In my previous post, I discussed the second of four steps for limiting Vendor Risk. This month we will review Step 3: Ensure Periodic Access Reviews are Performed.
To ensure security processes are in place and operating effectively, you must perform periodic access reviews to detect inaccuracies in provisioned access.
These are the “who, what and when” criteria you must consider when setting up and performing periodic access reviews:
Who needs to perform the reviews?
Reviews need to be conducted by two groups of people:
- Reporting Manager – The vendor/contractor must be assigned a reporting manager. The reporting manager must be someone who knows if the vendor/contractor’s access is still required.
- Application Owner – The application owner is responsible for the data/information stored by the application. It is his/her responsibility to know who has access to that information and to ensure it is limited only to those who require it.
What types of applications need to be reviewed?
There are three types of applications that require access reviews:
- Applications that are subject to audit. Such applications can include Sarbanes-Oxley (SOX) applications/servers/databases, Payment Card Industry (PCI) related applications/servers/databases and others.
- Applications that contain sensitive information. These applications/servers/databases can store anything from financial data to employee information.
- All other applications. All applications need to be reviewed from time to time to ensure that any terminated vendors/contractors have been properly removed.
When do Access Reviews need to be performed?
- Privileged Accounts – Every 30 days
- Accounts with access to SOX/PCI data – Every 90 days
- All other accounts – Annually
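As an added illustration (not part of the original post or of any vendor's product), the following script applies the cadence above to a small, constructed account inventory and flags what the reviewer should see: accounts whose review is overdue for their tier, accounts with no reporting manager or application owner assigned, and terminated vendors who still hold access. The account fields, tier names and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Review cadence from the post: privileged every 30 days, SOX/PCI every 90 days,
# everything else annually. An unknown tier is an assumption of this example and
# falls back to the strictest interval until the application is classified.
REVIEW_INTERVAL_DAYS = {"privileged": 30, "sox_pci": 90, "other": 365}
STRICTEST_DAYS = 30

# Constructed sample inventory (hypothetical users, applications and dates).
SAMPLE_ACCOUNTS = [
    {"user": "v-alice", "app": "ERP-GL", "tier": "sox_pci", "last_review": date(2016, 1, 5),
     "manager": "jdoe", "owner": "finops", "vendor_active": True},
    {"user": "v-bob", "app": "DomainAdmin", "tier": "privileged", "last_review": date(2016, 2, 20),
     "manager": "jdoe", "owner": "itops", "vendor_active": True},
    {"user": "v-carol", "app": "HR-Portal", "tier": "other", "last_review": date(2015, 2, 1),
     "manager": "", "owner": "hr", "vendor_active": True},
    {"user": "v-dave", "app": "ERP-GL", "tier": "sox_pci", "last_review": date(2016, 3, 15),
     "manager": "jdoe", "owner": "finops", "vendor_active": False},
]


def next_review_due(acct):
    """Date by which this account must be re-certified, based on its tier."""
    days = REVIEW_INTERVAL_DAYS.get(acct["tier"], STRICTEST_DAYS)
    return acct["last_review"] + timedelta(days=days)


def accounts_needing_attention(accounts, today):
    """Return (user, app, reason) tuples for every issue a reviewer should act on."""
    findings = []
    for acct in accounts:
        # A terminated vendor/contractor should have no access at all; removal
        # takes priority over re-certifying the entitlement.
        if not acct["vendor_active"]:
            findings.append((acct["user"], acct["app"], "terminated vendor still provisioned"))
            continue
        # Both reviewers (reporting manager and application owner) must exist.
        if not acct["manager"] or not acct["owner"]:
            findings.append((acct["user"], acct["app"], "no reporting manager or application owner assigned"))
        if next_review_due(acct) < today:
            findings.append((acct["user"], acct["app"], "review overdue for tier %s" % acct["tier"]))
    return findings


if __name__ == "__main__":
    for user, app, reason in accounts_needing_attention(SAMPLE_ACCOUNTS, date(2016, 4, 1)):
        print("%-8s %-12s %s" % (user, app, reason))
```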
So how does one go about performing successful and efficient access reviews? The reality is that manual processes are ineffective and extremely time-consuming for all parties involved. I recommend using one of the following access governance solutions to ensure a proper review is performed:
- RSA Via Lifecycle and Governance (RSA Via L&G) platform
- Oracle Identity Analytics
- CA Identity and Governance
- Dell Access Certification
Simeio Solutions can assist in setting up and configuring any of the above-mentioned access governance solutions, and can deliver it “as a service.” Simeio Solutions is vendor agnostic, supporting whichever access governance solution best meets your needs.
In next month’s post, I’ll discuss Step 4 – Ensure Access to Your IT Environment is Protected Using All Means Necessary. Thanks again for taking the time to read. I hope you have enjoyed it.
Robert Streets, CBCP, CISA
Project/Service Delivery Manager