Information Security Booklet, II Information Security Program Management, II.C Risk Mitigation, II.C.7 User Security Controls
Management should mitigate the
risks posed by users by doing the following:
Users should be granted access to systems, applications, and
databases based on their job responsibilities. Access rights should
be granted in accordance with the institution's physical and
logical access control policies. Authorized users with elevated or
administrator privileges pose a distinct threat to systems and data:
employees, contractors, or third-party service providers can misuse
their legitimate access for unauthorized purposes, and the broader
the internal access granted to a user, the greater the potential
damage to, or loss of, information and systems.
Risk exposures from internal users include the following:
Management should understand
the risks to the institution's information-processing environment
and establish appropriate user access controls to mitigate these
and other potential risks to the institution's assets. Users should
understand, and confirm their understanding of, their roles and
responsibilities in maintaining a sound security environment, which
covers both physical and logical access.