Enterprises are beginning to master the task of provisioning access rights to new employees, and terminating those rights when employees are terminated from employment. And when employees advance or are transferred into new positions, enterprises are becoming more effective at granting new access privileges in support of advancing / transferring employees’ new duties.
But enterprises are mostly failing to remove the privileges associated with the positions they have left behind when transferring or advancing. This results in the problem known as “accumulation of privileges.”
Accumulation of privileges is the result of employees who are granted access rights in their first position, and more rights as they advance, transfer, or are given additional responsibilities. The real problem is that employees fail to shed unneeded privileges when they move into new positions. Given enough time, an employee who moves around to different positions in an organization can amass an array of privileges.
It’s not altogether simple. Often, transferred employees need to retain their former privileges until some projects or tasks are completed, or to support cross-training their successors. But rarely will an employee, nor his old or new manager, request that those old and no longer needed privileges be revoked.
Most enterprises simply lack the discipline to set up a process for eventually revoking unneeded privileges. The result is that employees with more tenure can amass a wealth of privileges that would turn an auditor pale.
There is no easy answer to this. But probably the best answer that I can come up with is this:
When an employee has transferred to a new position, all privileges associated with the specifics of the old position should be immediately revoked. Policy should reflect and require this. But reality can accomodate a compromise, where the transferring employee may retain the old privileges for a maximum of, say, two to four weeks, after which the old privileges must be revoked. If an extension is required, it must be approved by a senior manager or executive, with another time limit of, say, 30 days. The same executive must approve every 30 day extension.
Regular audits of employee access rights should be taking place. The list of employees who should have access privileges needs to be carefully matched to the userids that actually do. All exceptions must be noted and remedied, to eliminate any forgotten accumulations. The regular audit is the only way that an access privilege – that should have been revoked – will be caught and remedied. If regular audits do not catch these, then they will continue unfettered until an external auditor finds it or an incident – made possible by the accumulated privileges – occurs.
Example 1: A systems support engineer is promoted to software test engineer. This requires that she be given privileges to development systems, test systems, and source code. However, after she transitions to her new job, she still has access to production databases. This is a blatant violation of the requirement that personnel in development have no access to production systems or data.
Example 2: An accounts payable clerk is promoted to accounts payable supervisor. This results in the employee having access to functions that a single individual must never have: approving payments and printing checks. This will cause an audit exception if an auditor is careful to examine each employee’s privileges.
Peter H. Gregory 