Security Controls, Explained: Access Control

Control of the Week #3: Access Control for SOC 2

This week’s control is on access control. Jose Costa (CISO at Tugboat Logic) and Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic) explain why access control is important and how you can implement it for your audits.

Why this control is important

AC3.1 – Manage Account Access – Access to in-scope system components (application(s) and its underlying infrastructure) requires a documented access request and approval from management prior to access provisioning.

This control is one of the literal gatekeepers for your data because it prevents the wrong people from getting a set of keys to data or tools they don’t own. And while the control seems simple at a glance, it’s one that’s often failed in audits! The “wrong people” don’t have to be thieves or hackers; they can be members of your own organization who never received advance approval to access that data.

While granting access can seem harmless enough at first, know that it can “trickle down” to other roles. For example, your security officer grants your head of marketing full access to a tool. The head of marketing assumes that any one of their marketers can have the same access. Without anyone understanding what full access entails, the entire marketing team suddenly has full access and can potentially reach data or tools they never should have been able to, merely because no access plan or documentation existed.

Coming up with a plan in advance and getting approval from internal teams before access is granted will help you manage who has which types of access, grant and revoke access during onboarding and offboarding, and ensure that client access is documented and kept up to date.

How to implement this control for your audits

The first step is to establish who has ownership over the control. Make sure that whoever is granting access understands what they are granting in advance. Giving sweeping access to a program or piece of software might seem like a fantastic idea in terms of making your life easier in the short term, but that software may store personal information that people in your org shouldn’t have access to.

As an organization grows and involves more employees, clients, and vendors, the process becomes more complicated. So, remember this key practice: You need to grant approval before you grant access.

It’s so important that it bears repeating: You need to grant approval before you grant access.

A two-way system will help reduce mistakes and halt that trickle-down effect. This system can involve simple documentation and policies:

  • Create a template list of apps with a list of access.
  • Implement an on/offboarding process.
  • Ensure everyone in the organization knows who the gatekeeper is.

And, consider every type of access:

  • Administrator Accounts – self-explanatory.
  • Undocumented Accounts – when an owner is granting the access, ensure they have approval to do so.
  • System Accounts – general management accounts that are linked to the organization and not an individual.
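The workflow above (a template of in-scope apps with their access levels, a named gatekeeper per app, approval recorded before provisioning, revocation at offboarding, and a check for undocumented accounts) can be enforced in software rather than by memory. The following Python module is an added illustration written for this post; it is not Tugboat Logic’s code, and the system names, owner roles, access levels and user names in it are constructed placeholders. It refuses to provision an account unless a documented request has been approved by that system’s designated owner, keeps a plain evidence log an auditor can read, and compares what is actually present on a system against what was approved so that undocumented accounts surface.

```python
"""Access provisioning gate: an added illustration of AC3.1 (approval before access).

Assumptions (not from the original post): systems, owners, levels and users are
constructed sample values; the evidence log is an in-memory list.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SystemEntry:
    """One row of the 'template list of apps': who approves, and which levels exist."""
    owner: str                 # the gatekeeper for this system
    levels: FrozenSet[str]     # access levels that may be requested


# Constructed access template (an assumption for this example).
ACCESS_TEMPLATE: Dict[str, SystemEntry] = {
    "crm":     SystemEntry("security_officer", frozenset({"read", "write", "admin"})),
    "billing": SystemEntry("finance_lead",     frozenset({"read", "admin"})),
}


class ApprovalError(Exception):
    """Raised when an action lacks the documented approval the control requires."""


@dataclass
class AccessRequest:
    request_id: str
    requester: str             # who asked for the access (e.g. a manager)
    user: str                  # account that will receive the access
    system: str                # in-scope system, must appear in the template
    level: str                 # requested access level
    justification: str
    approved_by: Optional[str] = None
    approved_on: Optional[date] = None
    provisioned: bool = False


class AccessGate:
    """Enforces 'approve first, provision second' and keeps audit evidence."""

    def __init__(self, template: Dict[str, SystemEntry]) -> None:
        self.template = template
        self.requests: Dict[str, AccessRequest] = {}
        # system -> {user: level}; only ever written by provision() / offboard()
        self.accounts: Dict[str, Dict[str, str]] = {s: {} for s in template}
        self.evidence: List[str] = []

    def submit(self, req: AccessRequest) -> None:
        """Document a request; reject systems or levels the template does not define."""
        if req.system not in self.template:
            raise ValueError(f"{req.system!r} is not an in-scope system")
        if req.level not in self.template[req.system].levels:
            raise ValueError(f"level {req.level!r} is not defined for {req.system}")
        self.requests[req.request_id] = req
        self.evidence.append(f"REQUEST {req.request_id}: {req.requester} asks "
                             f"{req.level} on {req.system} for {req.user}: {req.justification}")

    def approve(self, request_id: str, approver: str, on: Optional[date] = None) -> None:
        """Only the system's designated owner may approve; anyone else is refused."""
        req = self.requests[request_id]
        owner = self.template[req.system].owner
        if approver != owner:
            raise ApprovalError(f"{approver} is not the gatekeeper for {req.system} ({owner} is)")
        req.approved_by = approver
        req.approved_on = on or date.today()
        self.evidence.append(f"APPROVE {request_id}: by {approver} on {req.approved_on}")

    def provision(self, request_id: str) -> None:
        """Create the account only when a documented approval exists."""
        req = self.requests.get(request_id)
        if req is None or req.approved_by is None:
            raise ApprovalError(f"request {request_id!r} has no documented approval; refusing")
        self.accounts[req.system][req.user] = req.level
        req.provisioned = True
        self.evidence.append(f"PROVISION {request_id}: {req.user} now has {req.level} on {req.system}")

    def offboard(self, user: str) -> List[str]:
        """Revoke a user everywhere; returns the systems they were removed from."""
        revoked = [s for s, accts in self.accounts.items() if accts.pop(user, None) is not None]
        for s in revoked:
            self.evidence.append(f"REVOKE: {user} removed from {s} (offboarding)")
        return revoked

    def find_undocumented(self, observed: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
        """Flag accounts seen on a system that do not match an approved, provisioned request."""
        findings: List[Tuple[str, str, str]] = []
        for system, accts in observed.items():
            for user, level in accts.items():
                if self.accounts.get(system, {}).get(user) != level:
                    findings.append((system, user, level))
        return findings


if __name__ == "__main__":
    gate = AccessGate(ACCESS_TEMPLATE)
    gate.submit(AccessRequest("R1", "head_of_marketing", "alice", "crm", "write", "campaign reporting"))
    gate.approve("R1", "security_officer")
    gate.provision("R1")
    print("\n".join(gate.evidence))
```

The `find_undocumented` check is the piece most often missing in practice: run it against an export of each system’s real user list (constructed here as a dictionary) and every account that was never approved, or whose level drifted upward, is listed for review.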
