We’re all aware of the outsider threats a company can face, like social engineering and phishing, but we often overlook insider threats, such as human error and disgruntled employees. In fact, employees were the cause of 60% of data breaches (both intentional & accidental) in 2016.
You can address those threats with an Access Onboarding & Termination Policy. The purpose of this policy is to minimize the risk of data loss or exposure by enforcing the principle of least privilege. (The scope of this policy is technical infrastructure; things like payroll, benefits, etc. are not included.)
Companies ranging from small startups to large enterprises have been breached by an insider, so whether you have 5 or 5000 employees, you should include this policy in your toolkit. Here are five best practices to consider when writing your Access Onboarding & Termination Policy:
Reduce your risk with least privilege
Least privilege is the practice of restricting account creation & permission levels to only the resources absolutely needed to perform a person’s job duties. By enforcing least privilege when granting access, you can reduce the surface area through which an insider can breach your data. When a new employee joins the company, their hiring manager must consider: which systems/applications does this hire really need accounts for? What permissions are necessary to perform those tasks? Should they be an admin or is a user sufficient?
How to implement least privilege during onboarding
Hiring managers should inform HR* upon hire of a new employee. HR communicates this to IT, who creates a checklist of the access and permission levels appropriate to the role. The owner of each application reviews and approves account creation and permission levels, and then works with IT to set up the user.
When is access terminated?
Similarly, hiring managers should inform HR when an employee has been terminated. Every week, HR should send a list of terminated employees and instruct IT to suspend their access within five business days.
When does access change?
When an employee changes roles within the organization, their account access and permission levels should change accordingly. As with onboarding, the hiring manager informs HR of the role change. HR and IT then follow the same onboarding and offboarding steps: provision the access the new role requires and remove the access it does not.
When are permissions reviewed?
Your company should define a cadence for reviewing existing accounts and permission levels. Early-stage companies should hold a monthly review, while mature companies with more accounts to manage can hold a quarterly review.
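The termination and review steps above are easier to enforce if the periodic review is automated. The following Python script is an added example and not part of the original post: it reconciles a constructed HR termination list against a constructed account inventory, computes the five-business-day suspension deadline from the policy text, and reports active accounts that are overdue for suspension, accounts with no owning employee, and accounts holding admin rights that deserve a least-privilege check. The record fields (`system`, `username`, `employee_id`, `is_admin`, `active`) and the sample data are assumptions chosen for illustration; public holidays are not modelled.

```python
"""Periodic access review: flag overdue offboarding, orphaned accounts and admins.

Added example, not code from the original post. All records below are
constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy value from the post: IT suspends access within five business days.
SUSPENSION_DEADLINE_BUSINESS_DAYS = 5


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    employee_id: Optional[str]  # None: no owner on record (service/orphaned)
    is_admin: bool
    active: bool


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days (Mon-Fri) after `start`.

    Assumption: weekends only; public holidays are not modelled.
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def review_access(accounts: List[Account],
                  terminations: Dict[str, date],
                  as_of: date) -> Dict[str, List[str]]:
    """Reconcile the account inventory against HR's termination list.

    Returns lists of "system/username" strings under four keys:
      overdue  - terminated employee, deadline passed, account still active
      pending  - terminated employee, still inside the suspension window
      orphaned - active account with no owning employee
      admins   - active accounts with admin rights (least-privilege review)
    """
    report: Dict[str, List[str]] = {"overdue": [], "pending": [],
                                    "orphaned": [], "admins": []}
    for acct in accounts:
        if not acct.active:
            continue  # already suspended; nothing to review
        label = f"{acct.system}/{acct.username}"
        if acct.employee_id is None:
            report["orphaned"].append(label)
        elif acct.employee_id in terminations:
            deadline = add_business_days(terminations[acct.employee_id],
                                         SUSPENSION_DEADLINE_BUSINESS_DAYS)
            bucket = "overdue" if as_of > deadline else "pending"
            report[bucket].append(label)
        if acct.is_admin:
            report["admins"].append(label)
    return report


# Constructed sample input: HR's weekly termination list and the inventory.
SAMPLE_TERMINATIONS = {
    "E100": date(2024, 3, 1),  # a Friday; deadline is Fri 2024-03-08
    "E200": date(2024, 3, 7),  # a Thursday; deadline is Thu 2024-03-14
}
SAMPLE_ACCOUNTS = [
    Account("github", "alice", "E100", is_admin=False, active=True),
    Account("aws", "alice", "E100", is_admin=True, active=False),
    Account("aws", "alice-admin", "E100", is_admin=True, active=True),
    Account("github", "bob", "E200", is_admin=False, active=True),
    Account("aws", "svc-legacy", None, is_admin=True, active=True),
    Account("okta", "carol", "E300", is_admin=True, active=True),
]
REVIEW_DATE = date(2024, 3, 11)  # the Monday the review is run


def run_sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample data."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_TERMINATIONS, REVIEW_DATE)


if __name__ == "__main__":
    for category, labels in run_sample_review().items():
        print(f"{category}: {', '.join(labels) or '-'}")
```

In practice the two inputs would come from the HR system's weekly export and each application owner's account listing; the script then gives IT a concrete worklist (suspend the overdue accounts, find an owner or retire the orphaned ones, justify each admin grant) that can be run on the monthly or quarterly cadence the policy sets.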
*If your company doesn’t have an HR role, hiring managers should work directly with IT to follow the outlined procedures.
We know writing policies can be tough. Check out our SOC2 Compliance course for more expert advice on writing an Access Onboarding & Termination Policy.