Ok, so I’m terrible at sports analogies. Forgive me. But with the ever-increasing business risks that come with plugging a computer into a network it often feels as though you’re leading your organization down the gauntlet. I picture American Gladiators circa 1990 with Nitro shooting a tennis ball cannon at us while we try to hit a target from 75 feet away using a random collection of foam assault weapons. No small task. (Again, weak on the sports analogies).
One area that should be closely controlled management of user accounts. Many organizations have a defined process for adding users to the network (through Active Directory), and key financial and HR applications. If a new employee arrives to work on day 1 and can’t access the network, someone hears about it.
However, proper user management becomes increasingly challenging because so many applications are moving into web-based delivery models which do not always provide strong central management of users. To that end, as your company evaluates new applications or considers moving existing applications to the cloud, user management should be of top concern when evaluating the move. The ability to have visualization into the users accessing your data in a cloud based or hosted environment is one of the most basic, yet valuable, controls around user management.
It is also good practice to consolidate the user management process into a workflow which captures and keeps record of all systems a user accesses. Consider the number of applications used in your production environment. Can you even name all the applications used in your production environment- both internal and web based? For example: an employee is corresponding with a business partner who leverages a secure email solution to send and receive documents for an ongoing project. Your employee establishes a user account on the business partner’s secure mail system. They can enroll with any email address, even a personal one. So your employee is now transacting company business through a portal that you don’t control and that you do not have the capability or authority to disable. Eek.
The process of adding and removing user accounts is critical to ensuring good cybersecurity hygiene, but it’s also important to have a controlled way to change a user’s access levels. When an employee shifts job functions, their user access shifts as well. Changing roles is the primary cause of creeping access levels that could result in separation of duties conflicts. Access approvers should most definitely be willing to push back on a user change request to ask, “why do you need that access?” or “does the new access present any potential separation of duties conflicts?”.
When actually defining and assigning access, (I hope that, especially for our IT audit clients, this is second nature) you should only be assigning access that is required for a user’s job function. We call that the ‘theory of least privilege access’ and it says that a person (or, frankly any account that is set up) is only given access to the data and resources they need for their job function. Although we’re talking about system access, this idea is much older. It’s basically the same as requiring two signatures on a check or sending bank statements to someone who cannot write checks. Least privilege access is the systematic implementation of separation of duties.
Much more can be said of user management. It’s a sticky subject with few good answers, but protecting your customers, employees, and organization from the bad guys begins with a solid process for provisioning, amending, and decommissioning user accounts. As management, give yourself the ability to see what users can access. Exercise that ability through an annual review of access levels for all employees. Finally, confirm the processes to know to that if an employee leaves, all of their access can be revoked or reassigned.
LEARN MORE ABOUT OUR RISK ADVISORY SERVICES
Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.
