Access control is the most fundamental control in information security. The principle is simple: only authorised individuals should have access to the systems and data they need for their work. In practice, implementing effective access control turns out to be one of the most challenging areas for organisations.
Identity and Access Management (IAM) is the entire set of processes and technologies that organisations use to manage digital identities and control access to resources. An auditor assesses IAM on three levels: granting access (provisioning), actively managing access (governance) and revoking access (deprovisioning).
For provisioning, the auditor checks whether there is a structured process for requesting and approving access rights. Is there an approval chain in which the manager and/or data owner grants authorisation? Is the principle of least privilege applied, whereby users receive only the minimum rights they need? Are rights granted based on roles (RBAC) rather than on an individual basis?
Access governance is the active management of access rights throughout an employee's lifecycle. The auditor checks whether periodic access reviews take place, in which managers confirm that their employees' access rights are still appropriate. When employees change roles, old rights must be revoked and new ones granted. This prevents the gradual accumulation of rights that is typical in organisations without an active governance process.
Deprovisioning is one of the most critical controls. The auditor checks whether access rights are revoked in a timely manner when an employee leaves the organisation, and whether the HR leaver process actually triggers the revocation rather than relying on someone remembering. A common finding is that accounts of departed employees are still active, sometimes months after they left. Such an account still authenticates, its credentials are known to someone who no longer works for the organisation, and nobody is watching it, which makes it a significant security risk.
Privileged access management (PAM) deserves special attention. Administrative accounts with elevated privileges are an attractive target for attackers. The auditor checks whether administrative accounts are separated from regular accounts, whether multi-factor authentication is enforced, whether the use of administrative rights is logged and monitored, and whether just-in-time access is applied.
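The three findings described above (leaver accounts still enabled, rights accumulated beyond the role, and privileged accounts without the expected controls) are simple enough to test mechanically once the directory export and HR leaver list are in hand. The script below is an added illustration and not the audit firm's own tooling; the account records, role baseline, field names and the audit date are all constructed for the example and would come from your own IdP export and HR system in practice.

```python
"""Constructed IAM audit checks over a hypothetical directory export.

Every record and role below is made up for illustration; field names
(account, owner, role, enabled, privileged, mfa, terminated, entitlements)
are assumptions about what an export would contain, not a real schema.
"""
from collections import defaultdict
from datetime import date

# Hypothetical date the export was taken; used instead of date.today()
# so the checks are reproducible.
AUDIT_DATE = date(2024, 4, 15)

# Constructed role baseline: which entitlements each role is supposed to carry.
ROLE_BASELINE = {
    "finance_analyst": {"erp_read", "reporting"},
    "finance_manager": {"erp_read", "erp_approve", "reporting"},
    "sysadmin": {"erp_read", "domain_admin"},
}

# Constructed directory export, one record per account.
ACCOUNTS = [
    {"account": "alice", "owner": "alice", "role": "finance_manager", "enabled": True,
     "privileged": False, "mfa": True, "terminated": None,
     "entitlements": {"erp_read", "erp_approve", "reporting"}},
    # bob moved from manager to analyst but kept erp_approve (rights accumulation)
    {"account": "bob", "owner": "bob", "role": "finance_analyst", "enabled": True,
     "privileged": False, "mfa": True, "terminated": None,
     "entitlements": {"erp_read", "erp_approve", "reporting"}},
    # carol left three months ago and is still enabled (deprovisioning gap)
    {"account": "carol", "owner": "carol", "role": "finance_analyst", "enabled": True,
     "privileged": False, "mfa": True, "terminated": date(2024, 1, 15),
     "entitlements": {"erp_read", "reporting"}},
    # dave does admin work from his only account, without MFA (PAM gap)
    {"account": "dave", "owner": "dave", "role": "sysadmin", "enabled": True,
     "privileged": True, "mfa": False, "terminated": None,
     "entitlements": {"erp_read", "domain_admin"}},
    # erin has a separate admin account with MFA (the expected pattern)
    {"account": "erin", "owner": "erin", "role": "finance_analyst", "enabled": True,
     "privileged": False, "mfa": True, "terminated": None,
     "entitlements": {"erp_read", "reporting"}},
    {"account": "erin-adm", "owner": "erin", "role": "sysadmin", "enabled": True,
     "privileged": True, "mfa": True, "terminated": None,
     "entitlements": {"erp_read", "domain_admin"}},
]


def leavers_still_enabled(accounts, today, grace_days=0):
    """Deprovisioning check: enabled accounts whose owner left more than grace_days ago.
    Returns (account, days since termination) pairs, sorted."""
    findings = []
    for a in accounts:
        left = a["terminated"]
        if a["enabled"] and left is not None:
            age = (today - left).days
            if age > grace_days:
                findings.append((a["account"], age))
    return sorted(findings)


def excess_entitlements(accounts, baseline):
    """Governance check: entitlements an account holds beyond its role baseline.
    Accounts with an unknown role are compared against an empty baseline, so
    every right they hold is reported."""
    findings = {}
    for a in accounts:
        extra = a["entitlements"] - baseline.get(a["role"], set())
        if extra:
            findings[a["account"]] = extra
    return findings


def privileged_control_gaps(accounts):
    """PAM check: privileged accounts without MFA, and privileged accounts whose
    owner has no separate non-privileged account (admin rights on the daily login)."""
    by_owner = defaultdict(list)
    for a in accounts:
        by_owner[a["owner"]].append(a)
    findings = {}
    for a in accounts:
        if not a["privileged"]:
            continue
        issues = []
        if not a["mfa"]:
            issues.append("no_mfa")
        if not any(not x["privileged"] for x in by_owner[a["owner"]]):
            issues.append("admin_rights_on_daily_account")
        if issues:
            findings[a["account"]] = issues
    return findings


def run_audit(accounts, baseline, today):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "leavers_still_enabled": leavers_still_enabled(accounts, today),
        "excess_entitlements": excess_entitlements(accounts, baseline),
        "privileged_control_gaps": privileged_control_gaps(accounts),
    }


if __name__ == "__main__":
    for check, result in run_audit(ACCOUNTS, ROLE_BASELINE, AUDIT_DATE).items():
        print(f"{check}: {result}")
```

The role baseline is the part that does real work: without a documented mapping from role to entitlements there is nothing to compare against, which is why an auditor asks for it before asking for the export. The grace period in the leaver check is deliberately a parameter; a policy that allows a day for the offboarding run is fine, but the check should then be run against that number rather than against whatever the tooling happens to default to.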
Password policy and authentication are assessed as well. The auditor checks whether there is a password policy that meets current guidelines (for example NIST SP 800-63B, which favours length over composition rules, drops forced periodic rotation, and screens new passwords against known-breached lists), whether MFA is enforced for all external and administrative access, and whether shared accounts and hardcoded credentials are absent from systems, scripts and configuration.
Secure Audit assesses access control and IAM as a core component of every IT audit, from user management and access reviews to privileged access management. Get in touch for an IAM assessment.
About the author
Partner | IT Auditor