Ask the Expert

How to conduct an efficient and thorough employee access review

What is the most efficient way to conduct an employee access review for all employees and systems? Are there any good templates or tools available to streamline this activity?

    Requires Free Membership to View

Reviewing access for all employees is not only an IT security best practice; it may also be required for compliance with regulations such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).

Without such a review, employees who have long left the company, voluntary or otherwise, may still have access to key systems, which is a serious security risk. In addition, as existing employees move around the company, changing job roles, their access requirements should change as well. Specifically, they need to be denied access to systems they no longer need.

Regular auditing of user access can also prevent "access creep," which is when employees accrue more access than they need as they change jobs.

The first rule for an access review is to have a centralized access management system. Standard directory services, like Active Directory (AD) for Windows and LDAP for Unix, are used in most companies. Though these services offer a lot of features, and can do some reporting, they may not be sufficient. If a corporation needs to produce regular reports for auditors and regulators, it will need something with more features.

There are a lot of high-quality identity management products on the market that augment traditional access management and provisioning with reporting and auditing capabilities. BMC Software has a suite of identity management products, such as its BMC Audit and Compliance Management and BMC Identity Compliance Manager 5.5 products. These two products provide customized reporting capabilities for compliance purposes and can demonstrate not only who has access to what, and at what level, but also that their access privlidges match corporate IT security policies.

Other products offering similar reporting and auditing capabilities include CA Inc.'s Identity Manager and Entrust Authority Security Manager. There are many companies offering identity management products. Whichever you choose, make sure it has centralized auditing and reporting capabilities.

More information:

This was first published in January 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: