A business unit manager, data owner or system owner should indicate whether a specific user is assigned certain rights to files, applications and network resources. It is best if individual business unit managers (manager of HR, manager of the accounting department, manager of R&D, etc.) are assigned to the data owner roles. This means they are responsible for classifying the data they are responsible for. So when Sally, a new HR employee needs to set up a network account, a request is sent to the HR manager. Once the HR manager approves this access, a request is sent to the data custodian (usually the IT group) with information on the type of account Sally needs with what type of access.
For internal auditing purposes, user accounts on different network systems should be compared to what is in the centralized system. This keeps track of who has approval for specific access types, ensures that there are no orphaned accounts and verifies that users are only receiving the access rights required for their jobs. In my opinion, it is best to implement this procedure every 3-6 months. Please note that this is usually only done on the mission critical systems, however through automated tools, it can be done on all systems.
This was first published in January 2006