Requirements for a Strong Access Control Program
The lack of an overall strong access control program generates opportunities for the unauthorized access to potentially sensitive data in your organization.
Most frequently, this is due to not complying with internal security control requirements, regulatory control requirements, or industry best practices during the access provisioning process. This is likely to result in incorrect permissions being granted when user accounts are created. Access control program requirements are the focus of pitfall #27 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
A formal access control program should be implemented that includes a documented user registration and de-registration process for requesting, approving, granting, modifying, reviewing, or revoking access. Many organizations successfully document the components of their access control program within an Access Control Policy that references any specific procedures that have been developed to support the overall access control program. This gives your organization the ability to comply with two critical control requirements by maintaining a single document.
Access control rules should reflect the requirements of your organization for the authorization, access to, dissemination, and viewing of information. These rules should be supported by formal procedures with clearly defined responsibilities that are assigned to appropriate roles. Be sure your access control requirements address both logical and physical control measures which should both be based upon the principle of least-privilege.
Account types (e.g., standard user, privileged user, system, service, etc.) used by your organization should be identified and documented. Generally, an Access Control Policy is the best place to record this information. Access control rules for each user, or group of users, should be clearly stated. The conditions for group or role membership should be established as well. Users should be given a clear understanding of the security framework requirements to be met by the access controls implemented by your organization.