The first step in setting up a good system access request process is to define the organization's application and data owners. This requires applications and data to be sorted into categories, and assigned an owner. For example, the director of finance may own accounting and payroll data, and sales data may be owned by the director of sales. Once these application and data owners have been defined, it's time to create an updated form.
It's best if you can create a Web-based form or custom email form that can be kept online and restricted to a defined group of users who are authorized to request access for employees. If you don't allow hardcopies of the request form to be submitted, you can always ensure that only authorized people are using the most updated form. An added benefit of using Web-based forms is that you can potentially capture the user's user ID and IP address for further proof that the request came from an authorized employee. The forms should require
Once you've created your forms, it's time to restrict them to authorized personnel and create some instructions for users to follow. The instructions should be stored in the same location as the forms. A flowchart should also be created to document the IT department's internal processes for fulfilling the requests.
It's best to designate one person to maintain the forms. This makes it easier to have forms designed and modified with a consistent theme. With a little creativity, these same access request forms and processes can be used to handle employee terminations. Once you've set up a sound process and easy-to-use forms, you'll have a much happier staff and your auditors will be pleased. Just make sure you have an access request form for each person who is granted access to an application or data set!
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
HACKER ATTACK TECHNIQUES AND TACTICS
Introduction: Hacker attack tactics
How to stop hacker theft
Hacker system fingerprinting, probing
Using network intrusion detection tools
Authentication system security weaknesses
Improve your access request process
Social engineering hacker attack tactics
Secure remote access points
Securing your Web sever
Wireless security basics
How to tell if you've been hacked
This was first published in February 2005