For any organization, maintaining strict information security is an essential part of cybersecurity – following best practices for user access reviews are a big part of this process.
For employees to complete their duties, access to sensitive information is often required. However, this necessary ability to access secure information can create vulnerabilities that can be used by hackers and cybercriminals, which makes access reviews a critical line of defense in cybersecurity.
Organizations face an array of threats that can be mitigated by access reviews, such as privilege creep, excess privileges, insider threats, access misuse, and employee mistakes. By following best practices for conducting access review, organizations can reduce the potential of these threats and strengthen their security posture.
First, organizations can begin by creating and updating an access management policy. This policy should be comprehensive, including a list of resources that need to be protected, a list of all users and their access types, procedures for granting and revoking access, and controls necessary to prevent cybersecurity threats. While this only needs to be done once, the policy should get updated as changes within the organization occur.
Once an access management policy is in place, organizations should create a separate access review policy to ensure that access reviews are both scheduled and conducted on a regular basis. The NIST recommends that access reviews get completed at least semiannually, during which inappropriate access privileges should be revoked or changed.
Ekran System recommends that organizations should implement role-based access control (RBAC). With RBAC, user privileges are granted corresponding to roles rather than each individual account. Roles are assigned a set of privileges that can be reviewed more efficiently than reviewing each account’s access permissions. YouAttest has RBAC as part of YouAttest 2.0.
In another recommendation from the NIST, they suggest that organizations should implement the principle of least privilege (NIST PR.AC-6). Least privilege means that when it comes to access permissions, accounts are granted the minimum access required for that employee to carry out their duties. This reduces the potential that hackers gain access to sensitive information through these accounts. YouAttest delivers on the Principle of Least Privilege by enabling key personnel to be alerted to changes in key roles/permissions and to enforce an auto-attestation of the IAM event.
For effective access reviews, ISACA recommends that access reviews occur when a new user joins the team, when a current user changes roles, when a current user leaves the team, and when any changes to the application business owner are made. ISACA always recommends that the reviewer identify the (2) types of users: Business Users and System/IT users. Business users are the actual consumer of the application, System Users are the users/accounts that perform maintenance and service to the application. Both of these users must be reviewed for proper permissions.
User Changes and Best Practices for User Access Reviews
ISACA also recommends that the following types of user changes are recognized and quantified in your review as roles that should be diminished:
- User leave a team, but still retain legacy permissions
- User change roles, but still retail legacy role privilges
- User leave the enterprise, but still retain a valid identity and/or access to resources
- User’s approving manager migrates to another team but still has validation/approval powers over legacy users
When implementing an access review policy, it should incorporate the recommendations discussed above to ensure that it effectively protects sensitive information from unauthorized access. Data breaches can have a damaging effect on an organization’s reputation or finances, which makes preventing them a critical concern.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. Register for the December 9th YouAttest webinar on SOX 404B mandates for User Access Reviews.