Educause Security Discussion mailing list archives
Re: Access Certification / Review
From: Chris Green <chrisgreen () GSU EDU>
Date: Tue, 27 May 2014 11:45:26 +0000
Peter: You’ve hit the nail on the head; that problem is in the IAM space. You can get by with the spreadsheet review process, but it’s often incomplete. You also get approval fatigue (how many systems X managers X admin processes coded per app). For most people, maintain access is the right answer. The exceptions are terminations, job transfers, or departmental responsibility changes.

In some sectors such as EDU, where people are often shared between departments, you can also include the system owner/steward in the review cycles. Generally, they know what data is there and are often the best at identifying what is going on. Without it, you generally miss part of the reviews (e.g. you may get the ERP application right but might forget the underlying DB or Unix system OR backup system OR systems management system).

I think the process tool is much more important than the automated integration. The automated integration can be measured on a cost of connector/etc. Measure the time of the spreadsheet processes and identify gaps. You’ll be well on your way to helping justify a tool.

On May 23, 2014, at 3:19 PM, Peter Lundstedt <peter.lundstedt () DRAKE EDU> wrote:

Hello everyone,

We are working on an audit finding related to access certifications performed by our data custodians, as well as access certifications of the data custodians. The consensus is that we should not be relying on email and spreadsheets to complete these reviews; however, most of the systems I’ve seen are tied to Identity Management systems – we are close to starting an IAM project that would probably include access review but are not there yet. On top of this, the systems I’ve worked with in the past simply presented the access to the reviewer, in most cases a superior who has no idea what the information means, mostly just clicking “Maintain”.

I’m interested in hearing what others have done for certifications – is an app required, have you built something internally, are you relying on the email/spreadsheet type of system that I mentioned above, how do you complete the review in a meaningful way? Vendors may contact me on this – I’m in need of ideas.

Peter Lundstedt
SECURITY ANALYST 2, INFRASTRUCTURE & SECURITY SERVICES
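The reply above makes two practical points: most access should be maintained by default and only terminations and transfers need a human decision, and a review that stops at the application layer misses the database, OS and backup accounts underneath it. The script below is an added example illustrating both, not code from either poster or from any IAM product. It assumes entitlement exports can be flattened to (system, layer, account, owner id, department at grant) rows and that an HR roster gives each owner's status and current department; all rows and ids are constructed sample data.

```python
"""Cross-layer access review: default-maintain with exceptions, plus a coverage check.

Added example for this thread; not code from either poster. The export row
format, the HR roster shape and every sample value below are assumptions.
"""
from collections import Counter

# Constructed HR roster: employee id -> (employment status, current department).
HR_ROSTER = {
    "e100": ("active", "Finance"),
    "e200": ("terminated", "Finance"),
    "e300": ("active", "Registrar"),   # moved from Finance to Registrar
    "e400": ("active", "IT"),
}

# Constructed entitlement exports, one row per account per layer:
# (system, layer, account, owner employee id, department when access was granted).
# The database, os and backup rows are the layers that spreadsheet reviews tend to forget.
ENTITLEMENTS = [
    ("ERP", "application", "jdoe",      "e100", "Finance"),
    ("ERP", "application", "asmith",    "e200", "Finance"),
    ("ERP", "application", "bjones",    "e300", "Finance"),
    ("ERP", "database",    "jdoe_db",   "e100", "Finance"),
    ("ERP", "database",    "asmith_db", "e200", "Finance"),
    ("ERP", "os",          "bjones",    "e300", "Finance"),
    ("ERP", "backup",      "backupadm", "e400", "IT"),
    ("ERP", "backup",      "asmith",    "e200", "Finance"),
]

# (system, layer) pairs the last review cycle actually certified (constructed).
REVIEWED_LAYERS = {("ERP", "application")}


def classify(entitlement, roster):
    """Return a review decision for one entitlement row.

    The default is "maintain"; only the exception cases named in the thread
    (termination, transfer) and owners missing from HR are escalated.
    """
    _system, _layer, _account, owner, dept_at_grant = entitlement
    status, current_dept = roster.get(owner, ("unknown", None))
    if status == "unknown":
        return "investigate: owner unknown"
    if status == "terminated":
        return "remove: owner terminated"
    if current_dept != dept_at_grant:
        return "re-approve: owner transferred"
    return "maintain"


def review(entitlements, roster):
    """Build the review worklist: every row with its decision attached."""
    return [
        {"system": system, "layer": layer, "account": account, "owner": owner,
         "decision": classify((system, layer, account, owner, dept), roster)}
        for system, layer, account, owner, dept in entitlements
    ]


def exceptions_only(worklist):
    """Rows that need a human decision; the rest are auto-maintained,
    which is what keeps approval fatigue down."""
    return [item for item in worklist if item["decision"] != "maintain"]


def coverage_gaps(entitlements, reviewed_layers):
    """(system, layer) pairs that hold accounts but were never reviewed."""
    present = {(system, layer) for system, layer, *_ in entitlements}
    return sorted(present - reviewed_layers)


def summarize(worklist):
    """Counts per decision, useful for sizing the manual effort of a cycle."""
    return dict(Counter(item["decision"] for item in worklist))


if __name__ == "__main__":
    worklist = review(ENTITLEMENTS, HR_ROSTER)
    for item in exceptions_only(worklist):
        print(f"{item['system']}/{item['layer']}: {item['account']} -> {item['decision']}")
    print("uncovered layers:", coverage_gaps(ENTITLEMENTS, REVIEWED_LAYERS))
    print("summary:", summarize(worklist))
```

Run on the sample data, the worklist routes only the terminated owner's three accounts and the transferred owner's two accounts to a reviewer, and the coverage check reports that the database, os and backup layers were never certified. The same decision count per cycle is the figure the reply suggests measuring to justify a tool.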
Current thread:
- Access Certification / Review Peter Lundstedt (May 23)
- Re: Access Certification / Review Chris Green (May 27)