Monday, 28 October 2013

Access Management Process Reviews

It seems that only when the topic of audit comes up do we think about how we review the overall Access Management process. While it is likely that we regularly review access to systems (quarterly and so on), should we not also be thinking in terms of the access lifecycle? In other words, do we really review the way that access is managed, rather than just who currently has it?

To take this back a step, IT organizations in the simplest terms manage the way access is granted to key systems through three activities:

  • Onboarding – a person is starting a new position / role and access is granted, either via a manual process or automated with tools, and may be verified against a “source of truth” authority, either a team (HR) or an application
  • Changes / Modifications – a person is changing position / role and will require either manual intervention through various managers or, again, automation through a toolset
  • Offboarding – a person is leaving a position / role in one way or another and the termination process drives the removal of access, either manually or through tools

For the most part, validating onboarding and offboarding (joiners and leavers) may be the simplest to define: “Gillian is unable to do her work as access has not been granted” (onboard); “Desmond has quit, remove access” (offboard).

It is the “Changes / Modifications” component (movers) that may need to be tightened up from a process perspective. Managing users and roles across the enterprise, especially a large and diverse one, can be quite complex when there is no underpinning process to govern it.

For example, let’s suppose we have an employee who works in Business Unit “A” and is moving to work in Business Unit “B”.

Questions you should be asking already:
  • When people change roles, does your Access Management process discontinue all access from role A and then grant access to role B in a seamless way?
  • How is access to roles validated? The dreaded “just mirror John Smith” can create major access issues, because whatever John has accumulated over the years is copied along with the role.
  • Could lingering access from Business Unit A follow this person to the new role?

You really need to ask yourself whether your overall Access Management process itself is checked on a regular time frame (quarterly, annually), not just the access it produces.
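To make the mover questions above concrete, here is a small reconciliation check. It is an added example, not code from the original post, and the role catalogue, user name and entitlement strings in it are constructed sample data. It assumes the organization keeps a role-to-entitlement mapping as its source of truth; given that, it separates what a mover is still carrying from role A, what came from neither role (the “mirror John Smith” case), and what the new role requires but was never provisioned.

```python
"""Role-change (mover) reconciliation check.

Added example, not code from the original post. Given a role catalogue
(role -> entitlements) and a user's current entitlements after a move from
Business Unit A to Business Unit B, it separates:
  - lingering:    access that came with the old role and is not part of the new one
  - unexplained:  access that belongs to neither role (e.g. copied from a
                  "just mirror John Smith" request, or granted ad hoc)
  - missing:      new-role access that was never provisioned
  - retained:     access common to both roles (correctly kept, not a finding)
All role names and entitlement strings below are constructed sample data.
"""

from typing import Dict, Iterable, List, Set

# Constructed role catalogue (assumed source of truth for role -> entitlements).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "BU-A/AccountsPayable": {"erp:ap_clerk", "share:finance-a", "vpn:standard"},
    "BU-B/Procurement": {"erp:buyer", "share:procurement-b", "vpn:standard"},
    "BU-B/ProcurementManager": {
        "erp:buyer", "erp:approve_po", "share:procurement-b", "vpn:standard",
    },
}


def review_mover(old_role: str, new_role: str, current_access: Iterable[str],
                 roles: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> Dict[str, Set[str]]:
    """Classify a mover's current entitlements against their old and new roles."""
    old, new = roles[old_role], roles[new_role]
    current = set(current_access)
    return {
        # Granted by the old role and not needed by the new one: should have been removed.
        "lingering": current & (old - new),
        # In neither role: typically copied from another user or granted outside the process.
        "unexplained": current - old - new,
        # Required by the new role but never provisioned: the "Gillian cannot work" case.
        "missing": new - current,
        # Shared by both roles (e.g. VPN): kept on purpose, so not a finding.
        "retained": current & old & new,
    }


def mirror_excess(template_access: Iterable[str], new_role: str,
                  roles: Dict[str, Set[str]] = ROLE_ENTITLEMENTS) -> Set[str]:
    """What a 'just mirror this person' request would grant beyond the new role."""
    return set(template_access) - roles[new_role]


def findings(user: str, old_role: str, new_role: str,
             current_access: Iterable[str]) -> List[str]:
    """Render the review as one line per finding; an empty list means the move is clean."""
    result = review_mover(old_role, new_role, current_access)
    lines: List[str] = []
    for kind in ("lingering", "unexplained", "missing"):
        for entitlement in sorted(result[kind]):
            lines.append(f"{user}: {kind} {entitlement}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the mover kept share:finance-a from BU-A, picked up
    # erp:approve_po by mirroring a manager, and never received share:procurement-b.
    sample = ["erp:buyer", "vpn:standard", "share:finance-a", "erp:approve_po"]
    for line in findings("mover01", "BU-A/AccountsPayable", "BU-B/Procurement", sample):
        print(line)
    print("mirroring a manager would add:",
          sorted(mirror_excess(ROLE_ENTITLEMENTS["BU-B/ProcurementManager"],
                               "BU-B/Procurement")))
```

The useful design point is that the check is driven by the role definitions, not by another user’s account: the same function that flags lingering BU-A access also exposes what a “mirror John Smith” request would hand over beyond the role, which is the question the process should be answering before the access is granted rather than at the next audit.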

Automation
I can already hear some people saying, “we have an automated tool that handles all of this.” Just because it is automated does not mean it is working or still valid: the tool only does what its rules say, and the rules drift as roles, systems and business units change. The process governing how the tool works should be validated just like the manual situation above.

This process impacts a wide variety of stakeholders, not just the service desk and the users. Any improvements to the process should be reviewed with them as well. It might include:
  • Human Resources
  • Audit and Compliance
  • Business Owners
  • Application Owners
  • and Risk Management to name a few

Remember, finding gaps in the process and mitigating risk shouldn’t be something that happens only as a result of an issue. Regular process checkpoints should allow you and your organization to act on these gaps proactively, before they become problematic.

Feel free to connect with me on Twitter @ryanrogilvie and/or on LinkedIn