Step 5 is the final step in the User Access Review Best Practices series. The goal of this step is to focus on increasing standardization to develop a more mature and routine approach to user access reviews by focusing on three key areas.
- Roles and baseline permissions
- Standardized onboarding processes
- Procedures to track and account for changes and exceptions.
Step Five: Increase Maturity
In the previous steps, you inventoried and mapped your systems, identified the relative risk of the different systems, rated system risk, and identified those with higher risk. From there, you learned to review the roles, identify the system access each role needs, and how to properly address new and terminated accounts.
Now, it’s time to take what you’ve learned and build a streamlined process that keeps your institution safer while making your job simpler.
Use Security Groups
You should develop a comprehensive list of the baseline permissions per system for each job role or function, making sure the access to be granted is consistent with the standard of least privilege. This is also where you need to identify the privileged access requirements. It may even make sense to create a special group for these elevated rights for ease of management. Be on guard for permission creep and red flags, such as a single user being able to make and approve their own change in a system. Your diligence in this process is a good way for you to reduce overall risk.
Once completed, create security groups to match the job roles or functions you've defined. By using group permissions, you can easily add and remove accounts and know what permissions are being altered.
Where do I start?
The path to easy permissions management begins with a Role & Access Matrix that consists of the following items:
- The primary function of the role
- Systems & permissions the role requires
- Security Groups required for the role
Using this matrix, you can establish the procedures needed to maintain accurate and verifiable permission provisioning for your accounts.
Establish standard onboarding procedures
By utilizing security groups for each job role or function, you can standardize your onboarding process, making it easier, reducing follow-up helpdesk requests for permissions that were overlooked, and setting your new employees up for success.
Work with your HR team, so that job roles and functions are standardized allowing for a smooth process for provisioning new users. For example, HR notifies IT that a new teller is starting on a certain day. IT can then provision that account at the right time and add the user to the teller security groups confidently knowing that they will have all the access they need.
Establish job change and termination procedures
Utilizing the Role & Access Matrix and your security groups benefits your job change and termination procedures, as well. For terminations, you’ll have confidence in knowing what systems to remove the user from and not miss one. For job changes, you can add them to their new security groups and remove them from the security groups and systems no longer needed. This ensures you don’t leave leftover excess permissions along the way.
What about one-offs?
A more complex change case is when an employee, for whatever reason, must be given temporary access to one or more systems. There must be a process in place to manage and handle these temporary situations, so they aren’t forgotten and become permanent.
One way to track these is by using a user variance management process. This can be a separate log or built into your change management program. Be sure that every temporary access request has a defined end date. Then, set reminders to remove the access at the appropriate time. A review of the user access variance log should be completed routinely to ensure that a temporary elevation in permissions doesn’t become an accidental permanent change.
Want more information?
This is the final step of a five-step improved UAR process. If you would like, you can review the previous blogs here:
- Step 1: Building the Foundation
- Step 2: Start With the Most Important
- Step 3: Risk Rate Systems & Access
- Step 4: Review System Access and Permissions
Or, if you’re already tired of outdated processes to complete user access reviews, you should contact FINOSEC today. We’d love to work alongside you to simplify your user access review process and make them easier than ever!