It’s easy to focus on cybersecurity threats like social engineering and phishing. However, internal threats, such as human error and disgruntled employees, can be just as dangerous – and are often overlooked. A mature onboarding and termination policy is essential to preventing a data breach. Employees and other internal users were the cause of 60% of data breaches – both intentional and accidental – in 2016.
In the world of SOC 2, these types of threats are addressed in the Access Onboarding and Termination policy. The policy’s purpose is to minimize the risk of data exposure by enforcing the principle of least privilege. The scope of the policy is only technical infrastructure. Areas like payroll and benefits are not included in this policy.
Here are five best practices to consider when writing your company’s Access Onboarding and Termination Policy:
Reduce risk with least privilege
Least privilege is the practice of restricting account creation and permission levels to only the resources needed to perform a person’s job duties. For example, if a new user starts in your marketing department, there probably isn’t a good reason for this person to also have access to the HR and finance department shares. By enforcing least privilege when granting access, you can reduce the surface area through which an insider can breach your data.
When a new employee joins the company, the hiring manager must consider: which systems/applications does this hire need accounts for? What permission levels are necessary to perform those tasks? Should the user have administrator-level access, or is a standard user account sufficient?
Least privilege is especially crucial for your IT and security staff. In many organizations, users in these departments have full visibility into the network. This can include excessive rights to shared folders, user email accounts and sometimes even payroll information. Therefore it is critical to implement least privilege from the time a user is onboarded.
Implement least privilege during onboarding
Hiring managers should inform HR* upon the hire of a new employee. HR communicates this to IT, who creates a checklist of access and permission levels appropriate to the role. This checklist should include systems internal to the company, as well as any necessary external portals (HR, payroll, etc.). The owner of each application will review and approve account creation and permission levels, and then work with IT to complete user setup.
Automate manual steps during termination
Hiring managers should inform HR promptly when a termination occurs. Every week, HR should send a list summarizing terminations and instruct IT to suspend those users' access within five business days. As much as possible, these steps should be triggered by automation and should not require manual intervention. We're all human and forgetful. Things can easily slip through the cracks when you don't have enough coffee. In many companies, a centralized directory (such as Active Directory) is the primary mechanism for provisioning user access, but don't forget about any external or third-party systems that use other authentication systems. Often companies will leverage HR systems or ticketing/support portals from managed service providers, so terminated users should have their access revoked from those sites as well.
Removing access is especially important for any members of the IT and security staff. As mentioned in the previous section, these users often have network-wide access and could quickly make significant changes in the environment. Revoking their access from all systems immediately upon termination is critical.
When does access change
When an employee changes roles within the organization, their account access and permission levels should change accordingly. Too often, when users get promoted within the organization, they retain access rights from their previous position, which may be excessive or inappropriate for their new job. Similar to the onboarding process, hiring managers should inform HR of any role change. Then HR and IT follow the same onboarding and offboarding steps to provision the new access.
When are permissions reviewed
Your company should define a cadence to review existing accounts and permission levels. Newer companies should hold a monthly review, while mature companies that have more accounts to manage can host a quarterly review.
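The termination, role-change and review steps above all come down to the same reconciliation: compare what HR says about a person with what each system actually grants them. The following is an added example, not code from the original post or from any SOC 2 toolkit. It assumes an HR termination feed, a per-system account inventory (a central directory plus third-party portals) and a per-role permission baseline, all constructed inline here as sample data; in a real deployment these would be pulled from the HR system, the directory and each portal's API. It reports enabled accounts belonging to terminated users (overdue if past the five-business-day window), and accounts whose group memberships exceed the baseline for the user's current role, which is how leftover access from a previous role shows up in a periodic review.

```python
"""Access reconciliation for offboarding and periodic permission review.

Added example with constructed data; not the original post's code.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    system: str        # where the account lives (directory or third-party portal)
    user: str
    enabled: bool
    groups: frozenset  # group / role memberships granted in that system


# --- Constructed sample inputs (hypothetical users and systems) ---------------

# HR termination feed: user -> last day
TERMINATIONS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 8)}

# Account inventory across the central directory and external portals
ACCOUNTS = [
    Account("ActiveDirectory", "jdoe", True, frozenset({"Domain Users", "Domain Admins"})),
    Account("ActiveDirectory", "asmith", False, frozenset({"Domain Users"})),
    Account("PayrollPortal", "jdoe", True, frozenset()),
    Account("Ticketing", "asmith", True, frozenset()),
    Account("ActiveDirectory", "bwong", True, frozenset({"Domain Users", "Finance-Share"})),
]

# Current role per active user, and the groups each role is allowed to hold.
# bwong moved from Finance to Marketing but kept the Finance share.
USER_ROLES = {"bwong": "Marketing"}
ROLE_BASELINE = {
    "Marketing": frozenset({"Domain Users", "Marketing-Share"}),
    "IT": frozenset({"Domain Users", "Domain Admins"}),
}

# Date the review runs (constructed)
REVIEW_DATE = date(2024, 3, 12)


def add_business_days(start: date, n: int) -> date:
    """Return the date n Monday-to-Friday business days after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 are Mon..Fri
            n -= 1
    return d


def termination_findings(accounts, terminations, today, grace_days=5):
    """List (system, user, status) for every still-enabled account of a
    terminated user. Status is 'overdue' once the grace window has passed."""
    findings = []
    for acct in accounts:
        last_day = terminations.get(acct.user)
        if last_day is None or not acct.enabled:
            continue
        deadline = add_business_days(last_day, grace_days)
        status = "overdue" if today > deadline else "pending"
        findings.append((acct.system, acct.user, status))
    return findings


def permission_review(accounts, user_roles, role_baseline):
    """List (system, user, extra_groups) where an account holds groups
    outside the baseline for the user's current role."""
    findings = []
    for acct in accounts:
        role = user_roles.get(acct.user)
        if role is None:
            continue
        extra = acct.groups - role_baseline[role]
        if extra:
            findings.append((acct.system, acct.user, sorted(extra)))
    return findings


if __name__ == "__main__":
    print("Offboarding status as of", REVIEW_DATE)
    for system, user, status in termination_findings(ACCOUNTS, TERMINATIONS, REVIEW_DATE):
        print(f"  {status:8} {user} still enabled in {system}")
    print("Permissions beyond role baseline:")
    for system, user, extra in permission_review(ACCOUNTS, USER_ROLES, ROLE_BASELINE):
        print(f"  {user} in {system}: {', '.join(extra)}")
```

Run as a scheduled job, the first report is the trigger for automated suspension (or a ticket to IT when a portal offers no API), and the second is the artifact a monthly or quarterly access review signs off on. Keeping the external portals in the same inventory as the directory is what prevents the "disabled in AD, still logged into the payroll site" gap.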
*If your company doesn’t have an HR role, hiring managers should work directly with IT to follow the outlined procedures.
We know writing policies can be difficult. But companies ranging from small startups to large enterprises have been breached by insiders. So whether you have 5 or 5,000 employees, you should include this policy in your toolkit. Check out our SOC 2 course for expert advice and more best practices to write an Access Onboarding and Termination Policy.