- BlogInfoSec.com - https://www.bloginfosec.com -

Building an Access Review Compliance Framework

One of the major selling points for IDM vendors is that their tools will simplify your access review process. In my experience, and from what I have seen offered by several of the major IDM vendors, after the significant investment you would make in IDM technology you might well do nothing more than automate bad processes. The result is that you end up reviewing only your primary directory and comforting yourself with “closing the doors”, while hoping to get to more thorough access housekeeping at some point. You now face a danger not so much from the terminated associate as from current staff who could use that associate’s old account to undermine the integrity of your data and the non-repudiation of your transactions.

Several key components are required for an effective compliance framework. While technology solutions can assist in scaling access reviews for a large or complex organization, your foundation must rest on a solid and consistent set of policies, standards and procedures. A technology security policy, provided by your CISO, approved by senior management, and universally available to staff, provides a platform for communicating the criticality of each actor’s role in access reviews, and affirms to all staff that using shared or generic accounts, or the ID of another current or former associate, is unacceptable. Standards must then define, at a minimum, how source systems (such as Staffing, HR, and Contractor Management tools), directories (such as AD and LDAP), and provisioning systems or access containers throughout the organization should manage identity, authentication, authorization, and access reviews. Finally, procedures define the access lifecycle. Without this foundation you can never measure the effectiveness of your access compliance and controls, because there will be too many exceptions to set an accurate baseline. Your audit findings will be deficient and you will be assuming known but unquantifiable risk.
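As an added illustration of the reconciliation such standards imply (example code written for this article, not from the original post or any IDM product), the following script checks account inventories pulled from several access containers, not only the primary directory, against an HR and Contractor Management source of record and flags accounts whose owner is terminated, out of contract, unknown, or missing altogether (generic or shared IDs). The record layout, system names, person IDs and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumed schema): the authoritative source of record
# built from HR and Contractor Management feeds, keyed by person id.
# status "A" = active, "T" = terminated; "end" is a contract end date or None.
SOURCE_OF_RECORD = {
    "e1001": {"name": "A. Adams", "status": "A", "end": None},
    "e1002": {"name": "B. Baker", "status": "T", "end": date(2024, 3, 31)},
    "c2001": {"name": "C. Chen", "status": "A", "end": date(2024, 12, 31)},
}

# Constructed account inventories from several access containers, not only the
# primary directory. owner None marks a generic or shared id with no single owner.
ACCOUNTS = [
    {"system": "AD", "account": "aadams", "owner": "e1001"},
    {"system": "AD", "account": "bbaker", "owner": "e1002"},       # terminated, still in AD
    {"system": "LDAP", "account": "bbaker", "owner": "e1002"},     # same orphan in a second directory
    {"system": "Payroll", "account": "cchen", "owner": "c2001"},
    {"system": "Payroll", "account": "svc_batch", "owner": None},  # generic account
    {"system": "LDAP", "account": "jdoe", "owner": "e9999"},       # owner unknown to HR
]

AS_OF = date(2024, 6, 1)  # review date for the sample run

def review_accounts(accounts, source, as_of):
    """Reconcile every account against the source of record; return (system, account,
    reason) findings. Accounts with an active, in-contract owner yield nothing."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            findings.append((acct["system"], acct["account"], "generic or shared account"))
            continue
        rec = source.get(owner)
        if rec is None:
            findings.append((acct["system"], acct["account"], "owner not in source of record"))
        elif rec["status"] == "T" or (rec["end"] is not None and rec["end"] < as_of):
            findings.append((acct["system"], acct["account"], "owner terminated or contract ended"))
    return findings

def findings_by_system(findings):
    """Count findings per access container, showing where housekeeping lags."""
    counts = {}
    for system, _, _ in findings:
        counts[system] = counts.get(system, 0) + 1
    return counts

if __name__ == "__main__":
    print(findings_by_system(review_accounts(ACCOUNTS, SOURCE_OF_RECORD, AS_OF)))  # {'AD': 1, 'LDAP': 2, 'Payroll': 1}
```

Reviewing AD alone would surface one of the four findings; the per-system counts show the secondary directory and the application both holding accounts the primary-directory review never sees.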

Once the policies, standards, and procedures are defined, there are several specific components to include in your framework:

We will have a chance to examine each of the components of an access review compliance framework in more detail over the coming weeks. I welcome your comments and feedback, and I will attempt to answer your questions in future articles, particularly those on the practical implementation of what I have described.