TOPIC: Managing Access Rights for New Starters
All too often I visit organizations where a member of staff has been disciplined or has left the business, and it turns out that data was compromised through unauthorised or unrestricted access by a user who never needed that privilege in the first place.
When I review how these breaches occur, I tend to find two common issues: 1) no access rights policy in place, and 2) no formal authorization process to ensure that the new starter's access is congruent with the job specification.
In most cases the reasons for granting access are uncodified, with no tangible rationale as to why employee X got different rights from employee Y.
In many situations, new employees appear to be given unfettered access to systems and applications that have no bearing on their work activities.
This makes applying the organization's disciplinary process all the harder. If an employee is simply assigned a full suite of applications and programmes from the day they start, then any later attempt to discipline them for using those same systems rests on shaky ground, whatever the concern turns out to be.
The data at stake can include accounts information, contractual and marketing information, and personnel data. Once it has been obtained under the auspices of legitimate work, it is hard to build a credible case against the employee for wrongdoing.
So what should be done?
I suggest that an organization sets out a clear access rights policy approved by the CEO or similar. This sets the tone for how access rights will be managed and policed for effectiveness. Secondly, I suggest that a pre-prepared access rights table be created that covers all the key positions within the business and lists the necessary access rights for each post, so that a new starter receives the entitlements approved for their role and nothing more. This document should be approved by top management and communicated to all key members of staff who have a bearing on new-employee onboarding and supervision.
Ongoing security audits in this area should compare the access each user actually holds against the approved table for their post, so that any shortcomings or remedial action required are identified early rather than after an incident. The access control requirements in ISO 27001 (Annex A) provide a clear framework for this activity.
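The role-based access rights table and the audit that checks users against it are straightforward to mechanise. The following is an added illustration, not code from the author or from any real organisation: the role names, entitlement strings and user records are constructed sample data, and the function names (`provision_for_role`, `reconcile`) are my own. It provisions a new starter strictly from the approved table, then reconciles existing users against that table and reports excess grants (the problem the article describes), missing grants (a user who cannot do their job and will borrow someone else's login), and users whose role does not appear in the table at all.

```python
"""Access-rights provisioning and reconciliation against an approved role table.

Added example (not from the original article). All roles, entitlements and
users below are constructed sample data.
"""
from dataclasses import dataclass, field

# The top-management-approved access rights table, keyed by job position.
# Entitlements are written "system:permission". Constructed sample data.
ROLE_ENTITLEMENTS = {
    "accounts_clerk": {"finance_ledger:read", "finance_ledger:write", "email"},
    "marketing_exec": {"crm:read", "marketing_drive:read",
                       "marketing_drive:write", "email"},
    "hr_advisor":     {"hris:read", "hris:write", "email"},
}


@dataclass
class User:
    username: str
    role: str
    grants: set          # entitlements the user actually holds today


@dataclass
class Finding:
    username: str
    excess: set = field(default_factory=set)    # held but not approved for the role
    missing: set = field(default_factory=set)   # approved for the role but not held
    unknown_role: bool = False                  # role absent from the approved table


def provision_for_role(role, role_table=ROLE_ENTITLEMENTS):
    """Return the grant set a new starter in `role` should receive.

    Refuses unknown roles rather than guessing or copying another account,
    which is how over-provisioned starters usually come about.
    """
    if role not in role_table:
        raise ValueError(f"no approved access rights entry for role {role!r}")
    return set(role_table[role])


def reconcile(users, role_table=ROLE_ENTITLEMENTS):
    """Compare each user's live grants with the approved set for their role.

    Returns a list of Finding objects; users that match exactly produce none.
    """
    findings = []
    for u in users:
        held = set(u.grants)
        if u.role not in role_table:
            # Nothing can be authorised against a role that was never approved.
            findings.append(Finding(u.username, excess=held, unknown_role=True))
            continue
        expected = role_table[u.role]
        excess, missing = held - expected, expected - held
        if excess or missing:
            findings.append(Finding(u.username, excess, missing))
    return findings


def summarise(findings):
    """Human-readable audit lines, one per finding."""
    lines = []
    for f in findings:
        if f.unknown_role:
            lines.append(f"{f.username}: role not in approved table, holds {sorted(f.excess)}")
            continue
        if f.excess:
            lines.append(f"{f.username}: EXCESS {sorted(f.excess)} (remove)")
        if f.missing:
            lines.append(f"{f.username}: MISSING {sorted(f.missing)} (grant or re-check role)")
    return lines


# Constructed sample population for the audit run.
SAMPLE_USERS = [
    User("jsmith", "accounts_clerk",
         {"finance_ledger:read", "finance_ledger:write", "email"}),
    # Provisioned by copying a colleague's account: holds HR data with no job need.
    User("akhan", "marketing_exec",
         {"crm:read", "marketing_drive:read", "marketing_drive:write",
          "email", "hris:read"}),
    # Under-provisioned starter.
    User("lwong", "hr_advisor", {"email"}),
    # Role string never approved by management.
    User("contractor1", "consultant", {"finance_ledger:read"}),
]

if __name__ == "__main__":
    print("new starter in accounts:", sorted(provision_for_role("accounts_clerk")))
    for line in summarise(reconcile(SAMPLE_USERS)):
        print(line)
```

Run periodically against an export from the directory or identity provider; the "excess" lines are the cases the article is concerned with, and the "unknown role" lines are the sign that someone has been onboarded outside the approved table altogether.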