RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

From: Patrick Cunningham <[log in to unmask]>
Date: Mon, 5 Feb 2018 13:09:07 -0600
Sender / Reply-To: Records Management Program <[log in to unmask]>

As Pilar noted, managing by group permissions is one way to handle this
issue, and is usually effective in a smaller organization or with systems
that have large buckets associated with user roles that are directly tied
to an employee's job code or department.

Another approach is to tie the organization's HR Management system to the
Identity and Access Management system. In this way, when the role, manager,
or department for an employee changes, an automated task can be created
that requests the current manager to "recertify" the access associated
with his or her employee. With an automated system, the manager can select
which access roles are no longer needed or verify the ones that are needed.
This is very common practice and is generally part of a larger access
recertification process. For many organizations, access recertification is
an IT Security control that is required at varying intervals based upon the
organization's risk tolerance. Roles with higher level access privileges
will tend to be recertified more frequently (typically quarterly), while
privileges that are relatively common are recertified annually. Employee
role or manager changes cause recertification to happen in association with
those events.

Part of the process also includes removal of access for terminated employees
/ contractors, and a control will specify how quickly this occurs. For
organizations that have SOx (Sarbanes-Oxley) compliance requirements, this
will be among the key IT General Controls that are tested against
SOx-compliant systems. For other systems, the controls are typically
required for systems with more sensitive data or other regulatory
requirements. However, it is simply good practice.

In terms of the time frames, a lot depends upon the risk appetite of the
organization and the sensitivity of the data, as well as the need for
transition assistance from the employee who is changing roles. After all,
while the employee's role may have changed, the employee is still bound by
non-disclosure and confidentiality agreements. Thirty days is a typical
time frame for access to be extended upon job change, but this can be
shortened to less than a week or as much as six months, depending on the
sensitivity of the information and business requirements. In any event, the
time frames should be established as controls within policy and
periodically tested.

Patrick Cunningham, CISM, FAI
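The HR-to-IAM workflow the message describes (mover events triggering a manager recertification, leaver events triggering removal within a control-specified window, and a periodic recertification cadence that depends on privilege level), as an added example that is not part of the original post and not any particular IAM product's code. The tier names, the 90/365-day intervals, the 7/30-day transition windows, the one-day removal window, the event field names and the users, roles and dates are all assumptions chosen for illustration; the entitlement table and HR events are constructed sample data.

```python
# Added example, not from the original message. Every policy value, field
# name and sample record below is an assumption for illustration only.
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy (tune to the organization's risk appetite): recertification
# interval per tier, carry-over window after a job change, leaver removal window.
RECERT_INTERVAL_DAYS = {"privileged": 90, "standard": 365}
TRANSITION_DAYS = {"privileged": 7, "standard": 30}
TERMINATION_REMOVAL_DAYS = 1


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str            # group or application role, e.g. "erp-admin"
    tier: str            # "privileged" or "standard"
    last_certified: date


@dataclass
class Task:
    kind: str            # "recertify" (manager acts) or "revoke" (IAM ops acts)
    user: str
    assignee: str
    roles: list
    due: date
    reason: str


def process_hr_event(event, entitlements):
    """Map one mover/leaver event from the HR feed to IAM tasks."""
    user_ents = [e for e in entitlements if e.user == event["user"]]
    if not user_ents:
        return []                      # nothing provisioned, nothing to do
    when = event["date"]
    if event["type"] == "termination":
        # Leaver: everything goes, inside the control's removal window.
        due = when + timedelta(days=TERMINATION_REMOVAL_DAYS)
        return [Task("revoke", event["user"], "iam-ops",
                     [e.role for e in user_ents], due, "termination")]
    if event["type"] in ("role_change", "manager_change", "department_change"):
        # Mover: the *current* manager recertifies. The carry-over window is the
        # shortest among the employee's entitlements, so one privileged role
        # pulls the whole review forward.
        grace = min(TRANSITION_DAYS[e.tier] for e in user_ents)
        return [Task("recertify", event["user"], event["manager"],
                     [e.role for e in user_ents],
                     when + timedelta(days=grace), event["type"])]
    raise ValueError(f"unknown HR event type: {event['type']}")


def due_for_periodic_recert(entitlements, today):
    """Entitlements whose tier interval has lapsed since last certification."""
    return [e for e in entitlements
            if (today - e.last_certified).days >= RECERT_INTERVAL_DAYS[e.tier]]


def apply_manager_decision(entitlements, task, keep, today):
    """Record the manager's answer to a recertify task: roles in `keep` are
    re-certified as of today, every other role on the task is revoked.
    Returns the updated entitlement list and a revoke Task (or None)."""
    kept, dropped = [], []
    for e in entitlements:
        if e.user != task.user or e.role not in task.roles:
            kept.append(e)
        elif e.role in keep:
            kept.append(Entitlement(e.user, e.role, e.tier, today))
        else:
            dropped.append(e.role)
    revoke = None
    if dropped:
        revoke = Task("revoke", task.user, "iam-ops", dropped,
                      today + timedelta(days=TERMINATION_REMOVAL_DAYS),
                      "not recertified by manager")
    return kept, revoke


# Constructed sample data (not real users, roles or systems).
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "erp-admin", "privileged", date(2017, 10, 1)),
    Entitlement("alice", "records-reader", "standard", date(2017, 3, 1)),
    Entitlement("bob", "records-reader", "standard", date(2017, 1, 15)),
]
SAMPLE_EVENTS = [
    {"type": "role_change", "user": "alice", "manager": "carol", "date": date(2018, 2, 5)},
    {"type": "termination", "user": "bob", "manager": "dave", "date": date(2018, 2, 5)},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for t in process_hr_event(ev, SAMPLE_ENTITLEMENTS):
            print(f"{t.kind:9} {t.user:6} -> {t.assignee:8} {t.roles} due {t.due} ({t.reason})")
    for e in due_for_periodic_recert(SAMPLE_ENTITLEMENTS, date(2018, 2, 5)):
        print(f"periodic recert due: {e.user} {e.role} ({e.tier})")
```

Two design points worth noting. The mover path assigns the task to the manager carried on the HR event, not the one stored in the IAM system, because after a manager change the IAM record is exactly what is stale. And the carry-over window is driven by the most sensitive entitlement the employee holds, which is how the "thirty days, shortened for sensitive data" rule in the message becomes something that can be tested as a control rather than left to judgment.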

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
