This week’s control is administrative access. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why controlling administrative access is important and how to do it in five steps.
To keep up with previous analogies, this control deals with the people who hold the master keys to your organization’s data, systems, and other assets. Auditors pay particular attention to administrator accounts and will question whether each one is appropriate.
Admin accounts can do the most damage if they end up in the hands of people who shouldn't have access or aren't qualified to use them. Admins also typically have the power to grant access to others, so the risk to your data rises sharply if these accounts aren't carefully monitored.
At the risk of stating the obvious, admin access should be granted based on a user's position in the organization: only roles that genuinely require it (typically IT teams and specific administrators) should get it. Make sure monitoring is in place that records who is allowed to access the data, who used the accounts, and who logged in, and confirm that each authorized user has a unique account (shared accounts open up additional risk faster than a can of Goya beans!). In short, these accounts should be monitored periodically to verify:
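The periodic check described above, turned into a script, as an added example that is not part of the original post or of Tugboat Logic's tooling. It reconciles the accounts that actually sit in a privileged group against an approval roster (account to justifying role), checks that each justifying role is one that may hold admin rights, looks at who actually logged in during the review window, and flags an account used from several distinct sources as a possible shared credential. The roster, group export, role list and sshd-style log lines are all constructed for the example, and their formats are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed approval roster: account -> business role that justifies admin
# access. The shape of this roster is an assumption, not from the post.
APPROVED_ADMINS = {
    "alice.it": "IT Operations",
    "bob.sec": "Security Engineering",
    "svc-backup": "Backup service account",
    "dave.fin": "Finance",  # approved in error: Finance is not an admin role
}

# Roles that may legitimately hold admin rights (assumed for the example).
ADMIN_ELIGIBLE_ROLES = {"IT Operations", "Security Engineering", "Backup service account"}

# Constructed export of who is actually in the privileged group today.
CURRENT_ADMIN_GROUP = ["alice.it", "bob.sec", "svc-backup", "dave.fin", "carol.sales", "admin"]

# Constructed sshd-style auth log (simplified, assumed format).
AUTH_LOG = """\
2024-05-01T08:02:11Z host1 sshd: Accepted publickey for alice.it from 10.0.1.15
2024-05-01T09:15:43Z host1 sshd: Accepted password for admin from 10.0.1.40
2024-05-01T09:17:02Z host2 sshd: Accepted password for admin from 10.0.2.77
2024-05-01T11:30:00Z host3 sshd: Accepted password for admin from 10.0.3.9
2024-05-02T14:05:19Z host1 sshd: Accepted publickey for carol.sales from 10.0.1.60
2024-05-02T16:40:08Z host3 sshd: Accepted publickey for dave.fin from 10.0.3.21
2024-05-03T10:12:00Z host2 sshd: Failed password for bob.sec from 10.0.2.5
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_logins(log_text):
    """Return (timestamp, user, source) for each successful login; failures are skipped."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            logins.append((ts, m["user"], m["src"]))
    return logins


def review_admin_access(approved, eligible_roles, group_members, log_text,
                        review_end, window_days=90, shared_src_threshold=3):
    """Reconcile granted admin rights against approvals and actual use.

    Returns a dict of findings, each a sorted list of account names:
      unapproved      - in the admin group but never approved
      ineligible_role - approved, but the justifying role is not admin-eligible
      dormant         - approved, but no successful login in the review window
      possibly_shared - logged in from >= shared_src_threshold distinct sources
                        (a heuristic signal of a shared credential)
    """
    window_start = review_end - timedelta(days=window_days)
    logins = [l for l in parse_logins(log_text) if window_start <= l[0] <= review_end]

    sources_by_user = defaultdict(set)
    for _, user, src in logins:
        sources_by_user[user].add(src)

    return {
        "unapproved": sorted(set(group_members) - set(approved)),
        "ineligible_role": sorted(a for a, role in approved.items() if role not in eligible_roles),
        "dormant": sorted(a for a in approved if a not in sources_by_user),
        "possibly_shared": sorted(u for u, srcs in sources_by_user.items()
                                  if len(srcs) >= shared_src_threshold),
    }


if __name__ == "__main__":
    findings = review_admin_access(
        APPROVED_ADMINS, ADMIN_ELIGIBLE_ROLES, CURRENT_ADMIN_GROUP, AUTH_LOG,
        review_end=datetime(2024, 5, 31),
    )
    for kind, accounts in findings.items():
        print(f"{kind}: {', '.join(accounts) or '-'}")
```

On the constructed data the review flags `admin` and `carol.sales` as holding admin rights without approval, `dave.fin` as approved under a role that should never qualify, `bob.sec` and `svc-backup` as approved but unused in the window (candidates for removal), and `admin` as a likely shared credential because it was used from three different hosts. The shared-credential check is a heuristic; a named user with a laptop and a jump host will legitimately show two sources, which is why the threshold is a parameter.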
Last, but certainly not least, think about: