The most feared topic an auditor can ask! 5/10

Nowadays, employees can start working usefully at different organizations once they have got the necessary access rights in the system. There are several ways to obtain these:

1. The simplest, and for the smaller companies the most common, is that the manager calls/writes an email to their IT staff and asks them to create a new user, and tells them what rights should be given (typically: it should be the same as XY’s rights). In this case, it is almost impossible to prove what had to be set exactly. At most, if he/she still doesn’t have enough rights, the manager will ask more.

2. If they try to give the appearance of a kind of organization or compliance, then an authorization form is created, which must be signed or approved by email, and the IT administrator will set up the new user account and his/her rights based on this form only. If the form/email is preserved, it will be possible to retrieve it later (although with difficulties) and check what rights were requested and approved (or was there any approval at all) for each employee.

3. A more advanced solution is when an application, approval, setup process is developed through a single, electronic procedure. To a certain degree, this already complies with security compliance standards. In this case, the details of each step are stored, and they can be easily retrieved and verified, so that the steps of the approval process itself can be considered well-managed and traceable.

4. However, it is even better to have a separate system to administer the application process (and the modification, revocation process that has not been discussed yet), to monitor the status, to register the rights required, and to read and compare them from the relevant systems. Moreover, this could even adjust the rights automatically. These are the Identity Management Systems, and they are currently considered the best solution in the access right administration process.

But are the most advanced solutions appropriate for providing real control over the proliferation of rights? If so, then privilege creep among the employees was not a problem any longer in companies that use such a tool.

You can read about it in our next article.

2 min read

Share this post:

Scroll to Top

Live webinar

How to detect the riskiest
users, roles and areas in SAP

🎤 Speaker: Csaba Békési – Risk Consultant at XS Matrix (TheFence)
💡 Moderator: Paulino Calderon – Co-Founder of WebSec
📅 Date: June 19th, 2024

🕒 Time: 10 am (EST)

Duration: 1 hour

📍 Venue: Zoom Meeting