Key Control Points | Identity and Access Management

Three critical controls are embodied in identity and access management: granting appropriate access to new hires, controlling access for users who transfer within the company, and promptly removing access for users who have left. Each is described in the following subsections.

Starting Off on the Right Foot—New Hires and the "Least Privilege" Principle
Access for new users must be granted carefully so that they do not violate the least-privilege principle from day one. This principle specifies that a user should have only as much access as is minimally needed to perform his or her assigned job functions, and nothing more. Initially, while new users are learning the job or in training, they may need even less access than they will ultimately hold. Certain unionized functions base privileges on tenure: users must complete a set number of hours of work before they are granted additional authority on the system.
The challenge most companies face with new hires is that they have not adequately defined the roles and rules dictating what access a new person should be granted. Some companies also struggle with the distinction between authorization and approval: should a user's manager approve his or her access, or should that decision fall to the data owner?

Maintaining Control over Time—Managing Transfers and Segregation of Duties
Controlling access as individuals move through the organization is the most problematic area for most companies; it is where most violations of segregation of duties occur. Segregation of duties is the principle that no one person should hold two complementary job functions whose combination would allow that person to defraud the company. For example, someone with functions in accounts payable should not also have functions in accounts receivable. The same pattern applies on the IT side: a system administrator who provisions access to a system should not also be the one who approves that access.
Over time, a person who moves from position to position within the company can accumulate permissions that end up violating segregation of duties or the least-privilege principle. An important part of user management is therefore verifying a person's access each time he or she transfers from one department to another, is promoted, or otherwise moves within the company, so that old access that is no longer needed is removed.
But how do you know when someone has transferred? Most companies struggle tremendously with this question. The problem is that most organizations do not manage job functions at a granularity fine enough to distinguish every transfer. For example, if your HR system records a user's department simply as "Accounting," there is no way to tell from the HR record whether the user is on the Accounts Payable team or the Accounts Receivable team. If the user moves from the former to the latter, an access change is clearly needed, but a review of HR department changes will never identify this user as a transferee.
Even when you can identify that someone has transferred, there is the additional problem of establishing what access the individual previously had and what access is now needed; this is the same problem described earlier for new hires. Some policy-level decisions are also needed on overlapping duties for a user in transition. Is it acceptable in your organization for someone to violate segregation of duties for a period of time while he or she hands over the old position and takes up the new one? If not, how will such transitions be handled?

Terminations—Is That Person Really Gone?
Auditors treat prompt removal of access when a user leaves the company as a critical control. If someone is no longer employed, he or she should no longer have access, period. But accurately terminating a user's access can be daunting if you are unsure when the user left, if it is unclear what access his or her job function carried, or if you lacked a strong transfer process to clean up access over the course of that person's career. Additionally, in some scenarios the person's recorded termination date differs from his or her last day of employment, so the deprovisioning process must be keyed to the day access should actually end rather than to whichever date HR happens to record first. An audit finding in the area of terminations is more serious than a finding in any other area of user management; whereas a small number of exceptions is tolerated in other areas, in terminations it really is not. You therefore have two choices: mount a serious effort to clean up terminations and tighten your processes, or implement additional "mitigating" controls, such as a periodic reconciliation of every enabled account against the HR termination feed.
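The three checks described in the transfer and termination subsections above, written as a single access-reconciliation pass: toxic role combinations (the AP/AR pair and the grant-versus-approve pair named in the text), an HR-department diff for transfers, and leavers or HR-unknown users who still hold enabled access. This is an added example, not code from the original text. The HR feed, the entitlement export, the "erp"/"crm" system names and the role labels are all constructed for illustration; a real review would read these from the HR system and from each application's entitlement export.

```python
"""Access reconciliation for the three IAM control points discussed above.
Added example with constructed data; system names, role labels and record
layouts are assumptions, not taken from any real product or HR system."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    department: str            # HR granularity, e.g. "Accounting" (not AP vs AR)
    status: str                # "active" or "terminated"
    last_day: Optional[date] = None


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str
    enabled: bool = True


# Toxic pairs: two functions one person must never hold at once. The AP/AR pair
# and the grant-vs-approve pair come from the text; the role labels are assumed.
SOD_PAIRS = {
    frozenset({"erp:ap_clerk", "erp:ar_clerk"}),
    frozenset({"erp:access_admin", "erp:access_approver"}),
}


def held_roles(entitlements):
    """Map each user to the set of enabled 'system:role' strings they hold."""
    held = {}
    for e in entitlements:
        if e.enabled:
            held.setdefault(e.user, set()).add(f"{e.system}:{e.role}")
    return held


def sod_conflicts(entitlements):
    """Users holding both halves of a toxic pair -> sorted list of the pairs."""
    out = {}
    for user, roles in held_roles(entitlements).items():
        hits = sorted(tuple(sorted(p)) for p in SOD_PAIRS if p <= roles)
        if hits:
            out[user] = hits
    return out


def hr_transfers(previous, current):
    """Users whose HR department changed between two feed snapshots.
    This is all a department-level diff can see: an AP -> AR move inside
    'Accounting' is invisible here, which is the granularity problem above."""
    before = {r.user: r.department for r in previous}
    return {r.user: (before[r.user], r.department)
            for r in current if r.user in before and before[r.user] != r.department}


def orphaned_access(hr, entitlements, as_of):
    """Enabled entitlements held by leavers (past their last day) or by users
    unknown to HR. Either is a termination finding; keyed on last_day, not on
    whatever termination date HR recorded."""
    by_user = {r.user: r for r in hr}
    findings = []
    for e in entitlements:
        if not e.enabled:
            continue
        rec = by_user.get(e.user)
        if rec is None:
            findings.append((e.user, f"{e.system}:{e.role}", "no HR record"))
        elif rec.status == "terminated" and (rec.last_day is None or rec.last_day < as_of):
            findings.append((e.user, f"{e.system}:{e.role}", f"left {rec.last_day}"))
    return findings


# --- constructed sample data (not from any real system) ----------------------
HR_PREVIOUS = [
    HrRecord("alice", "Accounting", "active"),
    HrRecord("bob", "Accounting", "active"),
    HrRecord("carol", "IT", "active"),
    HrRecord("dave", "Sales", "active"),
]
HR_CURRENT = [
    HrRecord("alice", "Accounting", "active"),           # moved AP -> AR; HR still says "Accounting"
    HrRecord("bob", "Accounting", "terminated", date(2024, 3, 29)),
    HrRecord("carol", "Sales", "active"),                # genuine department change
    # dave has dropped out of the HR feed entirely
]
ENTITLEMENTS = [
    Entitlement("alice", "erp", "ap_clerk"),             # old role never removed
    Entitlement("alice", "erp", "ar_clerk"),             # new role added on transfer
    Entitlement("bob", "erp", "ap_clerk"),               # still enabled after leaving
    Entitlement("carol", "crm", "sales_rep"),
    Entitlement("carol", "erp", "access_admin", enabled=False),
    Entitlement("dave", "crm", "sales_rep"),
]


def run_review(as_of=date(2024, 4, 15)):
    """Run all three checks against the sample data and return the findings."""
    return {
        "sod": sod_conflicts(ENTITLEMENTS),
        "transfers": hr_transfers(HR_PREVIOUS, HR_CURRENT),
        "orphans": orphaned_access(HR_CURRENT, ENTITLEMENTS, as_of),
    }


if __name__ == "__main__":
    for section, result in run_review().items():
        print(section, result)
```

In the sample data, alice's move from AP to AR never shows up in the HR diff (her department is still "Accounting"), but the segregation-of-duties check catches her the moment the new role is granted while the old one is still enabled; that is the practical reason SoD checks have to run on entitlement data rather than on HR transfer events. The orphan check flags bob only once the review date is past his last day, and flags dave because he has no HR record at all, which is the case a termination report keyed solely on "status = terminated" would miss.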
