How to conduct a periodic user access review for account privileges

BROWSE BY TAG Expert Archive: Identity Management and Access Control,   Enterprise User Provisioning Tools,   Enterprise Identity and Access Management,   Identity Management Technology and Strategy,   Password Management and Policy,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Expert Archive: Identity Management and Access Control Enterprise password management policy: Finding the balance Options for a mechanical door security system on a server room door Comparing access control mechanisms and identity management techniques User provisioning and SSO for PeopleSoft- and Unix-based products Could someone place a rootkit on an internal network through a router? Should a new user have to confirm an email address to gain access? Can home PCs provide a way for viruses and spyware to enter a corporate LAN? What should an enterprise look for in a password token and a vendor? Using batch files for temporary user access to the local admin group Pre-boot biometric user authentication tools and strategies Enterprise User Provisioning Tools Content-aware IAM: Uniting user access and data rights Is Identity Management as a Service (IDaaS) a good idea? Top tactics for endpoint security How to edit group policy objects to give a user local admin rights Privileged account management critical to data security Making the case for enterprise IAM centralized access control Lesson 3: How to implement secure access Best practices for a privileged access policy to secure user accounts Risk management must include physical-logical security convergence PCI compliance requirement 7: Restrict access Password Management and Policy Two-factor authentication, vigilance foil password theft Group to shed light on secure identity management threats Brute force attacks target Yahoo email accounts Best Identity and Access Management Products Privileged account management critical to data security Making the case for enterprise IAM centralized access control How to prevent brute force webmail attacks Best practices for a privileged access policy to secure user accounts Mature SIMs do more than log aggregation and correlation PCI compliance requirement 2: Defaults

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary AAA server  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) federated identity management  (SearchSecurity.com) logon  (SearchSecurity.com) password synchronization  (SearchSecurity.com) RADIUS  (SearchSecurity.com) role mining  (SearchSecurity.com) user profile  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

I'm happy to share the high-level overview of my periodic user access review standard:

1. Identify the business owners of every application.
2. Instruct business owners to classify the data in their applications. Corporate policy should define the different classifications.
3. If there is no policy on periodicity of access reviews based on the data classification, create one. I would suggest access to high-risk applications should be reviewed quarterly and every application should have a review conducted at least on an annual basis.
4. The business owner should identify the departments that use its application(s) and approve or reject them. I recommend this approach because the business owner may not know what individuals should have access to the application, but they should know what departments are and what level of access is appropriate for those departments. At the end of this step there should be two lists: Approved departments and rejected departments.
5. Notify the managers of the rejected departments that all of the people in their department will have their access removed from the application(s). I would give the managers two weeks to negotiate with the business owner before removal.
6. Send the managers of the approved departments a list of all their employees with access to the applications and give them two weeks to approve each individual. There should be two new lists at the end of this step: the approved individuals and the rejected individuals.
7. Remove access of the rejected individuals.
8. Make sure that all of the approval transactions are recorded in an auditable manner.

Also, a separate but important best practice is to make sure separation of duties among developers, data custodians and IT administration is well defined and documented.

There are some great products on the market that can help with this process. They are auditable, provide workflow engines, and some even interface with automated provisioning solutions. SailPoint Technologies Inc.'s Identity IQ and CA Inc.'s Eurekify's Sage are products worth investigating.

For more information:

• Learn best practices for implementing and maintaining enterprise user roles.
• Privileged account management implementation made simple: Check out these steps.