Establishing Robust Access Controls is a Team Effort
System access controls are one of the fundamental IT controls for ensuring system security and data integrity. There are many facets to consider when implementing effective system access controls:
- Ensure that there is support from senior management and the board, and that there is a top-down drive to establish and communicate policies on IT security and access management. The top-down drive sets the direction, goals, and tone of the IT security and access policies and holds users accountable for any action on any of the systems and/or applications involved. Some policy areas to consider are unique identification, need-to-know as the basis for access, authentication and authorization mechanisms, approval authority, data protection and dissemination, and accountability.
- Ensure that roles and access authorization criteria for assigning user rights are taken into account. Data should be classified (for example, public data, internal data, and restricted data) and data owners assigned. Job roles and responsibilities should be very clearly defined, and ideally the system security roles are designed around those job roles and responsibilities, with segregation of duties taken into consideration. When granting system access, the permission rights are tied to the job function, and the required approvals are obtained.
- Ensure that there are defined processes for identifying new users and for recording, approving and maintaining access rights. The processes need to ensure that:
a) the user access rights are in line with business needs,
b) access rights are requested by the user's management,
c) the access rights are approved by system/data owners (in many cases, the user's manager and the data owner are not the same person),
d) the user access rights are implemented by the security administrators.
- Establish a method for authenticating and authorizing users that establishes accountability and enforces access rights in line with the sensitivity of the information, the functional requirements of applications and infrastructure components, and applicable laws, regulations, internal policies and contractual agreements.
It is easy to confuse authentication with authorization. While authentication verifies the user’s identity, authorization verifies that the user in question has the correct permissions and rights to access the requested resource. Authentication occurs first, then authorization.
- Ensure that users and their activities on the systems are uniquely identifiable. Best practice calls for disabling certain default system accounts such as administrator and guest. Make sure that shared user accounts are not used. Shared accounts most often appear as vendor access, temporary accounts, and administrator accounts (extremely high risk). Service accounts are another form of shared account. Make sure that service accounts cannot log on to systems interactively. If a technical constraint requires a service account to log on interactively, the account's creation request and its approval must be documented.
- Ensure that there is a process in place to report changes in job roles in a timely manner. The purpose of the process is to ensure timely granting and removal of system access and therefore prevent access permission creep.
- Ensure that there is a process in place to grant, revoke and adapt user access rights in coordination with Human Resources and user departments for new hires and terminations.
- Ensure that there is a process in place for user management and system/data owners to periodically review user access. The review includes internal network accounts, external (3rd party) accounts, application accounts, and elevated access accounts (administrator and DBA). Changes to user access resulting from the review need to be documented and implemented in a timely manner.
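As an added example (not part of the original article), the script below shows the mechanical part of such a periodic review: it reconciles an account inventory against an HR roster and flags the conditions the list above calls out, namely enabled default accounts, shared accounts, service accounts allowed to log on interactively without a documented approval, terminated employees whose accounts are still enabled, and privileged accounts that need owner attestation. The account and roster record shapes and all sample values are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    name: str
    kind: str                  # "user", "service", "shared" or "default"
    enabled: bool
    interactive_logon: bool    # account is permitted to log on interactively
    privileged: bool           # administrator / DBA level rights
    owner: str | None = None   # HR user_id for personal accounts
    approval_ref: str | None = None  # documented approval for a logon exception

def review_accounts(accounts: list[Account], roster: dict[str, tuple[str, date | None]], today: date) -> dict[str, list[str]]:
    # Returns findings keyed by account name; accounts with no issues are omitted.
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        if acct.kind == "default" and acct.enabled:
            issues.append("default account enabled")
        if acct.kind == "shared" and acct.enabled:
            issues.append("shared account in use")
        if acct.kind == "service" and acct.interactive_logon and not acct.approval_ref:
            issues.append("service account allows interactive logon without documented approval")
        if acct.kind == "user":
            record = roster.get(acct.owner or "")
            if record is None:
                issues.append("no matching HR record")
            elif record[0] == "terminated" and acct.enabled and record[1]:
                issues.append(f"terminated {(today - record[1]).days} days ago, still enabled")
        if acct.privileged and acct.enabled:
            issues.append("privileged: requires owner attestation")
        if issues:
            findings[acct.name] = issues
    return findings

def run_sample() -> dict[str, list[str]]:
    # Constructed sample data (not from a real system); roster maps user_id -> (status, termination date).
    roster = {"alice": ("active", None), "bob": ("terminated", date(2024, 1, 10))}
    accounts = [
        Account("alice", "user", True, True, False, owner="alice"),
        Account("bob", "user", True, True, True, owner="bob"),
        Account("guest", "default", True, True, False),
        Account("svc_backup", "service", True, True, False),
        Account("svc_etl", "service", True, True, False, approval_ref="CHG-0042"),
        Account("vendor_shared", "shared", True, True, False),
    ]
    return review_accounts(accounts, roster, date(2024, 1, 30))
```

Each finding is something the user manager or data owner must either approve (with a documented reference, as svc_etl shows) or have the security administrator remediate.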
Access control is an important aspect of IT security. It is also important to remember that security relies not only on technology but also on human behavior. Policies, education, and communication are imperative, and strong management support is needed to successfully implement effective access controls. We have developed a comprehensive checklist you can use to evaluate the effectiveness of your own access controls and procedures.
Carrtegra is a Houston, Texas-based management consulting firm whose mission is to provide value. Our firm delivers customized business solutions resulting in a high return on your consulting investment. We provide Big 4 expertise, industry experience, and hard work to meet clients' needs.
We listen to our clients and accept work we know we can do well.
Our team of professionals offers leadership and management skills. Members of our team have held roles as Chief Financial Officers, Controllers, Internal Controls Review Directors and Operational VP’s in both public and private companies. We work with your management team and auditors, external or internal, to provide collaborative solutions that work for everyone.