ACME is a privately held company listed on NYSE and offers B2B services. In order to be compliant with the applicable regulations, several control mechanisms have been set up: access reviews are performed every 6 months for internal users and every 3 months for external users.
The goal is to certify, from a business perspective, that the entitlement management policy is enforced and that managers are aware of their responsibilities. Running an access review is a difficult task because of IT silos and the lack of a comprehensive description of entitlements.
As a result, the IT Security team prepares access reviews by consolidating user entitlements in Excel files and dispatching the files to managers. This tiresome task often results in "blind validation" and introduces many risks, such as invalid, incomplete or irrelevant information and poor operational performance.
To reduce the operational risks caused by over-permissive user entitlements, security good practices recommend applying the following principles (which appear both in operational risk regulations and in security policy standards):