Access Governance - a step towards better information security
Could your documents have turned up on WikiLeaks? If you do not have complete control over user access rights, the answer is yes. With just 500 users, 100 systems and 100 folders there are potentially a quarter of a million user access rights to keep track of.
- Do you know which of these rights provide access to critical information?
- Do you know who authorized the individual rights?
- Will irrelevant rights be removed when an employee changes responsibilities?
- Will new employees get all relevant rights without undue delay?
Many of the WikiLeaks documents were leaked by a dissatisfied employee who had access to far more highly critical information than his job required. The most frequent source of information security breaches is employees' (perhaps unintentional) misuse of information and rights, not external hackers or phishing. To manage all these rights effectively, it is necessary to move towards role-based access control. The dream is fully automated rights management, but in most companies that is still very far away. Below I describe the most important steps towards fulfilling the dream.
Get in control

To get in control of the current situation, I propose the following steps:
- Document who has which rights.
- Find patterns of rights - some rights may not be related to the individual but to their organizational affiliation, position in the leadership hierarchy, physical location, project-related or otherwise.
- Have line management approve the clustered rights that came out of step 2.
Improvement

When you are in control of the current situation, it is time to improve it. I suggest the following process:
- Find the critical rights from security policies, accounting rules and other sources.
- Describe the rules for provisioning these rights in terms of electronically available information, for example the HR system's record of department, position and location.
- Find grants that violate the rules described.
- Eliminate the violations, either by removing the rights or by amending the rules.
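To show what the "Get in control" steps (document the grants, find patterns, hand the clusters to line management) and the "Improvement" steps (rules keyed on HR data, find and eliminate violations) look like in practice, here is an added example that is not part of the original article. The users, HR attributes, right names such as `erp:post_journal` and the critical-rights list are all constructed sample data; the mining heuristic (attribute a right to the largest HR group whose members all hold it, and treat rights no group explains as individual grants for managers to review) is my own assumption, not a method the article prescribes.

```python
"""Role mining and rule reconciliation over a constructed set of users and grants.

Added example; the data and the mining heuristic are assumptions, not
anything taken from the article or from a real organisation.
"""
from collections import defaultdict

# Constructed HR data: the "electronically available information" that the
# provisioning rules key on (department and physical site).
HR = {
    "alice": {"dept": "finance", "site": "oslo"},
    "bob":   {"dept": "finance", "site": "oslo"},
    "carol": {"dept": "finance", "site": "bergen"},
    "dave":  {"dept": "eng",     "site": "oslo"},
    "erin":  {"dept": "eng",     "site": "bergen"},
}

# Constructed grants, i.e. the outcome of "document who has which rights".
# erin holds a finance right while working in eng; dave holds a one-off admin right.
GRANTS = {
    "alice": {"vpn", "printer:oslo",   "erp:post_journal", "fileshare:finance"},
    "bob":   {"vpn", "printer:oslo",   "erp:post_journal", "fileshare:finance"},
    "carol": {"vpn", "printer:bergen", "erp:post_journal", "fileshare:finance"},
    "dave":  {"vpn", "printer:oslo",   "git:push", "db:admin"},
    "erin":  {"vpn", "printer:bergen", "git:push", "erp:post_journal"},
}


def groups_from_hr(hr):
    """Map every (attribute, value) pair, plus a catch-all ('all', '*'), to its members."""
    groups = defaultdict(set)
    for user, attrs in hr.items():
        groups[("all", "*")].add(user)
        for attr, value in attrs.items():
            groups[(attr, value)].add(user)
    return groups


def mine_roles(hr, grants):
    """Find rights that follow an HR attribute (step 2 of "Get in control").

    Heuristic (assumed): a right is attributed to the largest HR group whose
    members all hold it. Returns (rules, unexplained): rules maps
    (attr, value) -> rights, and unexplained maps right -> holders for rights
    that no group accounts for, which line management must approve one by one.
    """
    holders = defaultdict(set)
    for user, rights in grants.items():
        for right in rights:
            holders[right].add(user)
    groups = groups_from_hr(hr)
    rules, unexplained = defaultdict(set), {}
    for right, who in holders.items():
        candidates = [g for g, members in groups.items() if members <= who]
        if not candidates:
            unexplained[right] = who
            continue
        best = max(candidates, key=lambda g: (len(groups[g]), g))
        rules[best].add(right)
    return dict(rules), unexplained


def expected_rights(rules, attrs):
    """Rights a user should hold under the rules, given their HR attributes."""
    wanted = set(rules.get(("all", "*"), set()))
    for attr, value in attrs.items():
        wanted |= rules.get((attr, value), set())
    return wanted


def find_violations(rules, hr, grants, critical=frozenset()):
    """Compare actual grants with the rules (step 3 of "Improvement").

    Returns {user: {"excess": held but not implied by any rule,
                    "critical_excess": the subset of excess on the critical list,
                    "missing": implied by the rules but not held}}.
    Only users with at least one discrepancy appear in the report.
    """
    report = {}
    for user, attrs in hr.items():
        wanted = expected_rights(rules, attrs)
        actual = grants.get(user, set())
        excess, missing = actual - wanted, wanted - actual
        if excess or missing:
            report[user] = {"excess": excess,
                            "critical_excess": excess & set(critical),
                            "missing": missing}
    return report


if __name__ == "__main__":
    rules, unexplained = mine_roles(HR, GRANTS)
    print("mined rules:", rules)
    print("rights for individual approval:", unexplained)
    # Constructed later snapshot: frank joined finance but has only been given VPN.
    hr_later = dict(HR, frank={"dept": "finance", "site": "oslo"})
    grants_later = dict(GRANTS, frank={"vpn"})
    critical = {"erp:post_journal", "db:admin"}   # constructed policy list
    for user, v in sorted(find_violations(rules, hr_later, grants_later, critical).items()):
        print(user, v)
```

Run on the sample data, mining attributes `vpn` to everyone, the printers to the site, `erp:post_journal` and `fileshare:finance` to the finance department and `git:push` to engineering, and leaves `db:admin` for manual approval. Reconciliation then flags erin's finance right and dave's admin right as excess (both on the critical list), and lists the three rights frank is still missing, which is the "new employee without undue delay" question from the introduction turned into a report. In a real deployment the HR and grant dictionaries would be replaced by exports from the HR system and from each target system's access lists; the rule and reporting logic stays the same.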