One of the key parts of security compliance consists of access management controls. Whether your organization is aiming for compliance with the AICPA’s SOC criteria, NIST framework, GDPR, or even HIPAA certification, access controls play a key role in the internal control environment. Throughout this blog, we will explore the types of common access management controls within an organization’s internal control environment and key considerations when developing and implementing a suite of access controls. There are many differing opinions on how, where, and which access management controls should be implemented. We will dive into the general terminology and key considerations when it comes to identity and access management controls to help provide a baseline understanding.
What are the Main Types of Access Controls?
Logical vs. Physical
Within a suite of access management controls, there are typically either logical or physical access controls. Logical access controls are the virtual type of access control, such as system authentication configurations or applying role-based access control to restrict access to certain data within an organization’s IT environment. Physical access controls restrict access to the physical environment or tangible assets, such as an office building or data center facilities that are restricted through badges or keycards. Various factors should be analyzed, such as the proportion of employees who are remote, the medium of the data intended to be secured (physical documents or cloud-based), and whether a subservice organization is used to manage or store that data. Depending on the applicability of these factors, an organization can determine how much emphasis to place on logical versus physical access controls and which sub-types of each should be considered.
Access controls can also be categorized as preventive or detective controls, and it is best practice to have a combination of both preventive and detective controls within the suite of access controls to strengthen the internal controls overall.
What Are Some Examples of Access Controls & Key Considerations?
Below are some examples of key access controls used within a suite of access management controls that help entities strengthen their internal control environment and address risks related to security:
- Security Policies – A good first step in defining access management controls is developing or updating information security policies. Security policies generally cover a wide range of topics, including identity and access management.
- Provisioning and Deprovisioning – When authorizing and assigning access, it is best practice to ensure access is appropriately requested and approved, such as through an access request ticket that tracks who requested the access and who authorized and provisioned it. At the other end of the access lifecycle, controls around terminating user access are just as important, to ensure that all access is removed when it is no longer required.
- Access Reviews – Periodically reviewing user access helps catch cases where other access controls failed during the access provisioning and deprovisioning processes. An appropriately detailed access review showing which permissions or roles a user has within each IT system of the organization is more effective than simply reviewing whether the user is still an employee.
- Privileged Access Management – Having additional access controls within the control framework that focus on users and accounts with elevated permissions can help mitigate more significant risks, as these accounts typically have access to sensitive or confidential information. A great exercise to perform for each IT system within an organization is to identify which set of permissions or roles should be categorized as privileged and restrict those permissions or roles to only the individuals who absolutely need them.
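The deprovisioning, access review, and privileged access points above can be exercised together as a simple reconciliation: compare each system's role export against the HR roster, flag accounts that have no active HR record (a deprovisioning failure or an unknown identity), and list privileged roles per system for explicit attestation. This is an added example, not code from the original post; the roster, role exports, and the set of roles treated as privileged are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumption for the example: which roles each system treats as privileged.
PRIVILEGED_ROLES = {
    "erp": {"admin", "finance_approver"},
    "crm": {"global_admin"},
}

# Constructed HR roster: user -> (employment status, department).
HR_ROSTER = {
    "alice": ("active", "finance"),
    "bob": ("terminated", "sales"),
    "carol": ("active", "it"),
}

# Constructed role exports: system -> user -> set of assigned roles.
SYSTEM_ACCESS = {
    "erp": {"alice": {"finance_approver"}, "bob": {"viewer"}, "carol": {"admin"}},
    "crm": {"carol": {"global_admin"}, "dave": {"sales_rep"}},
}


@dataclass
class ReviewFindings:
    # (system, user) pairs with no active HR record: deprovisioning gaps or unknown identities.
    orphaned: list = field(default_factory=list)
    # (system, user, role) triples that a reviewer must explicitly attest to.
    privileged: list = field(default_factory=list)


def review_access(roster, access, privileged_roles):
    """Reconcile per-system role exports against the HR roster."""
    findings = ReviewFindings()
    for system, users in access.items():
        for user, roles in users.items():
            status = roster.get(user, ("unknown", None))[0]
            if status != "active":
                findings.orphaned.append((system, user))
            # Review roles per system rather than just employment status.
            for role in sorted(roles & privileged_roles.get(system, set())):
                findings.privileged.append((system, user, role))
    findings.orphaned.sort()
    findings.privileged.sort()
    return findings


if __name__ == "__main__":
    result = review_access(HR_ROSTER, SYSTEM_ACCESS, PRIVILEGED_ROLES)
    for system, user in result.orphaned:
        print(f"ORPHANED  {system}: {user} has access but no active HR record")
    for system, user, role in result.privileged:
        print(f"PRIVILEGED {system}: {user} holds {role}; attestation required")
```

In the sample data, bob (terminated) still holds a role in the ERP and dave has no HR record at all, so both surface as orphaned; the three privileged assignments are listed separately so the reviewer attests to each one rather than only confirming employment.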
What is the Difference Between Identity Management & Access Management?
You will often hear the combined term Identity and Access Management (IAM) which is used to describe the overall processes and methods in place to identify, authenticate, authorize, and maintain access to an entity’s IT environment. However, when it comes to evaluating a suite of internal controls for access management, it is important to distinguish between identity management and access management.
- Identity management relates to the processes and controls in place to identify and authenticate a user. How do you know the user is who they say they are? This is typically achieved by assigning each user unique credentials, such as a username and password.
- Access management focuses on the second step: authorization of the access. Now that you have identified the user, what resources should they have access to and what is the level of permissions necessary for them to perform their job function?
Authentication and authorization are two terms that are sometimes used interchangeably; however, they are separate considerations when implementing and evaluating access management controls.
How Can IAM Tools Be Used to Implement & Maintain Access Management Controls?
There is a large market of various access management tools available that perform a variety of identity and access management functions. Often, during an audit of security compliance, data is extracted directly from an access management tool or system to display what privileges or permissions users have within an organization. Through the use and proper implementation of an identity access or a privileged access management tool, control owners are able to identify who has elevated access, restrict elevated access, and periodically review user access so that the access continues to be appropriate within the organization. Identity and access management tools that also offer some level of monitoring or logging of the authentication and/or usage of accounts can help mitigate risks in the event of a security breach. Having logs of data readily available to investigate can help contain a breach and may reduce the risk of further exposure.
What Are the Benefits of Identity Access Management?
Besides helping an entity achieve compliance with industry regulations, such as GDPR (check out this GDPR checklist of compliance requirements) or HIPAA compliance, or client contract stipulations requiring a SOC 1 or SOC 2 report, IAM has a host of benefits internally to an organization as well. Here are some of the main benefits seen with the proper use of an IAM framework:
- Reducing Costs of IT – Many organizations have made the shift to cloud-based IAM products that eliminate the need to host and maintain on-premises infrastructure. Additionally, IAM reduces the time system administrators spend managing user identities, so their focus can shift toward higher-priority items.
- The User Experience – IAM streamlines the authentication and authorization processes, which improves the user experience when gaining access to IT systems. System administrators also benefit from easier user management.
- Risk Mitigation – Security threats and risks are easier to identify and mitigate when there are access controls in place that log and track user authentication and access to information. As mentioned above, monitoring through the use of an IAM tool can serve a great purpose when identifying and addressing security risks.
Hopefully this article has helped provide a few insights on the importance of access management controls and what considerations must be taken into account when implementing or evaluating an organization’s identity and access management framework. Linford and Company has extensive experience in providing guidance and evaluating access management controls.
If you would like to learn more about how Linford and Company can assist your organization with services such as SOC 1 audits, SOC 2 audits, HIPAA audits, FedRAMP compliance, HITRUST certification, and more, please contact us.
Natalie Munro specializes in SOC examinations for Linford & Co., LLP, and is currently a manager with the firm. She started her career with Ernst & Young’s Risk Assurance group in 2014 after completing her Masters of Accountancy from the University of Georgia. Natalie’s experience includes internal and external audits across multiple industries. She enjoys learning each client’s processes to help them meet their customer’s needs as well as fulfill regulatory requirements.