
How to conduct an efficient and thorough employee access review

In order to meet HIPAA and SOX compliance requirements, an employee access review is necessary.

What is the most efficient way to conduct an employee access review for all employees and systems? Are there any good templates or tools available to streamline this activity?
Reviewing access for all employees is not only an IT security best practice; it may also be required for compliance with regulations such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).

Without such a review, employees who have long left the company, voluntarily or otherwise, may still have access to key systems, which is a serious security risk. In addition, as existing employees move around the company, changing job roles, their access requirements should change as well. Specifically, they need to be denied access to systems they no longer need.

Regular auditing of user access can also prevent "access creep," which is when employees accrue more access than they need as they change jobs.

The first rule for an access review is to have a centralized access management system. Standard directory services, like Active Directory (AD) for Windows and LDAP for Unix, are used in most companies. Though these services offer a lot of features, and can do some reporting, they may not be sufficient. If a corporation needs to produce regular reports for auditors and regulators, it will need something with more features.
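The risks described above (leavers who keep access, role changes, access creep) and the reporting the answer calls for can be checked mechanically once the directory and HR data are in one place. The following is an added example, not from the original answer or from any product named on this page; the roster format, group export, role baselines and finding names are all assumptions constructed for illustration.

```python
# Added example: a minimal access-review pass over a constructed HR roster and
# a constructed directory group export. Not from the original answer; the data
# formats, role baselines and finding names are assumptions for illustration.

# Constructed sample: what HR says about each account (status and job role).
HR_ROSTER = {
    "alice": {"status": "active", "role": "billing_clerk"},
    "bob": {"status": "active", "role": "dba"},
    "carol": {"status": "terminated", "role": "billing_clerk"},
    "dave": {"status": "active", "role": "billing_clerk"},
}

# Constructed sample: group memberships as exported from the directory.
DIRECTORY_GROUPS = {
    "alice": {"billing_app_users", "vpn_users"},
    "bob": {"db_admins", "vpn_users"},
    "carol": {"billing_app_users", "vpn_users"},  # leaver never deprovisioned
    "dave": {"billing_app_users", "vpn_users", "db_admins"},  # kept from old role
    "eve": {"vpn_users"},  # not in the HR roster at all
}

# Assumed role baselines: the most access any holder of the role should have.
ROLE_BASELINE = {
    "billing_clerk": {"billing_app_users", "vpn_users"},
    "dba": {"db_admins", "vpn_users"},
}

def review_access(roster, groups, baseline):
    """Return sorted (account, finding, detail) tuples for the reviewer to act on."""
    findings = []
    for account, memberships in groups.items():
        record = roster.get(account)
        if record is None:
            # Directory account HR knows nothing about: orphaned, review its owner.
            findings.append((account, "orphaned_account", sorted(memberships)))
        elif record["status"] != "active":
            # Leaver still holds access: should have been removed at offboarding.
            findings.append((account, "terminated_still_has_access", sorted(memberships)))
        else:
            # Anything beyond the role baseline is likely access creep from a past role.
            excess = memberships - baseline.get(record["role"], set())
            if excess:
                findings.append((account, "access_creep", sorted(excess)))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding, detail in review_access(HR_ROSTER, DIRECTORY_GROUPS, ROLE_BASELINE):
        print(f"{account}: {finding} -> {detail}")
```

The three finding types map directly onto the risks in the answer; in practice the roster and group export would come from the HR system and the directory rather than being embedded.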

There are a lot of high-quality identity management products on the market that augment traditional access management and provisioning with reporting and auditing capabilities. BMC Software has a suite of identity management products, such as its BMC Audit and Compliance Management and BMC Identity Compliance Manager 5.5 products. These two products provide customized reporting capabilities for compliance purposes and can demonstrate not only who has access to what, and at what level, but also that their access privileges match corporate IT security policies.

Other products offering similar reporting and auditing capabilities include CA Inc.'s Identity Manager and Entrust Authority Security Manager. There are many companies offering identity management products. Whichever you choose, make sure it has centralized auditing and reporting capabilities.


This was last published in January 2008
