This week’s control is on access control. Jose Costa (CISO at Tugboat Logic) and Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic) explain why access control is important and how you can implement it for your audits.
While granting access can seem harmless enough at first, know that it can “trickle down” to other roles. For example, your security officer can grant full access to your head of marketing to access a tool. The head of marketing assumes that any one of their marketers can also have access. Without understanding what full access entails, the entire marketing team suddenly has full access and can potentially access data or tools they never should have been able to, merely because no access plan or documentation existed.
Coming up with a plan in advance and approving access with internal teams before it is granted will help you manage who has which types of access, grant and revoke access during onboarding and offboarding, and ensure that client access is documented and kept up to date.
The first step is to establish who has ownership of the control. Make sure that whoever is granting access understands, in advance, what that access entails. Giving sweeping access to a program or software might seem like a fantastic idea in terms of making your life easier in the short term, but that software has personal information stored in it that people in your org shouldn’t have access to. As an organization grows and involves more employees, clients, and vendors, the process becomes more complicated. So, remember this key practice: You need to grant approval before you grant access. It's so important that it bears repeating: You need to grant approval before you grant access.
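Here is an added illustration of that practice as a small access registry (example code written for this post, not a Tugboat Logic tool): every grant must be backed by an approval from the documented owner, a grantee cannot pass access on, and offboarding revokes everything. Names such as `security-officer`, `head-of-marketing` and `marketing-tool` are constructed for the scenario from the marketing example above.

```python
from dataclasses import dataclass, field

@dataclass
class AccessRegistry:
    """Hypothetical registry: access is granted only against an owner-approved request."""
    owners: dict                                  # resource -> owner who may approve/grant
    approvals: set = field(default_factory=set)   # (user, resource, level) approved so far
    grants: dict = field(default_factory=dict)    # user -> {resource: level}
    log: list = field(default_factory=list)       # audit trail an auditor can review

    def approve(self, approver, user, resource, level):
        # Only the documented owner of the resource may approve access to it.
        if self.owners.get(resource) != approver:
            self.log.append(("denied-approval", approver, user, resource, level))
            return False
        self.approvals.add((user, resource, level))
        self.log.append(("approved", approver, user, resource, level))
        return True

    def grant(self, granter, user, resource, level):
        # Approval must exist before access is granted, and the granter must be
        # the owner: a grantee cannot hand access on, which stops the trickle-down.
        if self.owners.get(resource) != granter or (user, resource, level) not in self.approvals:
            self.log.append(("denied-grant", granter, user, resource, level))
            return False
        self.grants.setdefault(user, {})[resource] = level
        self.log.append(("granted", granter, user, resource, level))
        return True

    def revoke_all(self, user):
        # Offboarding: remove every grant the user holds and record each removal.
        removed = self.grants.pop(user, {})
        for resource, level in removed.items():
            self.log.append(("revoked", user, resource, level))
        return sorted(removed)

    def has_access(self, user, resource, level):
        return self.grants.get(user, {}).get(resource) == level

def trickle_down_scenario():
    # Constructed scenario: the security officer owns the marketing tool and
    # approves full access for the head of marketing, then grants it.
    reg = AccessRegistry(owners={"marketing-tool": "security-officer"})
    reg.approve("security-officer", "head-of-marketing", "marketing-tool", "full")
    reg.grant("security-officer", "head-of-marketing", "marketing-tool", "full")
    # The head of marketing tries to extend full access to a marketer: refused,
    # because they are not the owner and no approval exists for that user.
    passed_on = reg.grant("head-of-marketing", "marketer-1", "marketing-tool", "full")
    return reg, passed_on
```

The denied attempt lands in `log`, which is the evidence an auditor would ask for when checking that approvals precede grants.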
A two-way system will help reduce mistakes and halt that trickle-down effect. This system can involve simple documentation and policies:
And, consider every type of access: