privilege, giving employees the minimum access needed to be productive in their roles, is a good way to tighten security. Segregation of Duties is one of the key pillars of financial assurance. The figure below illustrates the four point SoD policy that helps achieve stronger governance:
- Management of Elevated Access ‘Super Users’:
  Administrative or ‘super user’ accounts with broad and deep access represent a particularly high level of risk within the Access Control policy. Although these accounts may only be used periodically, their use should be minimised and tightly controlled. The priority is to have as few super users as possible, used only for limited periods, with their detailed activity monitored and reported to management.
Conclusion:
A well thought out, clearly defined and implemented policy of Access Control is of paramount importance but not simple to achieve.
A key technique and technology for addressing these challenges of User Access Control is Continuous Monitoring which can automate the ‘whistleblower’ function of policy violation in a complex, ever changing environment. Organizations that prioritize good governance employ Continuous Monitoring for User Access.
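As an added illustration (not from the original post or from Consider's own tooling), the sweep below shows what the ‘whistleblower’ function of Continuous Monitoring checks for across the four risk areas above: SoD conflicts, leavers whose accounts still carry access, movers who have accumulated rights beyond their current role, and super users due for recertification. The snapshot, role model, entitlement names and SoD rules are constructed assumptions.

```python
# Added example: a minimal continuous-monitoring sweep over a constructed access snapshot.
# Constructed sample: HR status, current role, and entitlements each account holds.
ACCESS_SNAPSHOT = {
    "alice": {"status": "active", "role": "ap_clerk",
              "entitlements": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}},
    "bob":   {"status": "active", "role": "ap_clerk",
              "entitlements": {"AP_CREATE_VENDOR"}},
    "carol": {"status": "left",   "role": "controller",
              "entitlements": {"GL_POST_JOURNAL"}},
    "dave":  {"status": "active", "role": "controller",
              "entitlements": {"GL_POST_JOURNAL", "SAP_ALL"}},
}
# Baseline entitlements each role is meant to have (assumed role model).
ROLE_BASELINE = {
    "ap_clerk": {"AP_CREATE_VENDOR"},
    "controller": {"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"},
}
# SoD rules: entitlement pairs one person must not hold together (assumed rules).
SOD_RULES = [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
             ("GL_POST_JOURNAL", "GL_APPROVE_JOURNAL")]
# Entitlements treated as elevated 'super user' access (assumed names).
PRIVILEGED = {"SAP_ALL", "ROOT"}

def find_sod_conflicts(snapshot, rules=SOD_RULES):
    """(user, rule) pairs where one account holds both sides of an SoD rule."""
    return [(u, r) for u, rec in snapshot.items()
            for r in rules if set(r) <= rec["entitlements"]]

def find_leavers_with_access(snapshot):
    """Leavers whose accounts still carry entitlements: exit revocation was missed."""
    return sorted(u for u, rec in snapshot.items()
                  if rec["status"] == "left" and rec["entitlements"])

def find_excess_rights(snapshot, baseline=ROLE_BASELINE):
    """Entitlements beyond the user's current role: rights accumulated as a mover."""
    return {u: sorted(rec["entitlements"] - baseline.get(rec["role"], set()))
            for u, rec in snapshot.items()
            if rec["entitlements"] - baseline.get(rec["role"], set())}

def find_super_users(snapshot, privileged=PRIVILEGED):
    """Accounts holding elevated access, listed for periodic recertification by management."""
    return sorted(u for u, rec in snapshot.items() if rec["entitlements"] & privileged)

if __name__ == "__main__":
    for check in (find_sod_conflicts, find_leavers_with_access,
                  find_excess_rights, find_super_users):
        print(check.__name__, check(ACCESS_SNAPSHOT))
```

In practice the snapshot would be pulled from the HR system and each application's entitlement export on a schedule, and each non-empty finding routed to the access owner for remediation.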
But as with all technology related initiatives, especially around governance, risk and compliance, there are best practices that are critical to successful outcomes. These best practices relate to the overall management of Access Control as a business programme, rather than as just a technology initiative.
As a result of our research and projects with clients around the world, we have identified the 9 key themes that, taken together, assure success:
- Clarity of Mission and Objectives
- Stakeholder Management
- Measuring and Communicating Progress
- Program Organisation Structure and Governance
- Access Control Process Design
- Access Control Process Placement, Sourcing and Operation
- Automation and Enabling
- Skills and Capability
- Business Service Management
If you want to learn more about this 9 step Success Framework, we discussed it in greater detail in our recent webcast ‘Are You Wrestling with the GRC Jellyfish’, which you can access at http://www.consider.biz/are-you-wrestling-with-the-grc-jellyfish/
Alternatively, get in contact at: http://www.consider.biz/#contact
Thanks for reading . . .