2. Can you trace all access rights?
Every manager has heard the following question: “Since when and why does John Doe have access to my project data?!“. Of course, it is impossible to answer this question without having continuous documentation at hand; but creating and also maintaining this kind of documentation is very difficult and time-consuming. It does not allow for mistakes and if important information is missed or excluded, it can be detrimental to the entire company.
Usually, workflow documentation is achieved (or, rather, not achieved) by using entirely unsuited solutions: ticket or helpdesk applications or – worse yet – a shared Exchange mailbox where all requests are stored. This leaves no room for any form of proper reporting, which in turn will most definitely become apparent during the next IT audit.
3. Are you wasting time on access management?
If you believe your IT department is spending too much time setting and adjusting user access rights or trying to represent the life cycles of your employees in the form of IT accounts, then simply take a step back. Consider how much time and expenditures your company is currently investing in the following processes:
- Employees who need specific access rights must request these via e-mail or using other, poorly suited, tools.
- The IT department must then find out who is responsible for the data for which the request has been made.
- The relevant data owner must then be contacted and a workflow must be undergone. As explained earlier, the storage and reporting options here are unsuitable for this purpose.
- After approval from the data owner, the IT department must assign the access rights in the corresponding system
- Subsequently, both the data owner and user must be informed that access has been granted.
From this we can conclude:
- Each request involves several people
- Task management is complex as each task must usually be carried out manually by an IT person.
- The IT tools used for carrying out the tasks are not well suited to the purpose
Remember: all of these processes are becoming more and more complex. Cloud applications, for instance, are often managed remotely, which makes it even harder to implement workflows here.
4. Is your data exposed to theft and abuse?
Let’s be honest: most managers are aware that assigning access rights incorrectly will grant a significant number of people access to data and systems which they don’t actually need for their specific jobs.
This seems to be a recurring pattern across companies – but why? Allow me to elaborate:
Users are constantly collecting new permissions as they go along. It is inevitable. Each new task involves one new access right. However, the reverse process, i.e. withdrawing permissions, is rarely done. The reason for this is, again, a lack of suitable tools. A suitable tool would be able to reproduce transition or expiration periods for access rights.
It would also be able to revoke access rights once they are no longer needed – and, ideally, it would do so automatically. Furthermore, it would allow data owners or managers to check on their access rights regularly and remove those which are no longer needed. The tool would also keep this task extra simple. Read up on one tragic case involving a healthcare facility in Europe which illustrates the possible consequences for lax handling of access rights.
5. Are you able to meet all legal requirements?
Are you aware of the rules your company must adhere to when processing data or operating in particular regions of the world? Here are just a few of these rules:
- If your company processes any type of data of EU citizens, you are bound by the rules of the General Data Protection Regulation (GDPR), regardless of where your company is based. To learn more about this topic, please read our whitepaper.
- If your company is listed with an American stock exchange, you must comply with the accounting transparency requirements of the Sarbanes-Oxley Act (SOX).
- If your company processes credit card information, you are required to comply with some important data security guidelines stipulated by PCI-DSS.
- Is your company certified according to ISO-27001 or are you planning to get it certified? Then you should become familiar with the ISO-27002 regulations as soon as possible. Please also read our whitepaper for more information.
According to these rules, any crucial data (personal data, credit card data, accounting data, etc.) must be protected effectively from unauthorized access. By now, however, it is widely accepted that this cannot be achieved using the available standard tools.
Either way, all efforts to achieve compliance are worthless if your company is unable to prove said compliance during an audit. If consistent and reliable traceability cannot be achieved, prospects are dim.
So what’s the conclusion?
If you can tick off all of the points mentioned previously, you are well prepared – congratulations! Check the measures you have placed regularly and ensure that they are still in line with demands.
If you can not tick off the list positively, you should definitely act now – in your company’s best interest.
We will gladly assist you in the implementation of a future-oriented user and access rights management solution.