What are the important considerations when reviewing user access?
Organizations that do not perform regular user access reviews expose themselves to a multitude of risks, from data breaches to compliance deficiencies. However, before they begin performing reviews, companies must first develop an access review policy to define the process.
The access review policy should address items such as maintenance of asset owners, review frequency, roles and access levels, exceptions to the policy, and so on.
Key considerations when reviewing user access
Roles/permissions: When reviewing user access, it is essential to consider the roles and/or permissions that users have, as well as who has the ability to grant or revoke user access within the system. The goal here is to achieve the principle of least privilege, so that users are granted only the roles/permissions necessary to fulfill the duties of their job, without impairing or hindering business operations. In addition, because many employees transfer between roles, the level of access they require may change.
Inactive accounts: Without a UAR process, inactive, stale accounts may remain in the system indefinitely. Consider reviewing the last logon date for user accounts and removing accounts with no activity within a predetermined period (refer to your organization's Access Review Policy). In addition, disabled accounts that have been inactive should be considered for removal as well.
Access to sensitive data: When reviewing access, data sensitivity is an important factor to consider. Applications/users with access to sensitive data may need to be reviewed more frequently. Ask yourself these questions: Does my organization receive, transmit and/or process any sensitive data? Where does that data reside (which applications/servers/workstations, etc.)?
Look-back procedures: When you determine that a user has had improper access, whether since the last review or longer, a look-back procedure is essential. This procedure involves reviewing the actions of the user in question over the period during which the user had inappropriate access and determining whether unauthorized changes were made.
Consider third-party access/system accounts/service accounts: It is key to determine whether your company can reduce third-party access to organizational applications or environments, either by removing that access or by implementing compensating controls. The access may belong to third parties with which you no longer have contracts or agreements. In addition, when reviewing system accounts and service accounts, consider where their passwords are stored. If they are stored in a password vault, consider who has access to those accounts in the vault.
Make the review auditable: User access reviews are typically a key control in most IT-related audits; therefore, ensuring that the user access review is auditable is critical. The review should be documented so that an auditor could re-perform it. When exporting the user listing, include completeness and accuracy evidence (a screenshot of how the list was generated), and create an audit record covering which changes were necessary, references to the tickets for those changes, look-back procedures, approvals, the user listing submitted for review, the user listing after review (to confirm the changes made), and so on. In addition, consider creating a template within which business owners can document the reviews. Such templates may include:
- An initial user access listing (evidence of how the listing was generated)
- Review results
- Segregation-of-duties assessment
- Reviewer's signature and date
- Documentation of the changes made (ticket evidence)
- Updated user listing showing that access was updated (evidence of how the listing was generated)
- Risk assessment for any inappropriate access that was detected (look-back procedures)
Privileged access/administrative users: Users with privileged access to systems pose a higher risk than regular users, making these reviews even more critical. Consider reviewing privileged access accounts more frequently.
Independent reviewer: When reviewing access to a system, reviewers should not review and approve their own access. A secondary, independent reviewer should review the initial reviewer's access to the application/database to confirm that the initial reviewer's access is appropriate.
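The considerations above (stale accounts judged by last logon, disabled accounts still present, privileged and service accounts that warrant more frequent review, an auditable record of the exact listing reviewed, and an independent reviewer for the reviewer's own account) can be turned into a repeatable review worksheet. The following is an added example written for this page, not code from Schneider Downs; the user listing, role names ("admin", "service") and the 90-day inactivity default are constructed assumptions that you would replace with your own export and Access Review Policy values.

```python
"""
Worked user-access-review (UAR) worksheet.

Takes an exported user listing and produces the findings a reviewer works
through: stale accounts (last logon older than the policy period), disabled
accounts still present, privileged and service accounts that warrant more
frequent review, and any account the named reviewer may not sign off on
themselves. A SHA-256 of the exported listing is recorded so an auditor can
tie the worksheet back to the exact list that was reviewed.
"""
import hashlib
import json
from datetime import date, timedelta

# Constructed sample listing (hypothetical users; not real data). In practice
# this is the export from the application, directory or database under review.
SAMPLE_LISTING = [
    {"user": "alice",      "role": "admin",   "enabled": True,  "last_logon": "2024-03-01"},
    {"user": "bob",        "role": "analyst", "enabled": True,  "last_logon": "2023-06-15"},
    {"user": "carol",      "role": "analyst", "enabled": False, "last_logon": "2023-01-10"},
    {"user": "svc_backup", "role": "service", "enabled": True,  "last_logon": "2024-03-30"},
    {"user": "dave",       "role": "admin",   "enabled": True,  "last_logon": "2024-03-28"},
]

# Role names are assumptions for the sample; map them to your own role model.
PRIVILEGED_ROLES = {"admin"}
SERVICE_ROLES = {"service"}


def listing_digest(listing):
    """SHA-256 over a canonical JSON form of the listing: completeness and
    accuracy evidence that the reviewed list is the one that was exported."""
    canonical = json.dumps(listing, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def find_stale_accounts(listing, as_of, inactive_days):
    """Accounts whose last logon is older than the policy's inactivity period.
    as_of is an ISO date string (the review date)."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=inactive_days)
    return [r["user"] for r in listing if date.fromisoformat(r["last_logon"]) < cutoff]


def find_disabled_accounts(listing):
    """Disabled accounts still present in the system (candidates for removal)."""
    return [r["user"] for r in listing if not r["enabled"]]


def find_privileged_accounts(listing):
    """Accounts in privileged roles: review these on a more frequent cycle."""
    return [r["user"] for r in listing if r["role"] in PRIVILEGED_ROLES]


def find_service_accounts(listing):
    """Service/system accounts: also confirm where their credentials are vaulted."""
    return [r["user"] for r in listing if r["role"] in SERVICE_ROLES]


def accounts_needing_independent_review(listing, reviewer):
    """The reviewer's own account(s) must be approved by a second, independent reviewer."""
    return [r["user"] for r in listing if r["user"] == reviewer]


def build_review_worksheet(listing, reviewer, as_of, inactive_days=90):
    """Assemble the worksheet a reviewer fills in and an auditor can re-perform."""
    return {
        "as_of": as_of,
        "reviewer": reviewer,
        "inactive_days": inactive_days,
        "listing_sha256": listing_digest(listing),
        "stale": find_stale_accounts(listing, as_of, inactive_days),
        "disabled": find_disabled_accounts(listing),
        "privileged": find_privileged_accounts(listing),
        "service": find_service_accounts(listing),
        "requires_independent_review": accounts_needing_independent_review(listing, reviewer),
    }


if __name__ == "__main__":
    # Review dated 2024-04-01, performed by "alice", 90-day inactivity policy.
    print(json.dumps(build_review_worksheet(SAMPLE_LISTING, "alice", "2024-04-01"), indent=2))
```

Recording the listing digest alongside the screenshot of how the export was produced gives the auditor two independent ways to confirm completeness and accuracy; the worksheet's "requires_independent_review" entries are the ones that must carry a second reviewer's sign-off rather than the initial reviewer's.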
We recommend performing user access reviews on a regular basis (quarterly, semi-annually, annually, etc.). When selecting a review frequency, consider any compliance standards, laws, regulations, etc. that may apply to your organization, as well as the risk associated with the application/data in scope for the review.
In addition, if your organization has the resources, there are tools and software that can make the review process more efficient.
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
Explore our full Risk Advisory Services offering or contact the team at contactsd@hadeslo.com.