It's easy to focus on cybersecurity threats like social engineering and phishing. However, internal threats, such as human error and disgruntled employees, can be just as dangerous - and are often overlooked. A mature onboarding and termination policy that leverages least privilege access is essential to preventing a data breach.
Employees and other internal users were the cause of 60% of data breaches - both intentional and accidental - in 2016.
In the world of SOC 2, these types of threats are addressed in the Access Onboarding and Termination policy. The policy’s purpose is to minimize the risk of data exposure by enforcing the principle of least privilege access. The scope of the policy is only technical infrastructure. Areas like payroll and benefits are not included in this policy. Are customers concerned about your support staff accessing their data? StrongDM provides you with an audit trail of who did what, when and where.
Here are best practices to consider when writing your company’s Access Onboarding and Termination Policy:
Implement least privilege access during onboarding
Hiring managers should inform HR upon the hiring of a new employee. HR communicates this to IT, who creates a checklist of access and permission levels appropriate to the role. This checklist should include systems internal to the company, as well as any necessary external portals (HR, payroll, etc.). The owner of each application will review and approve account creation and permission levels and then work with IT to complete user setup.
Automate manual steps during termination
Hiring managers should inform HR promptly when a termination occurs. Every week, HR should send IT a list summarizing terminations and instruct IT to suspend those users' access within five business days. As much as possible, these steps should be triggered by automation and should not require manual intervention. We're all human and forgetful; things can easily slip through the cracks when you don't have enough coffee. In many companies, a centralized database (such as Active Directory) is the primary mechanism for provisioning user access, but don't forget about any external or third-party systems that use other authentication systems. Companies often rely on HR systems or ticketing/support portals from managed service providers, so terminated users should have their access revoked from those sites as well.
Removing access is especially important for members of the IT and security staff. As mentioned in the previous section, these users often have network-wide access and could quickly make significant changes in the environment. Revoking their access from all systems immediately upon termination is critical.
When does access change?
When an employee changes roles within the organization, their account access and permission levels should change accordingly. Too often, when users get promoted within the organization, they retain access rights from their previous position, which may be excessive or inappropriate for their new job. Similar to the onboarding process, hiring managers should inform HR of any role change. Then HR and IT will follow the same steps for onboarding and offboarding to provision new access.
When are permissions reviewed?
Your company should define a cadence to review existing accounts and permission levels. Newer companies should hold a monthly review, while mature companies that have more accounts to manage can host a quarterly review.
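The termination, role-change and review sections above describe three checks that an automated review can run against the same data: terminated users whose access is still enabled past the five-business-day deadline, users who kept entitlements from a previous role, and accounts in a third-party system that no longer map to anyone on the HR roster. The following is an added example written for this page, not code from the original post or from StrongDM. The roster, the per-system account lists, the role-to-entitlement baseline and the system names (`ad`, `ticketing`) are all constructed sample data and assumed field names, standing in for whatever your HR system and identity directory actually export.

```python
"""Periodic access review: reconcile an HR roster against per-system account
exports. Finds (a) terminated users still enabled after the 5-business-day
suspension deadline, (b) active users holding entitlements outside their
current role's approved baseline, and (c) accounts with no roster entry.

Everything below is constructed sample data; schemas are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed per-role baseline: the IT onboarding checklist expressed as data.
ROLE_BASELINE = {
    "support": {"ticketing:agent", "crm:read"},
    "engineer": {"git:write", "ci:run", "db-prod:read"},
    "it-admin": {"ad:domain-admin", "git:admin", "ci:admin"},
}

SUSPENSION_DEADLINE_BUSINESS_DAYS = 5  # from the policy text


@dataclass
class Person:
    user_id: str
    role: str
    status: str  # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass
class Account:
    system: str  # e.g. the central directory or a third-party portal
    user_id: str
    enabled: bool
    entitlements: set[str] = field(default_factory=set)


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days (Mon-Fri) after `start`."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def overdue_terminations(roster, accounts, today):
    """Terminated people with an enabled account past the suspension deadline.

    Returns sorted (user_id, system, deadline_iso) tuples.
    """
    terminated = {p.user_id: p for p in roster if p.status == "terminated"}
    findings = []
    for acct in accounts:
        person = terminated.get(acct.user_id)
        if person is None or not acct.enabled or person.terminated_on is None:
            continue
        deadline = add_business_days(
            person.terminated_on, SUSPENSION_DEADLINE_BUSINESS_DAYS
        )
        if today > deadline:
            findings.append((acct.user_id, acct.system, deadline.isoformat()))
    return sorted(findings)


def excess_entitlements(roster, accounts):
    """Active people holding entitlements outside their current role's baseline.

    This is the role-change case: rights carried over from a previous position.
    Returns sorted (user_id, system, [entitlements]) tuples.
    """
    active = {p.user_id: p for p in roster if p.status == "active"}
    findings = []
    for acct in accounts:
        person = active.get(acct.user_id)
        if person is None or not acct.enabled:
            continue
        allowed = ROLE_BASELINE.get(person.role, set())
        extra = sorted(acct.entitlements - allowed)
        if extra:
            findings.append((acct.user_id, acct.system, extra))
    return sorted(findings)


def orphan_accounts(roster, accounts):
    """Enabled accounts whose user_id appears nowhere on the HR roster."""
    known = {p.user_id for p in roster}
    return sorted(
        (a.user_id, a.system) for a in accounts if a.enabled and a.user_id not in known
    )


# Constructed sample data. 2024-03-01 and 2024-03-13 are a Friday and a Wednesday.
TODAY = date(2024, 3, 15)
ROSTER = [
    Person("alice", "support", "terminated", date(2024, 3, 1)),
    Person("bob", "engineer", "terminated", date(2024, 3, 13)),
    Person("carol", "support", "active"),  # moved from engineer to support
]
ACCOUNTS = [
    Account("ad", "alice", enabled=False),  # directory was disabled on time
    Account("ticketing", "alice", enabled=True, entitlements={"ticketing:agent"}),
    Account("ad", "bob", enabled=True, entitlements={"git:write"}),  # still within 5 days
    Account("ad", "carol", enabled=True,
            entitlements={"ticketing:agent", "crm:read", "db-prod:read"}),
    Account("ticketing", "dave", enabled=True, entitlements={"ticketing:agent"}),
]

if __name__ == "__main__":
    print("overdue terminations:", overdue_terminations(ROSTER, ACCOUNTS, TODAY))
    print("excess entitlements: ", excess_entitlements(ROSTER, ACCOUNTS))
    print("orphan accounts:     ", orphan_accounts(ROSTER, ACCOUNTS))
```

Run as-is, the review flags alice's still-enabled ticketing-portal account (the directory account was disabled, but the third-party system was missed), carol's leftover `db-prod:read` from her engineering days, and dave's account with no roster entry; bob is not flagged because his deadline has not yet passed. Feeding this the weekly HR termination list and each system's account export is the automation the policy asks for, and the same functions serve the monthly or quarterly permission review.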
*If your company doesn’t have an HR role, hiring managers should work directly with IT to follow the outlined procedures.
We know writing policies can be difficult. But companies ranging from small startups to large enterprises have been breached by an insider. So whether you have 5 or 5,000 employees, you should include this policy in your toolkit. Check out our SOC 2 course for expert advice and more best practices to write an Access Onboarding and Termination Policy.
Looking for additional SOC 2 resources? Get Comply, a free and open-source resource center for SOC 2 certification.
About the Author
Brian Johnson, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.
Since 2004, Brian has also run the blog/podcast 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.