Under Annex A control A.9.2.5 Review User Access Rights, organisations are required to conduct user access reviews periodically to ensure that all users with access to the network, systems or applications are authorized. This can be considered a supplementary control to ensure that all access removal controls are operated correctly, and will identify any unauthorized active users on the network.
Recent statistics suggest that up to 59% of disgruntled employees may pose a risk to information security when they quit or are fired.
The purpose of organisations review user access rights is primarily to reduce the risk from disgruntled former employees, contractors or temporary employees. If an account remains active after an employee has left the organisation, there is a significant risk that the former employee can use existing credentials to access the network, applications or information maliciously.
This may result in unauthorized information access or disclosure in the simplest form, or malicious attacks against resources, data leakage or installation of malicious code in the worst case. Legacy accounts are therefore a very real risk for most organisations, so implementation of multiple controls is a must to combat this using a defense in depth approach.
Dependent on the size and complexity of the organisation, review user access rights can take the form of simple dumps from the organisations active directory (or similar directory service) to implementation of sophisticated tool kits and analysis.
How the organisation conduct their reviews is down to them, but some examples are highlighted below:
1. Manual Analysis: This can be achieved by taking a dump from Active Directory and organizing users into groups based on line management or role. By splitting users into groups, group owners can be established to conduct the review and confirm/deny whether a user still requires an active directory account or if the user has left. Similarly, this process could be cross-referenced against known staff leavers identified by Human Resources (HR). Accounts assigned to users that have left the organisation is an indication of breakdown in the staff leaver process so should be investigated further with the relevant departments.
2. Software Tools: There are numerous software packages that can be utilized to support user access reviews. These tools organize groups together and can manage the whole user account life cycle from provision through to deletion. Often tools can interface with other systems such as the HR database to ensure that any users marked as leaver in HR databases have their account removed automatically. For larger organisations this may be a more viable option, but a cost/benefit analysis should be undertaken to determine whether there is a need for tools such as this. Tools such as Manage Engine’s Active Directory Audit offer basic tools out of the box that can allow active directory monitoring, and more advanced tools such as Dell’s Active Roles can be used to group roles together into roles, allowing role-based access controls to be implemented.
Users should be provided with least privilege for their job role or purpose
Whichever approach is taken, the outputs should enable the organisation to identify active users with a genuine business requirement for a network account and accesses to specific resources. As mentioned above, if the outputs indicate that a number of staff leavers network accounts have remained valid post-employment this is a strong indicate that the staff leavers process requires maturing and should be the next focus.
