Audit Services

Access Control Review

The security of your organization’s data is important. To make it secure, you need to be aware of the activities performed with the data. The data should be accessible to people who have certain privileges. Otherwise, in the event of any loss or damage, you will be unable to identify the reason that any unauthorized user has wrongfully used their rights to access data.

Access control is a technique to limit the access of resources or information to certain people, for security purpose. For computer security, organizations implement access control to ensure that each entity trying to access resources possess certain rights and permission. In computer systems, there is an access control list which includes the list of permissions required by particular user to access the data. It helps to secure data and define privileges as to regulate who or what can view the information.

img-access-control

Objective of This Assessment

User access review uses a principle of ‘least privileges’. A user access review helps you in monitoring the appropriateness of an entity to view or update the information. A user should be given access to only those resources which are necessary to perform their tasks, while preventing the access to resources which are irrelevant to the user.

The access control method involves three phases to mitigate security risks of information. The three phases are as follows:

Authentication

It confirms the user’s identity and allows him to access resources accordingly. It can include a username, password, or PINs.

Authorization

It allows the authenticated user to access appropriate resources. In other words, it ensures what can be done by an authenticated user.

Auditing

It helps the administrator to track the access abnormalities of information. It reveals the unauthorized access attempts done by a user.

Approach & Methodology

An organization should have a template of a written standard of access control review. It would serve as a guide for security analysts and other people associated with information security. The overview is as follows:

Classify the business owners of every application.
Instruct business owners to organize data in their application. There should be corporate police defined for organizing data.
If policy does not exist, create immediately. The applications of high-risk should be reviewed frequently.
The business owners should create two lists; one for the approved departments and other one for rejected departments. It should be done on the basis of the nature of department using the application.
Inform the people associated with rejected department that their access has been removed from the application. On the other hand, notify the approved department about their confirmation of accessing the resources.
Ensure to obtain a written list of all the tasks performed above.

It is recommended that you should select an access control system which has a robust management interface. Access control review is easier to be performed afterwards.