Step Four in the FINOSEC user access review best practice series is to ensure users who have access to your systems have legitimate duties that justify not only access but their specific permissions for those systems.
Step Four: Review System Access and Permissions
In Step Three, you assessed your system risks and categorized them as high, medium, or low. This assessment helped you create your annual plan for user access reviews based on risk. Now, it’s time to get a bit more granular. Continuing our theme of starting with the most important, we must look at privileged access permissions first. You need to validate that the users with privileged access to your systems have job duties requiring that level of access. You then need to confirm you are managing all of your users to the principle of least privilege, meaning that users have the least permissions necessary to do their jobs.
Who exactly are “users”?
The term “users” includes employee accounts, contractor accounts, system accounts, service accounts, vendor accounts, and API integrations. The systems and data accessed by these accounts may exist outside your institution's firewall and should be reviewed.
About those vendor accounts…
The access vendors have to your data, such as for managed services providers, should be analyzed in terms of “active or inactive.” For example, do all the vendors currently classified as active need to be active, or should some be classified as inactive?
Where do I start?
Your permissions review should start with the high-risk functions on your highest-risk systems. This lets you focus on perhaps 20-30 of the most crucial privileged permissions. Then you can address the rest of the more typical users at a later time.
You need to review all account changes from previous reviews.
When roles change, ensure the permissions no longer needed have been removed and confirm that the appropriate new permissions have been added. You also have to inspect individual permission changes and permissions that have been added to a security group. If you can structure your review to focus only on what’s changed, it’s a far more efficient process.
Finally, work together!
There are three significant side effects of this effort:
- Onboarding a new employee
When hired for a specific job role, IT will know precisely what permissions to give the user to complete their work resulting in fewer helpdesk tickets.
- Terminating a user
One of the most common IT Security Audit findings is a terminated user with an active account hanging around. By documenting the systems a user has access to, you will know what systems they need to be removed from and can avoid that audit finding.
- Changing Job Roles
If a user is changing jobs, more often than not, they are given the permissions they need for their new role, but the permissions they don’t need are not removed. By documenting the required permissions for each job role, you will know what to add and, most importantly, what to remove.
Want more information?
Are you intrigued by what you’ve read? This is the fourth step of a five-step improved UAR process. There’s one more yet to come. You can review the previous blogs here:
- Step 1: Building the Foundation
- Step 2 : Start With the Most Important
- Step 3: Risk Rate Systems & Access
Or, if your frustration has already spiked because your institution still follows outdated processes to complete your user access reviews, you should contact FINOSEC today. We’d love to work alongside you to simplify your user access review process and make them easier than ever!