User registration / deregistration

A formal procedure is required for user registration and removal.

User ID should leave an audit trail holding them responsible for their activities. It should allow for periodic identification or disablement of IDs not in use making for an active management policy rather than a reactive one.

Tiers of security should be applied that are consistent with information classification, in addition to specific areas of network segregation for open access (think wifi access for visitors in your lobby) versus an unconnected terminal for highly classified information (think mission impossible)

Access provisioning

Provisioning authorisation should come from the information asset owner, this should be verified that it is appropriate and does not conflict with any other policy (segregation of duties)  before access rights are granted to a user. Rights granted should be recorded. Procedure should include how rights need to be changed for users who change jobs or who have terminated their employment. Review of rights with the information assets owner should form part of the procedure periodically. The frequency of this will vary from company to company and equally differ across asset classifications.

Privileged access rights

These should be restricted and controlled.

Consideration should be given to allocation per information asset, records of this, expiry of rights, segregation of user (separate from general user ID for audit trail). Specific procedures should exist to cover the use of generic administration passwords and IDs – this is one the most significant causes of security breaches in organisations.

Secret authentication information of users

Users should sign a statement to keep authentication details secret (part of terms and conditions of employment is a good place), verification of the user should take place before issuing authentication details. Am I giving this login to the person they say they are? Procedures should specify how this is conducted. Receipt of details from the user should be recorded. You may consider this to be important, so don’t make this automatic or that use itself is accepted and receipt.

Review of user access rights

Review should occur periodically and specifically at the time of change or termination or roles. Consider increasing frequency of review as the classification of information increases. Privileged access rights should be checked to ensure unauthorised access has not occurred and that access is still required – do they actually use this?

Removal / change of access rights

Not much new here that hasn’t already been covered above, but where passwords are known for common systems, these should be changed immediately. Think disgruntled employee. Efforts should be given to ensure current employees are made aware and that no further information is shared at that any group lists / sharing arrangements are adjusted to reflect the new status quo.