Access Governance - a step towards better information security

Could your documents have turned up on WikiLeaks? If you do not have complete control over user access rights, the answer is YES.

With just 500 users, 100 systems and 100 folders there are potentially a quarter of a million user access rights to keep track of.
  • Do you know which of these rights provide access to critical information?
  • Do you know who authorized the individual rights?
  • Will irrelevant rights be removed when an employee changes responsibilities?
  • Will new employees get all relevant rights without undue delay?

Many of the WikiLeaks documents were published by a dissatisfied employee with access to an unnecessary amount of very critical information.

The most frequent source of information security breaches is employees' (perhaps unintentional) misuse of information and rights, not external hackers or phishing.

To effectively manage all these rights, it is necessary to move towards role-based access control.

The dream is fully automated rights management, but that is very far away in most companies.

I will describe the most important steps towards fulfilling the dream.

Get in control

To get in control of the current situation, I propose the following steps:
  1. Document who has which rights.
  2. Find patterns of rights - some rights may not be related to the individual but to their organizational affiliation, position in the leadership hierarchy, physical location, project-related or otherwise.
  3. Have line management approve the clustered rights that came out of step 2.

If you turn steps 1-3 into a standard procedure, you have Access Control.

Improvement

When you are in control of the current situation, it is time to improve the situation.
I suggest the following process:
  1. Find the critical rights from security policies, accounting rules and other sources.
  2. Describe the rules for provisioning these rights based on electronically available information, for example the HR system.
  3. Find violations of the rules described.
  4. Eliminate violations by removing the rights or modifying the rules.
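The following Python is an added illustration of the "Get in control" steps 1-2 and the "Improvement" steps 1-3 above; it is not code from the original post. It mines candidate role clusters from a constructed rights inventory and HR extract, then lists every holder of a critical right whose department the provisioning rule does not permit, including accounts with no HR record (orphaned accounts). All user names, rights and departments are constructed.

```python
"""Added example: role mining and rule-based violation detection (data constructed)."""
from collections import defaultdict

# Constructed HR extract: user -> department. Accounts missing here have no
# HR record, i.e. nobody in the organization currently owns them.
HR = {"alice": "Finance", "bob": "Finance", "carol": "Finance",
      "dave": "Sales", "erin": "Sales"}

# Step 1 ("Get in control"): document who has which rights.
RIGHTS = {
    "alice": {"email", "intranet", "ledger_rw", "payroll_ro"},
    "bob": {"email", "intranet", "ledger_rw"},
    "carol": {"email", "intranet", "ledger_rw"},
    "dave": {"email", "intranet", "crm_rw", "ledger_rw"},
    "erin": {"email", "intranet", "crm_rw"},
    "svc_old": {"ledger_rw"},  # constructed account with no HR record
}

# Improvement steps 1-2: critical rights and the rule for holding them,
# expressed against HR data (department), not against individuals.
CRITICAL_RULES = {"ledger_rw": {"Finance"}, "payroll_ro": {"Finance"}}


def mine_roles(hr, rights):
    """Step 2: rights held by every member of a department form its candidate
    role; rights held by everyone are the baseline every employee gets."""
    members = defaultdict(list)
    for user, dept in hr.items():
        members[dept].append(user)
    roles = {dept: set.intersection(*(rights.get(u, set()) for u in users))
             for dept, users in members.items()}
    baseline = set.intersection(*roles.values()) if roles else set()
    return {dept: role - baseline for dept, role in roles.items()}, baseline


def find_violations(hr, rights, rules):
    """Improvement step 3: holders of a critical right whose department the
    rule does not permit, plus holders with no HR record at all."""
    violations = []
    for user, held in rights.items():
        dept = hr.get(user)
        for right in sorted(held):
            if right not in rules:
                continue
            if dept is None:
                violations.append((user, right, "no HR record (orphaned account)"))
            elif dept not in rules[right]:
                violations.append((user, right, f"department {dept} not permitted"))
    return sorted(violations)
```

Step 4 is then a decision per reported line: revoke the right, or amend the rule when the holder legitimately needs it.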

Next steps

The main task is to get steps 3-4 above in place as a standard procedure to stay in control of access rights. With this procedure in place you have Access Governance.

The foundation is now in place to consider automatic provisioning of critical rights. It should also be considered to automate the general access rights that every employee needs to have, e.g. based on organizational affiliation. While all the above should be implemented under all circumstances, automation using an Identity Management System or Access Governance System requires a positive business case.

Erik Haahr founded ErikHaahr Consult to help companies get Better IT at a lower cost.

Erik Haahr

Thanks for your comment, Eric. It can be hard to get management approval for the budget, but the process itself should be very much in line with management wishes. The trick is to start by demonstrating all the "errors", e.g. orphaned user accounts. Secondly, the first three steps ("Get in control") can be performed without investment in fancy tools, i.e. cheap... After this it could be possible to produce a business case for going further. And if not, then don't.


Eric Sutherland


Hi Erik, I agree with your process steps and can see the logic in them. The hard part would be getting management approval. Regards, Eric Sutherland, T/A Trog Associates Ltd
