Making user access policies work for you
SOX Watch
By Michael Kamens, Network World
March 23, 2007 08:45 AM ET
Regardless of a company's size, how it manages employee turnover, staff mobility, and increased use of consultants and contractors is a cause for concern for auditors when it comes to how user access rights are
handled. Despite overburdened IT and human resources departments, companies need to ensure controls are in place to keep their
networks secure from current employees, as well as terminated ones.
Whether it's for a Sarbanes-Oxley Act audit or an IT risk assessment, determining access to a corporate network containing
digital assets and intellectual property should be a high priority. More often than not, however, user access gets the attention
it needs only after a breach or act of fraud. By implementing some solid user access policies and procedures, companies can
minimize their exposure to security breaches.
Auditors should start by asking corporate managers to produce lists of current employees, employees terminated since the start
of the year and users who have been denied access; policies and procedures that govern the granting of user access and file-sharing
privileges; and the process for granting new access rights when employees move to different positions. They also need to know
what review process is in place to verify that each user needs his or her current privileges, as well as the company's termination
procedure.