Control of the Week #4: User Access
This week’s control is on user access review. Jose Costa (CISO at Tugboat Logic) and Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic) explain why user access review is important and how you can implement it for your audits.
Why this control is important " AC3.7 - User Account Reviews - Management performs a quarterly user access review for in-scope system components to ensure that access is restricted appropriately. Access is modified or removed in a timely manner based on the results of the review. " Much like the "Control of the Week" on access control we covered, this control is another gatekeeper for your data. Through careful documentation and ownership over the systems that grant or deny access, User Account Reviews is a preventative control designed to stop potential risks to your data. It’s also another control that many fail in an audit because it’s easy to overlook .
As your organization grows, more users are going to have access to your data, making it difficult to manage who should and should not have access. Ideally, these users would be managed with an on/offboarding process, but organizations sometimes overlook that documentation process.
How to implement this control for your audits
Follow these three steps to set up a process to check who has access and whether or not they should have access:
Step 1: Have your "Security Czar" (or someone on the security and or eng team) get a list of all the users, their roles, system accounts, administrators, and other relevant information. Then send it to the application owner, and then request it back to verify that the accounts are correct. Step 2: Send the list to all of the application owners (i.e. the admins) to verify that the accounts are correct. Have the application owners send their verification back. Step 3: Set a reminder to conduct user access reviews every quarter (or month, if you want to be more stringent in your security). Note that whomever performs the review must remind application owners to clear the review.
Other things to keep in mind for this control
Once you get this process in place, you have to make sure sure that all requests for access are documented, especially requests made in “last-minute” situations. If someone other than your "Security Czar" conducts the user access review process, then make sure that s/he adheres to every step. Last, but certainly not least: always review your system accounts! As always, give us a shout if you have any questions about the controls and how to implement them.