Monitoring identity status

As users work in the organization, their roles change, and so do their needs to access services. Examples of changes include:
- Job changes. In this case the user will possibly need access to different or additional services.
- Promotions or demotions. The user will probably use the same set of services, but will need access to different levels of functionality or data.
- Transfers. In this situation, the user may need access to exactly the same set of services, but in a different region with different working practices and different sets of data.
- Resignation or death. Access needs to be completely removed to prevent the username being used as a security loophole.
- Retirement. In many organizations, an employee who retires may still have access to a limited set of services, including benefits systems or systems that allow them to purchase company products at a reduced rate.
- Disciplinary action. In some cases the organization will require a temporary restriction to prevent the user from accessing some or all of the services that they would normally have access to. There should be a feature in the process and tools to do this, rather than having to delete and reinstate the user’s access rights.
- Dismissals. Where an employee or contractor is dismissed, or where legal action is taken against a customer (for example for defaulting on payment for products purchased on the Internet), access should be revoked immediately. In addition, Access Management, working together with Information Security Management, should take active measures to prevent and detect malicious action against the organization from that user.
Access Management should understand and document the typical User Lifecycle for each type of user and use it to automate the process. Access Management tools should provide features that enable a user to be moved from one state to another, or from one group to another, easily and with an audit trail.
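
The lifecycle described above can be modelled as a small state machine in which every move, including a refused one, lands in the audit trail. This is an added example, not part of the original text; the state names, the transition table, the `notify_security` flag and the group names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed state model: the page lists the events, not the states.
TRANSITIONS = {
    ("active", "job_change"): "active",
    ("active", "promotion"): "active",
    ("active", "transfer"): "active",
    ("active", "disciplinary_action"): "suspended",
    ("suspended", "reinstatement"): "active",
    ("active", "retirement"): "retired",
    ("active", "resignation"): "revoked",
    ("active", "dismissal"): "revoked",
    ("suspended", "dismissal"): "revoked",
    ("retired", "death"): "revoked",
}
RETIREE_GROUPS = {"benefits-portal", "staff-discount-store"}  # constructed names

@dataclass
class Identity:
    user: str
    groups: set
    state: str = "active"
    audit: list = field(default_factory=list)

    def effective_access(self):
        # A suspended user keeps grants on file, but none are honoured.
        return set(self.groups) if self.state in ("active", "retired") else set()

    def apply(self, event, actor, new_groups=None):
        target = TRANSITIONS.get((self.state, event))
        entry = {"time": datetime.now(timezone.utc).isoformat(), "user": self.user,
                 "actor": actor, "event": event, "from": self.state,
                 "to": target, "groups_before": sorted(self.groups),
                 "notify_security": event == "dismissal"}
        self.audit.append(entry)  # rejected attempts are recorded too
        if target is None:
            entry["result"] = "rejected"
            raise ValueError(f"{event!r} not allowed from state {self.state!r}")
        if target == "revoked":
            self.groups = set()          # access completely removed
        elif target == "retired":
            self.groups = set(RETIREE_GROUPS)
        elif new_groups is not None:
            self.groups = set(new_groups)
        self.state, entry["result"] = target, "applied"
        entry["groups_after"] = sorted(self.groups)
        return entry
```

Suspension leaves `groups` untouched, so reinstatement restores the same rights without anyone re-entering them, while `revoked` has no outgoing transitions and cannot be undone through this path.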
Date: 2014-12-29