You’re a busy IT operations manager. You run a tight ship, including security operations. But are some of your basic controls as consistent as you think?
It’s worth figuring that out before the compliance auditors arrive — or ahead of an ugly security breach that lands your company in the headlines and compromises your clients or your company’s future.
Terminating access looks like a simple task, but it involves more challenges and complexities than you might assume. It’s one of your control basics, like the fundamentals for a stroke in your squash or tennis game. Are your compliance fundamentals solid?
For basic access control, you depend on HR to provide lists of terminated employees. If their information is not complete, accurate or timely, will people say, “HR has a hole in security?” Or will it reflect squarely on you?
You probably already know the answer to that question! So help them out: review their workflow and report preparation procedures and capabilities.
When you take a closer look at that HR report, check to see if it includes three commonly overlooked categories: consultants, part-time workers or employees transferred but not terminated.
Without these, you cannot do your job properly. And sooner or later, a breach will develop from one of these categories that can put your whole company at risk.
That’s not the only gap you need to review, unfortunately, as HR often overlooks two other reports: all terminated employees (prior 12 months) and off-cycle terminations.
So HR does terminations Wednesday morning to catch people by surprise. What about the one they did over the weekend because the person was on vacation? If someone is terminated on Friday night at 6 p.m., your staff will likely not get a report about this until Monday evening at the earliest, and more likely Thursday, when the regular weekly report comes in.
Sure, security operations staff terminates access every day in a large organization. But have you double-checked that no one fell through the cracks? Your staff, after all, are human. It’s easy to skip a line or overlook a report. Unless you are running this reconciliation regularly, you may be in for some surprises.
Surprise yourself and find these mistakes independently, rather than letting the compliance auditors find them.
Believe me, they will.
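A minimal sketch of that reconciliation, added here as an illustration and not taken from any HR or identity product: it joins HR events (including consultants, part-time workers, transfers, off-cycle and prior-12-month terminations) against the account directory and reports what is still live. All field names, IDs, group names and the department-to-group mapping are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data; the schema is an assumption, not a real HR/IAM export.
HR_EVENTS = [
    {"id": "e100", "type": "employee", "event": "terminated", "at": "2024-03-06T09:00"},
    # Off-cycle: Friday 6 p.m., missed by the regular weekly report.
    {"id": "c200", "type": "consultant", "event": "terminated", "at": "2024-03-08T18:00"},
    # Only visible in the "all terminations, prior 12 months" report.
    {"id": "p300", "type": "part-time", "event": "terminated", "at": "2023-11-15T09:00"},
    {"id": "e400", "type": "employee", "event": "transferred", "at": "2024-03-01T09:00",
     "from_dept": "finance"},
]
ACCOUNTS = [
    {"id": "e100", "enabled": False, "groups": []},
    {"id": "c200", "enabled": True, "groups": ["vpn"]},
    {"id": "p300", "enabled": True, "groups": ["mail"]},
    {"id": "e400", "enabled": True, "groups": ["finance-ledger", "sales-crm"]},
    {"id": "e500", "enabled": True, "groups": ["mail"]},  # no HR event: not a finding
]
# Hypothetical mapping of a department to the groups only its members should hold.
DEPT_GROUPS = {"finance": {"finance-ledger"}}

def reconcile(hr_events, accounts, as_of):
    """Return (id, worker type, issue, hours exposed), longest exposure first."""
    by_id = {a["id"]: a for a in accounts}
    findings = []
    for ev in hr_events:
        acct = by_id.get(ev["id"])
        if acct is None or not acct["enabled"]:
            continue  # access already removed, nothing to report
        hours = round((as_of - datetime.fromisoformat(ev["at"])).total_seconds() / 3600)
        if hours < 0:
            continue  # future-dated event, not yet effective
        if ev["event"] == "terminated":
            findings.append((ev["id"], ev["type"], "account still enabled", hours))
        elif ev["event"] == "transferred":
            stale = DEPT_GROUPS.get(ev["from_dept"], set()) & set(acct["groups"])
            if stale:
                issue = "retains old access: " + ", ".join(sorted(stale))
                findings.append((ev["id"], ev["type"], issue, hours))
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    # Run as of Monday morning, before the weekly report arrives.
    for finding in reconcile(HR_EVENTS, ACCOUNTS, datetime(2024, 3, 11, 9, 0)):
        print(finding)
```

Sorting by hours of exposure puts the oldest misses at the top, which is the order an auditor will ask about them.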
Take care of these complexities, and your compliance “game fundamentals” will be tight for the big match when the auditors come around to play.