Access Control Management – Guidance for Audit Compliance

Guidance for Access Control Management

One of the key points of focus when it comes to security compliance is the strength of access management controls. Whether your organization is aiming for compliance with the AICPA’s SOC criteria, NIST framework, GDPR, or HIPAA certification, to name a few, access controls play a key role in the internal control environment. Throughout this blog, we will explore the types of common access management controls found in many internal control environments, as well as key considerations when developing and implementing access controls.

There are many differing opinions on the best practices for the what, where, when, and how of access management controls and their implementation. This blog will not be an exhaustive list of best practices because there are many, but we will dive into general terminology, key considerations related to identity and access management controls, and the importance of access management controls. Our hope is to help users obtain a baseline understanding of access management controls that can then be built upon based on an organization’s individual needs.

What Are Access Management Controls?

In general, access management controls are the controls within an internal control environment that restrict, limit, monitor, and review access to networks, systems, machines, physical locations, and similar assets so that only authorized users or individuals can reach them. The purpose of access controls is to help an organization manage the risk that comes with storing, or having access to, sensitive, confidential, and/or personally identifiable information about its personnel and/or clients, whether that information lives in internal systems, on physical network devices, or elsewhere. That risk is why access management controls matter.


What Are the Types of Access Controls?

Access management controls can typically be categorized into two main types: logical access controls and physical access controls. They are then further categorized into other control types based on the organization’s IT and internal environments and on the control itself. Logical access controls are the virtual type of access control, such as system authentication configurations or role-based access control (RBAC) applied to restrict access to certain data within an organization’s IT environment. Physical access controls restrict access to the physical environment or to tangible assets, for example restricting entry to an office building or data center facility through registered badges or keycards.

When an organization is trying to determine what types of access controls are needed, and how many, various factors should be analyzed, such as the environment and systems involved, the risk being mitigated by the control, and the resources available. For example, when considering physical access controls, an organization should consider the number of employees that are remote versus located in a physical office, the medium of the data intended to be secured (physical documents or cloud-based), and whether a subservice organization is used to manage or store that data. Depending on how these factors apply, an organization can determine the scope of risk present and the number and sub-types of logical or physical access controls that should be considered.

Access controls can be further categorized into many different groups, but another main categorization that applies to access management controls is whether the control is preventive or detective. When considering an organization’s internal control environment, and specifically its access management controls, it is best practice to have a combination of both preventive and detective controls in order to create a strong control environment.


What Are Examples of Access Controls?

Below are a few examples of some basic types of access controls used to help organizations strengthen their internal control environment and address risks related to access management and security.

Access Management Policies

A good first step in defining access management controls is developing and implementing information security policies, and specifically access management policies. Security policies generally cover a wide range of topics, including general identity and access management requirements, and a dedicated access management policy can be used to document the specifics of a particular access management process. These policies define the requirements that the implemented access management controls must meet.

Access Provisioning & Deprovisioning

When authorizing and assigning access to users that require system or physical access, it is best practice to implement the following:

  • Only grant the access required based on the job function being performed.
  • Document the access request.
  • Have the access approved by a manager or other authorized person.

This can be done in an access request ticket that tracks the request for access, including who authorized and who provisioned the requested access. At the other end of the access lifecycle are the controls around removing user access when individuals no longer require it. With these controls, it is important to structure the control so that all logical and physical access is removed when it is no longer needed, and removed in a timely manner. It is also recommended that access removal requests be documented and tracked to completion, so that management or auditors can determine that the control is operating effectively when they review it.

Access Reviews

Management should also implement a periodic review of user access to systems and physical locations. This review should cover the roles assigned to users, including elevated access rights (such as administrator roles), and will help catch any control failures that occurred during the access provisioning and deprovisioning process. The review is considered a detective control, whereas the access provisioning and deprovisioning controls are preventive controls.

Privileged Access Management

Having additional access controls within the control framework that focus on users and accounts with elevated permissions or physical access can help mitigate more significant risks. The risk associated with users that have elevated privileges is typically higher than that associated with users that have general access, because these users could have the ability to:

  • Provision, change, and remove user access.
  • Edit system or network configurations.
  • Access sensitive or confidential information.

A common control to implement at an organization is to review each key IT system and identify which set of permissions or roles within those systems should be categorized as privileged. Once privileged access types are identified, access to them should be limited to only individuals who absolutely require the access to perform their job function. Furthermore, when a new user requires privileged access, it is common for additional approval to be required prior to granting access.
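The provisioning, access review, and privileged access controls described above can be exercised as one reconciliation: compare the access a system actually grants against the approved request tickets, the HR roster, and the list of roles the organization has classified as privileged. The following Python script is an added example and is not code from the original post or from Linford and Company; the roster, role matrix, tickets, and entitlements are constructed sample data, and the finding codes and the "second approver" field are assumptions for illustration.

```python
"""Access review reconciliation (added example with constructed data).

A detective control: reconcile current entitlements against the approved
request tickets, the HR roster, and the privileged-role list, and report
each grant that should not exist or that lacks the required approval.
"""

# Constructed HR roster: user -> (job function, active employee?)
HR_ROSTER = {
    "alice": ("developer", True),
    "bob": ("finance", True),
    "carol": ("it-admin", True),
    "dave": ("developer", False),  # terminated; should hold no access
}

# Constructed least-privilege matrix: job function -> roles it may hold
ROLE_MATRIX = {
    "developer": {"repo-write"},
    "finance": {"ledger-read"},
    "it-admin": {"system-admin", "user-admin"},
}

# Roles this organization has classified as privileged for the system
PRIVILEGED_ROLES = {"system-admin", "user-admin"}

# Constructed approved request tickets:
# (ticket id, user, role, approving manager, second approver for privileged roles)
APPROVED_REQUESTS = [
    ("REQ-1", "alice", "repo-write", "mgr-eng", None),
    ("REQ-2", "bob", "ledger-read", "mgr-fin", None),
    ("REQ-3", "carol", "system-admin", "mgr-it", "ciso"),
    ("REQ-4", "dave", "repo-write", "mgr-eng", None),
    ("REQ-5", "alice", "user-admin", "mgr-eng", None),  # no second approval
]

# Constructed entitlement export from the system under review: (user, role)
CURRENT_ACCESS = [
    ("alice", "repo-write"),
    ("alice", "user-admin"),
    ("bob", "ledger-read"),
    ("bob", "repo-write"),     # no ticket exists for this grant
    ("carol", "system-admin"),
    ("dave", "repo-write"),    # deprovisioning was missed
]


def review_access(roster, role_matrix, privileged_roles, requests, current):
    """Return a list of (finding code, user, role, detail) tuples.

    Each current grant is checked in order: is the user still active, was
    the grant approved, does the role fit the job function, and, for a
    privileged role, did a second approver sign off.
    """
    approvals = {(u, r): (t, a, p) for t, u, r, a, p in requests}
    findings = []
    for user, role in current:
        job, active = roster.get(user, (None, False))
        if not active:
            findings.append(("DEPROVISIONING_FAILURE", user, role,
                             "user is not active in the HR roster"))
            continue
        if (user, role) not in approvals:
            findings.append(("UNAPPROVED_ACCESS", user, role,
                             "no approved request ticket on file"))
            continue
        ticket, approver, second_approver = approvals[(user, role)]
        if role not in role_matrix.get(job, set()):
            findings.append(("ROLE_OUTSIDE_JOB_FUNCTION", user, role,
                             f"role not permitted for job function '{job}'"))
        if role in privileged_roles and not second_approver:
            findings.append(("PRIVILEGED_WITHOUT_SECOND_APPROVAL", user, role,
                             f"{ticket} approved by {approver} only"))
    return findings


def run_sample_review():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, ROLE_MATRIX, PRIVILEGED_ROLES,
                         APPROVED_REQUESTS, CURRENT_ACCESS)


if __name__ == "__main__":
    for code, user, role, detail in run_sample_review():
        print(f"{code:36} {user:8} {role:14} {detail}")
```

Each finding maps back to one of the controls on this page: a terminated user with access is a deprovisioning failure, a grant with no ticket is a provisioning failure, a role outside the job function violates least privilege, and a privileged role with only one approval is missing the extra approval the privileged access control calls for. Keeping the output in a review record is what lets management or an auditor confirm the detective control operated.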

How Can IAM Tools Be Used to Implement & Maintain Access Management Controls?

When considering access management controls for implementation, using tools to implement and monitor those controls may be an option available to your organization. There is a large market of access management tools that perform a variety of identity and access management functions. Through the proper implementation and use of an identity and access management (IAM) tool, access to multiple systems can be managed from one place.

Access can be granted based on groups or job functions. Control owners are able to easily identify who has elevated access, restrict elevated access, and use the tool to periodically review user access. Identity and access management tools can also offer some level of monitoring or logging of account authentication and usage, which helps with investigation and containment in the event of a security breach.


What Are the Benefits & Disadvantages of Access Control?

Implementing access controls can help an entity achieve compliance with industry regulations and frameworks, such as GDPR (check out this GDPR checklist), HIPAA, SOC 1, or SOC 2, to name a few. Implementing access controls also has a host of internal benefits for an organization. The main benefits seen with the implementation of proper access controls are the reduction of security threats, breaches, and risks.

What Are the Risks of Poor Access Management?

The risk of security events occurring due to unauthorized access can be mitigated when there are access controls in place over, but not limited to, the following:

  • Prevention of unauthorized user access.
  • Detection of unauthorized user access attempts and potential security events.
  • Logging of user authentication attempts and privileged user actions.
  • User access provisioning and access changes.
  • User access deprovisioning.
  • User access to sensitive and/or confidential information.

Once implemented, access management controls can streamline the authentication and authorization processes which also improves user experience when gaining access to IT systems.

A potential disadvantage of implementing access management controls is the time and resources needed to define and implement them. IAM tools or other access management tools carry a financial cost, but they typically reduce the time and resources spent on access management controls because they centralize and automate the process.

In the end, the benefits and disadvantages of implementing access controls depend on the risk appetite of the organization and on the virtual and physical environments that require access controls. As auditors, we are biased, but we find that the benefits of strong access management controls outweigh the disadvantages.

Summary

Hopefully, this blog has provided you with a general overview of access management controls, the purpose they serve, and some considerations to take into account when implementing or evaluating an organization’s internal control environment, and specifically its access management controls.

If you would like to learn more about how Linford and Company can assist your organization with services related to frameworks requiring access management controls such as SOC 1 audits, SOC 2 audits, HIPAA audits, FEDRAMP compliance, and HITRUST certification, please contact us.

This article was originally published on 4/6/2022 and was updated on 9/13/2023.