
	Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How to conduct an efficient and thorough employee access review

Ask The Security Expert: Questions & Answers

EMAIL THIS

How to conduct an efficient and thorough employee access review

EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 03 January 2008
What is the most efficient way to conduct an employee access review for all employees and systems? Are there any good templates or tools available to streamline this activity?

Reviewing access for all employees is not only an IT security best practice; it may also be required for compliance with regulations such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).

Without such a review, employees who have long left the company, voluntary or otherwise, may still have access to key systems, which is a serious security risk. In addition, as existing employees move around the company, changing job roles, their access requirements should change as well. Specifically, they need to be denied access to systems they no longer need.

Regular auditing of user access can also prevent "access creep," which is when employees accrue more access than they need as they change jobs.

The first rule for an access review is to have a centralized access management system. Standard directory services, like Active Directory (AD) for Windows and LDAP for Unix, are used in most companies. Though these services offer a lot of features, and can do some reporting, they may not be sufficient. If a corporation needs to produce regular reports for auditors and regulators, it will need something with more features.

There are a lot of high-quality identity management products on the market that augment traditional access management and provisioning with reporting and auditing capabilities. BMC Software has a suite of identity management products, such as its BMC Audit and Compliance Management and BMC Identity Compliance Manager 5.5 products. These two products provide customized reporting capabilities for compliance purposes and can demonstrate not only who has access to what, and at what level, but also that their access privlidges match corporate IT security policies.

Other products offering similar reporting and auditing capabilities include CA Inc.'s Identity Manager and Entrust Authority Security Manager. There are many companies offering identity management products. Whichever you choose, make sure it has centralized auditing and reporting capabilities.

More information:

Learn more about network access management.
Get advice on how to avoid access management mistakes.

BROWSE BY TAG

Identity Management and Access Control, Enterprise User Provisioning Tools, Enterprise Identity and Access Management, Identity Management Technology and Strategy, Security Audit, Compliance and Standards, Sarbanes-Oxley Act, HIPAA, Expert Archive: Identity Management and Access Control, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Identity Management and Access Control
	Is Identity Management as a Service (IDaaS) a good idea?
	How to log in to multiple servers with federated single sign-on (SSO)
	How to confirm the receipt of an email with security protocols
	Learn about enterprise strategy for server virtualization single sign-on
	Employee information security awareness training for new IAM systems
	Can you combine RFID tag technology with GPS to track stolen goods?
	Is there a free enterprise-caliber password-management tool?
	Cryptosystem attacks that do not involve obtaining the decryption key
	Can any firm or organization get a digital signature certificate?
	Should the CTO have domain administrator access?

Enterprise User Provisioning Tools

Content-aware IAM: Uniting user access and data rights

Is Identity Management as a Service (IDaaS) a good idea?

Top tactics for endpoint security

How to edit group policy objects to give a user local admin rights

Privileged account management critical to data security

Making the case for enterprise IAM centralized access control

Lesson 3: How to implement secure access

Best practices for a privileged access policy to secure user accounts

Risk management must include physical-logical security convergence

PCI compliance requirement 7: Restrict access

Sarbanes-Oxley Act

SOX compliance burdens midmarket security teams

Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management

Information security book excerpts and reviews

Internal audits for Sarbanes Oxley and internal IT support

Internal auditors and CISOs mitigate similar risks

Implement security and compliance in a risk management context

Does password sharing in international branches violate SOX?

Consensus Controls project aims to set benchmarks for compliance

Security visualization helps make log files work

The Little Black Book of Computer Security, 2nd Edition

Sarbanes-Oxley Act Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

AAA server (SearchSecurity.com)

authentication, authorization, and accounting (SearchSecurity.com)

federated identity management (SearchSecurity.com)

logon (SearchSecurity.com)

password synchronization (SearchSecurity.com)

RADIUS (SearchSecurity.com)

role mining (SearchSecurity.com)

user profile (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy