Financial institutions should have an effective process to
administer access rights. The process should include:
System devices, programs, and data are system resources.
Each system resource may need to be accessed by individuals (users)
in order for work to be performed. Access beyond the minimum
required for work to be performed exposes the institution's systems
and information to a loss of confidentiality, integrity, and
availability. Accordingly, the goal of access rights
administration is to identify and restrict access to any particular
system resource to the minimum required for work to be
performed. The financial institution's security policy should
address access rights to system resources and how those rights are
to be administered.
Management and information system administrators should
critically evaluate information system access privileges and
establish access controls to prevent unwarranted access.
Access rights should be based upon the needs of the applicable user
to carry out legitimate and approved activities on the financial
institution's information systems. Policies, procedures, and
criteria need to be established for both the granting of
appropriate access rights and for the purpose of establishing those
Formal access rights administration for users consists of four
The enrollment process establishes the user's identity and
anticipated business needs for information and systems. New
employees, IT outsourcing relationships, and contractors may also
be identified, and the business need for access determined during
the hiring or contracting process.
During enrollment and thereafter, an authorization process
determines user access rights. In certain circumstances the
assignment of access rights may be performed only after the manager
responsible for each accessed resource approves the assignment and
documents the approval. In other circumstances, the
assignment of rights may be established by the employee's role or
group membership, and managed by pre-established authorizations for
that group. Customers, on the other hand, may be granted
access based on their relationship with the institution.
Authorization for privileged access should be tightly
controlled. Privileged access refers to the ability to
override system or application controls. Good practices for
controlling privileged access include
The access rights process programs the system to allow the users
only the access rights they were granted. Since access rights
do not automatically expire or update, periodic updating and review
of access rights on the system is necessary. Updating should
occur when an individual's business needs for system use
change. Many job changes can result in an expansion or
reduction of access rights. Job events that would trigger a
removal of access rights include transfers, resignations, and
terminations. When these job events occur, institutions
should take particular care to promptly remove the access rights
for users who have remote access privileges, access to customer
information, and perform administration functions for the
Because updating may not always be accurate, periodic review of
user accounts is a good control to test whether the access right
removal processes are functioning and whether users exist who
should have their rights rescinded or reduced. Financial
institutions should review access rights on a schedule commensurate
with risk. ISO17799, 9.2.4 requires reviews at six month
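The review paragraph above describes a detective control: checking whether the removal process actually ran and whether any remaining users should lose rights. The following is an added example, not part of the FFIEC booklet, showing how such a periodic review can be carried out as a reconciliation of HR job events (transfers, resignations, terminations) against the system's account list, giving priority to the remote-access, customer-information and administrative accounts the text singles out. All field names and sample data are constructed for illustration.

```python
"""Periodic access-rights review: reconcile HR job events with the account list.
Added example with constructed sample data; not the booklet's own procedure."""
from dataclasses import dataclass, field

# Rights the text says deserve particular care when a user leaves or moves.
HIGH_RISK_RIGHTS = {"remote_access", "customer_info", "admin"}

@dataclass
class Account:
    user: str
    enabled: bool
    rights: set = field(default_factory=set)
    approved_by: str = ""  # manager who documented the authorization, if any

# Constructed sample inputs: HR status since the last review, and current accounts.
HR_EVENTS = {
    "alice": ("active", "branch-ops"),
    "bob":   ("terminated", None),
    "carol": ("transferred", "marketing"),
    "dave":  ("resigned", None),
    "erin":  ("active", "it-admin"),
    "frank": ("transferred", "finance"),
}
ACCOUNTS = [
    Account("alice", True, {"customer_info"}, "mgr-ops"),
    Account("bob",   True, {"remote_access", "customer_info"}, "mgr-ops"),
    Account("carol", True, {"admin"}, "mgr-it"),            # rights from old role
    Account("dave",  False, {"remote_access"}, "mgr-ops"),  # already disabled: fine
    Account("erin",  True, {"admin"}, ""),                  # no documented approval
    Account("frank", True, {"reports"}, "mgr-ops"),         # low-risk rights
    Account("svc-legacy", True, {"admin"}, ""),             # no HR record at all
]

def review(accounts, hr_events):
    """Return (user, finding, priority) tuples, high-priority findings first."""
    findings = []
    for acct in accounts:
        status, _new_role = hr_events.get(acct.user, ("unknown", None))
        prio = "high" if acct.rights & HIGH_RISK_RIGHTS else "normal"
        if status in ("terminated", "resigned") and acct.enabled:
            findings.append((acct.user, "removal not executed: disable account", prio))
        elif status == "transferred":
            findings.append((acct.user, "re-authorize rights for new role", prio))
        elif status == "unknown":
            findings.append((acct.user, "no HR record: establish owner or disable", prio))
        elif acct.enabled and not acct.approved_by:
            findings.append((acct.user, "no documented manager approval", prio))
    return sorted(findings, key=lambda f: f[2] != "high")  # stable: high first

if __name__ == "__main__":
    for user, finding, prio in review(ACCOUNTS, HR_EVENTS):
        print(f"[{prio:6}] {user}: {finding}")
```

Running the review against an actual HR feed and directory export in the same shape turns the text's "periodic review" into a repeatable report whose empty result is the evidence that the removal process is working.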
Access rights to new software and hardware present a unique
problem. Typically, hardware and software are shipped with
default users, with at least one default user having full access
rights. Easily obtainable lists exist for popular software
that identify the default users and passwords, enabling anyone with
access to the system to obtain the default user's access.
Default user accounts should either be disabled, or the
authentication to the account should be changed.
Additionally, access to these default accounts should be monitored
more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational Web
server. Systems that allow access to or store sensitive
information, including customer information, should be protected
against anonymous access.
The access rights process also constrains user activities
through an acceptable-use policy (AUP). Users who can access
internal systems typically are required to agree to an AUP before
using a system. An AUP details the permitted system uses and
user activities and the consequences of noncompliance. AUPs
can be created for all categories of system users, from internal
programmers to customers. An AUP is a key control for user
awareness and administrative policing of system activities.
Examples of AUP elements for internal network and stand-alone users
Depending on the risk associated with the access, authorized
internal users should generally receive a copy of the policy and
appropriate training, and signify their understanding and agreement
with the policy before management grants access to the system.
Customers may be provided with a Web site disclosure as their
AUP. Based on the nature of the Web site, the financial
institution may require customers to demonstrate knowledge of and
agreement to abide by the terms of the AUP. That evidence can
be paper based or electronic.
Authorized users may seek to extend their activities beyond what
is allowed in the AUP, and unauthorized users may seek to gain
access to the system and move within the system. Network
security controls provide many of the protections necessary to
guard against those threats.