8-18-14 The problem with former employees retaining access to companies they no longer work for

Bulk of Ex-Employees Retain Access to Corporate Apps: Survey

http://www.securityweek.com/bulk-ex-employees-retain-access-corporate-apps-survey

http://www.infosecurity-magazine.com/news/uk-smbs-manage-exemployee-risk/

C-IT Recommendation

  1. Verify your company has an effective and enforced access control standard and policy that requires access to be removed when an employee transfers within the organization or leaves it.
    1. Use Role Based Access Control. Define each role by the duties it must perform, and grant it only the access those duties require.
    2. Grant privileged access to roles, not to individual users. Add users to roles according to their positions, and remove them from those roles when their position changes.
      1. ex: a Database Administrator should not hold the rights of the Operating System Administrator.
  2. Perform periodic access reviews of privileged account users. Remove privileged access immediately from any user or group found to hold access it does not need.
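The review in the recommendations above can be automated once privileges are attached to roles and roles to positions. The following is an added example, not code from the original post: it models a small RBAC setup and runs a privileged-access review that flags terminated employees, transferred employees still in their old role, accounts with no HR record, and role assignments that a position is not entitled to. The role definitions, position-to-role map, roster and group memberships are constructed sample data (hypothetical); in practice the roster comes from HR and the memberships from a directory export.

```python
"""Periodic privileged-access review against an RBAC model (added example)."""
from dataclasses import dataclass

# Privileges are attached to roles, never to individual users (hypothetical roles).
ROLE_PRIVILEGES = {
    "dba": {"db:admin"},
    "os_admin": {"os:root"},
    "helpdesk": {"ad:reset_password"},
    "developer": {"repo:write"},
}
PRIVILEGED_ROLES = {"dba", "os_admin", "helpdesk"}

# Which roles each job position is entitled to (hypothetical mapping).
POSITION_ROLES = {
    "Database Administrator": {"dba"},
    "Systems Administrator": {"os_admin"},
    "Service Desk Analyst": {"helpdesk"},
    "Software Engineer": {"developer"},
}

# Constructed HR roster: carol transferred from DBA to engineering, dave left.
SAMPLE_ROSTER = {
    "alice": {"position": "Database Administrator", "active": True},
    "bob": {"position": "Systems Administrator", "active": True},
    "carol": {"position": "Software Engineer", "active": True},
    "dave": {"position": "Systems Administrator", "active": False},
    "erin": {"position": "Service Desk Analyst", "active": True},
}

# Constructed directory export: role -> members. Note alice in os_admin,
# carol still in dba, dave still in os_admin, and svc_old with no HR record.
SAMPLE_MEMBERSHIPS = {
    "dba": {"alice", "carol"},
    "os_admin": {"bob", "alice", "dave", "svc_old"},
    "helpdesk": {"erin"},
    "developer": {"carol"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    reason: str


def review_privileged_access(roster, memberships):
    """Return findings for privileged role memberships that should be removed.

    roster: {user: {"position": str, "active": bool}} from HR.
    memberships: {role: set(users)} from the directory.
    Non-privileged roles are outside the scope of this review and skipped.
    """
    findings = []
    for role, members in memberships.items():
        if role not in PRIVILEGED_ROLES:
            continue
        for user in members:
            record = roster.get(user)
            if record is None:
                findings.append(Finding(user, role, "no HR record (orphaned account)"))
            elif not record["active"]:
                findings.append(Finding(user, role, "employee left; access not removed"))
            elif role not in POSITION_ROLES.get(record["position"], set()):
                findings.append(Finding(
                    user, role, f"role not entitled to position '{record['position']}'"))
    # Deterministic order so the report can be diffed between review cycles.
    return sorted(findings, key=lambda f: (f.user, f.role))


def effective_privileges(user, memberships):
    """Privileges a user actually holds: the union over every role they are in."""
    privileges = set()
    for role, members in memberships.items():
        if user in members:
            privileges |= ROLE_PRIVILEGES.get(role, set())
    return privileges


if __name__ == "__main__":
    for f in review_privileged_access(SAMPLE_ROSTER, SAMPLE_MEMBERSHIPS):
        print(f"REMOVE {f.user} from {f.role}: {f.reason}")
    print("alice currently holds:", sorted(effective_privileges("alice", SAMPLE_MEMBERSHIPS)))
```

Running the review on the sample data flags alice's os_admin membership (the DBA-versus-OS-administrator case from the recommendation), carol's stale dba membership after her transfer, dave's membership after leaving, and the unowned svc_old account; bob and erin hold exactly what their positions entitle them to and produce no findings.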

Article Resources

Intermedia Report on Rogue Access

http://www.multivu.com/players/English/7281751-intermedia-s-2014-smb-rogue-access-study-security-threat-posted-by-former-employees/

Role Based Access Control (has links to other resources including the “Economic Benefits of Role Based Access Control”)

http://csrc.nist.gov/groups/SNS/rbac/

