Access to information and related assets must follow the organization's access control policy, this involves setting up, reviewing, modifying, and removing access rights in line with the Organization's rules. The process of assigning or revoking access rights can involve e.g. obtaining authorization from asset owners, with separate management approval if necessary, addressing segregation of duties, including separation of approval and implementation roles and ensuring timely removal of access rights when not needed.
Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.
When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.
In all changes on employment relationship, access rights should be reviewed in cooperation with the owners of the protected property and re-granted to the person completely when there is a significant change in the person's employment. A change can be a promotion or a change of role (e.g., moving from one unit to another).
Supervisors have been instructed to notify the owners of data systems in advance of significant changes in the employment relationships of subordinates, such as promotions, discounts, termination of employment or other changes in the job role.
Based on the notification, a person's access rights can be updated either from the centralized management system or from individual data systems.
Before granting access rights to data systems with confidential information employees have:
On average, the IT administrator estimates that staff use about 50 cloud services when the actual number is 1,000. Many of these are important for staff productivity and are used outside the organization’s network, so firewall rules do not solve the challenge.
Systems that focus on identifying and managing cloud services allow you to identify the cloud services used by your staff and monitor users of different services. This helps e.g.:
If a person's employment is terminating or significantly changing, the reduction of access rights to assets should be considered, depending on the following: