Problem solve Get help with specific problems with your technologies, process and projects.

Improving your access request process with system authorization

This installment in our series on hacker techniques and tactics focuses on streamlining inefficient application and data access requests with system authorization.

Many companies deal with their fair share of vaguely defined, outdated, cumbersome, inefficient or non-secure access...

request processes for handling application, data and system access requests. Often, there's an old, outdated hardcopy form used by everyone that has been duplicated so many times it's barely legible. Even worse, it often doesn't require the proper sign-offs or data and system authorization for access. If you plan on passing a serious audit and want to improve your access request process, read on!

The first step in setting up a good system access request process is to define the organization's application and data owners. This requires applications and data to be sorted into categories, and assigned an owner. For example, the director of finance may own accounting and payroll data, and sales data may be owned by the director of sales. Once these application and data owners have been defined, it's time to create an updated form.

It's best if you can create a Web-based form or custom email form that can be kept online and restricted to a defined group of users who are authorized to request access for employees. If you don't allow hardcopies of the request form to be submitted, you can always ensure that only authorized people are using the most updated form. An added benefit of using Web-based forms is that you can potentially capture the user's user ID and IP address for further proof that the request came from an authorized employee. The forms should require approval by the application or data owner for each area the user needs to access. Depending on the desired level of sophistication, the application or data owner's approval could be electronic, or a printed, signed hardcopy may be required. Usually, it's easy to find someone in IT that has experience creating Web-based or email-based forms.

Once you've created your forms, it's time to restrict them to authorized personnel and create some instructions for users to follow. The instructions should be stored in the same location as the forms. A flowchart should also be created to document the IT department's internal processes for fulfilling the requests.

It's best to designate one person to maintain the forms. This makes it easier to have forms designed and modified with a consistent theme. With a little creativity, these same access request forms and processes can be used to handle employee terminations. Once you've set up a sound process and easy-to-use forms, you'll have a much happier staff and your auditors will be pleased. Just make sure you have an access request form for each person who is granted access to an application or data set!

About the author
Vernon Haberstetzer, president of security seminar and consulting company, has seven years of in-the-trenches security experience in healthcare and retail environments.


  Introduction: Hacker attack tactics
  How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
    Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
  Securing your Web sever
  Wireless security basics
  How to tell if you've been hacked

This was last published in February 2005

Dig Deeper on Hacker tools and techniques: Underground hacking sites