System Access Reviews are Critical for Strong Internal Controls
Periodic reviews of system access are critical for service organizations that wish to maintain strong internal control around information security. Access privileges to systems or physical locations that impact the customer's business environment should be commensurate with the requirements of the services provided, and no broader. These privileges should also enforce segregation of incompatible duties. For example, a system developer generally should not also have the ability to migrate changes to the production environment, since one person could then both write and deploy unreviewed code.
Similarly, a service would almost never require a billing clerk to have access to a proprietary data center. As a general rule, restriction of access privileges should be considered for the following:
- Production data centers or server rooms
- Office buildings
- Production networks
- Production server operating systems
- Production databases
- Production applications
- Ancillary applications that could allow indirect access to the above environments (e.g., password safes or badge access systems)
In order to ensure that systems are both physically and logically secure, a service organization should first design and implement strong preventive controls around user provisioning and de-provisioning. These controls commonly include creation of access change requests within a ticketing system, approval from a user’s manager prior to granting access, and assignment of responsibility for executing the approved changes.
However, as human and technological errors are almost certain to occur throughout these processes (a termination that is never ticketed, a group membership copied from a colleague, a temporary grant that is never revoked), detective and corrective controls are also needed to ensure that access is appropriately restricted. A properly designed and implemented user access review acts as both a detective and a corrective control. Below are a few key steps to help ensure that a user access review is performed completely, accurately and in a timely manner.
Planning the Review
- Assign responsibility for facilitating the access review.
Whether this review is automated or performed manually by human resources or IT, a person or group should be responsible for ensuring the review is completed. This person or group does not necessarily perform the review, but rather ensures the review is completed by the appropriate personnel. (Note: the access review should generally be performed as a function of the business, not by an independent internal audit function, which should remain free to test the control.)
- Ensure that logical and physical access listings for all systems relevant to the service are considered as part of the review.
The bulleted list above is a solid place to start when determining the scope of an access review. It is also beneficial to assign responsibility to a manager or administrator for each system, so that every listing has a named reviewer.
- Determine a frequency for the access review.
A quarterly review aligns with best practices and is required by certain compliance standards. More or less frequent reviews may be appropriate depending on the organization's risk profile and the sensitivity of the system; privileged access in particular is often reviewed more frequently than general user access. At a minimum, these reviews should occur annually.
- Although not required, a ticketing system can be a valuable tool in performing an access review.
A ticketing system is an easy way to disseminate access listings, assign responsibility, and track the progress of the review.
- Document the user access review process within a policy or procedural document.
The access review procedures should be documented in detail to guide relevant personnel in the performance of the review.
Performing the Review
- Obtain full user access listings with privileges for all systems in scope for the review. Examples include application or database user privilege listings, server operating system group listings, network domain group listings and badge access listings with zone definitions.
- Request that system administrators review privileged user access. "Privileged users" can be loosely defined as those users with the ability to modify user access or make changes to systems. In the case of physical access, this includes users with access to proprietary data centers as well as administrative access to badge access systems. Of course, the service organization should make a determination based on its environment as to which privileges must be periodically reviewed. Each review should be performed shortly after the user access listings are extracted, so that the listing still reflects the current state of the system; a listing that has aged for weeks may omit recent grants and show access that has already been removed.
- Execute corrective changes based on management's review. Once a review of each privileged user has been performed, system administrators should make any changes noted in the review so that access is appropriate, and a fresh listing should be extracted to confirm that the changes actually took effect.
- Retain detailed documentation of the user access review. Key elements from each access review should be retained in an internal repository or folder as evidence of the review. If a ticketing system is utilized for the review, any attachments or approvals will be inherently maintained within the system. However, any e-mail approvals or other communications outside the ticketing system should be retained as well. No matter what retention system is used, the following information should be retained:
a. The date the user listing was extracted
b. The date the manager or administrator performed the review
c. The name of each manager or administrator performing the review
d. Approvals and names of users deemed to have inappropriate access
e. Evidence that the corrective changes were executed (for example, the change ticket or the re-extracted listing)
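The detective and corrective steps above can be reduced to a reconciliation: compare each extracted listing against the HR roster, the approved access tickets and the segregation-of-duties rules, remove whatever is flagged, and re-run the comparison to prove the removal took effect. The script below is an added example, not tooling from the original article; the HR roster, access listings, approval tickets, the seven-day staleness limit and the single developer/production-migration rule are constructed sample data, and all function and field names are this example's own. It generalizes the article's developer example by treating any (role, system, privilege) combination as a segregation-of-duties rule.

```python
"""Reconcile extracted access listings against HR and approval records.

Added example: not the article's own tooling. All data below is constructed.
"""
from datetime import date

# HR roster: who currently works here and what they do (constructed).
HR_ROSTER = {
    "asmith": {"status": "active", "role": "developer"},
    "bjones": {"status": "active", "role": "dba"},
    "cwu":    {"status": "terminated", "role": "developer"},
    "dlee":   {"status": "active", "role": "billing clerk"},
}

# Extracted listings per system: system -> {user: set(privileges)} (constructed).
# The extraction date is recorded because a listing goes stale quickly.
EXTRACT_DATE = date(2024, 4, 1)
REVIEW_DATE = date(2024, 4, 3)
MAX_LISTING_AGE_DAYS = 7  # assumed policy limit, not from the article
LISTINGS = {
    "prod-db":          {"bjones": {"DBA"}, "cwu": {"READ"}, "dlee": {"READ"}},
    "prod-deploy":      {"asmith": {"MIGRATE"}, "bjones": {"MIGRATE"}},
    "datacenter-badge": {"bjones": {"SERVER_ROOM"}, "dlee": {"SERVER_ROOM"}},
}

# Approved access change tickets: (system, user) -> set(privileges) (constructed).
# Note asmith's MIGRATE grant was ticketed and approved; approval alone does
# not make it appropriate, the segregation-of-duties rule still catches it.
APPROVED = {
    ("prod-db", "bjones"): {"DBA"},
    ("prod-db", "dlee"): {"READ"},
    ("prod-deploy", "bjones"): {"MIGRATE"},
    ("prod-deploy", "asmith"): {"MIGRATE"},
    ("datacenter-badge", "bjones"): {"SERVER_ROOM"},
}

# Privileges that count as "privileged" and must be reviewed every cycle.
PRIVILEGED = {"DBA", "MIGRATE", "SERVER_ROOM"}

# Segregation-of-duties rules as (role, system, privilege) triples. The one
# rule here is the article's example: developers must not migrate to prod.
SOD_RULES = {("developer", "prod-deploy", "MIGRATE")}


def find_exceptions(listings, roster, approved, sod_rules):
    """Detective step: return sorted (system, user, privilege, reason) tuples."""
    exceptions = []
    for system, users in listings.items():
        for user, privs in users.items():
            person = roster.get(user)
            for priv in sorted(privs):
                # Anyone not active in HR keeps nothing, privileged or not.
                if person is None or person["status"] != "active":
                    exceptions.append((system, user, priv, "user not active in HR"))
                    continue
                if priv in PRIVILEGED and priv not in approved.get((system, user), set()):
                    exceptions.append((system, user, priv, "privileged access without approved ticket"))
                if (person["role"], system, priv) in sod_rules:
                    exceptions.append((system, user, priv, "segregation of duties conflict"))
    return sorted(exceptions)


def apply_corrections(listings, exceptions):
    """Corrective step: drop every flagged privilege, returning a new listing."""
    corrected = {s: {u: set(p) for u, p in users.items()} for s, users in listings.items()}
    for system, user, priv, _reason in exceptions:
        corrected[system][user].discard(priv)
        if not corrected[system][user]:
            del corrected[system][user]
    return corrected


def build_review_record(extract_date, reviewer, review_date, exceptions):
    """Evidence to retain: extraction date, review date, reviewer, flagged access."""
    age = (review_date - extract_date).days
    return {
        "listing_extracted": extract_date.isoformat(),
        "review_performed": review_date.isoformat(),
        "reviewer": reviewer,
        "listing_age_days": age,
        "listing_stale": age > MAX_LISTING_AGE_DAYS,
        "inappropriate_access": [
            {"system": s, "user": u, "privilege": p, "reason": r}
            for s, u, p, r in exceptions
        ],
    }


if __name__ == "__main__":
    found = find_exceptions(LISTINGS, HR_ROSTER, APPROVED, SOD_RULES)
    for exc in found:
        print("%-17s %-7s %-12s %s" % exc)
    fixed = apply_corrections(LISTINGS, found)
    # Re-running detection over the corrected listing is the proof that the
    # corrective control took effect; an empty result is what gets retained.
    assert find_exceptions(fixed, HR_ROSTER, APPROVED, SOD_RULES) == []
    print(build_review_record(EXTRACT_DATE, "bjones", REVIEW_DATE, found))
```

Run against the constructed data, the detective pass flags three items: the billing clerk's unticketed server-room badge, the terminated developer's lingering database read access, and the developer with an approved but incompatible production-migration right. The second pass over the corrected listing returns nothing, which is the evidence that item e in the retention list asks for.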
Much of the access review process seems relatively basic, but when done right it catches the provisioning and de-provisioning mistakes that preventive controls inevitably let through. With proper design, documentation and assignment of responsibility, it can be an effective tool for service organizations in achieving their security and compliance goals.