Manual Access Re-certification to Avoid Risk of Data Breach

Some of the major data breaches have been carried out by internal users; two examples are Sports Direct in 2017 and Sage in 2016. Research by Intel Security estimated that around 43% of data breaches are caused by internal users, which makes insiders a significant data-security risk. As a direct consequence, the access that employees have to information assets within an organization is a major security control. The biggest challenge in managing access risk is setting the correct access levels for employees in different functions and roles: overly restrictive access policies impair the efficiency of business operations, while overly open access controls substantially raise the risk of a data breach caused by employees, whether intentionally or unintentionally.
 
One of the most important activities for ensuring that access controls are adequately scrutinized is periodic access review. This ensures that employees' access to data assets is authorized and kept at the minimum level required for them to perform their jobs effectively and efficiently. The following section presents a high-level workflow for performing access recertification. A point that must not be overlooked is that access should reflect the organization's hierarchy. Even if an organization does not yet have fully mature role-based access controls, any review of access controls has to use the organization tree to recertify access. In most cases, the organization tree can be obtained from the HR department.

Access recertification of Applications/Databases

  • Collate the list of users with access
  • Identify generic accounts
  • Identify leavers and movers among the named accounts based on the HR extract
  • Identify account owners based on one or more of the following:
    1. Owner of the application supported by the account
    2. Supervisor of the account holder
    Account ownership has to be established for both generic and named accounts
  • Get all accounts attested/reviewed
  • Perform a detailed access review of the accounts that are attested. The review must ensure that:
    1. Accounts have the minimum level of privilege required to support the activity(ies) performed by the account
    2. Any permissions identified as additional to what is required to perform the expected activity(ies) are revoked
  • Create a request for de-provisioning of accounts which are:
    1. Leavers
    2. Movers
    3. Dormant beyond the agreed access policy of the organization
    4. Found not required for supporting the business
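The workflow above, as an added example that is not part of the original article: a small Python script that joins a constructed application account export with a constructed HR extract, flags generic, leaver, mover and dormant accounts, assigns each account an owner for attestation, and produces the de-provisioning request list. The application owner, the 90-day dormancy threshold and the "department mismatch means mover" rule are assumptions for the example.

```python
from datetime import date

# Constructed sample data (not from the article). In practice the account list
# comes from the application/database and the HR extract from the HR department.
APP_OWNER = "app.owner@example.com"   # assumed owner of the reviewed application
DORMANCY_DAYS = 90                    # assumed organisational access policy
TODAY = date(2024, 6, 1)              # fixed review date so the example is deterministic

ACCOUNTS = [
    {"account": "alice", "last_login": date(2024, 5, 20), "dept": "Finance"},
    {"account": "bob", "last_login": date(2024, 1, 3), "dept": "Finance"},
    {"account": "carol", "last_login": date(2024, 5, 30), "dept": "Sales"},
    {"account": "svc_batch", "last_login": date(2024, 5, 31), "dept": None},
]
HR = {  # account -> status / department / supervisor from the HR extract
    "alice": {"status": "active", "dept": "Finance", "supervisor": "fin.manager"},
    "bob": {"status": "leaver", "dept": "Finance", "supervisor": "fin.manager"},
    "carol": {"status": "active", "dept": "Marketing", "supervisor": "mkt.manager"},
}

def classify(acct, hr, today=TODAY, dormancy_days=DORMANCY_DAYS):
    """Return (owner, findings) for one account, following the workflow steps."""
    findings = []
    person = hr.get(acct["account"])
    if person is None:
        # No HR record: treat as a generic account owned by the application owner
        findings.append("generic")
        owner = APP_OWNER
    else:
        owner = person["supervisor"]          # named account: supervisor attests
        if person["status"] == "leaver":
            findings.append("leaver")
        elif person["dept"] != acct["dept"]:
            findings.append("mover")          # assumed rule: HR dept differs from app dept
    if (today - acct["last_login"]).days > dormancy_days:
        findings.append("dormant")
    return owner, findings

def build_worklist(accounts=ACCOUNTS, hr=HR):
    """Map every account to its attesting owner and list accounts to de-provision.
    'Found not required for the business' can only come from the owner's review,
    so it is not automated here."""
    attest, deprovision = {}, []
    for acct in accounts:
        owner, findings = classify(acct, hr)
        attest[acct["account"]] = owner
        if any(f in ("leaver", "mover", "dormant") for f in findings):
            deprovision.append((acct["account"], findings))
    return attest, deprovision
```

Generic accounts are not de-provisioned automatically; they are routed to the application owner for attestation and a least-privilege review.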