While NIST CSF is a voluntary standard that companies can use as a cybersecurity guideline, NIST 800-53 and 800-171 are mandatory for organizations that work with government networks or data. NIST: The NIST Cybersecurity Framework and special publications SP 800-53 and 800-171 all include requirements to audit accounts for compliance and revoke access when it is no longer needed. If too many people can access personal data, businesses risk significant fines of up to 4 percent of their annual revenue. In effect, this requires organizations to audit who can access personal data. As specified in article 25, this includes limiting the number of persons who can access personal data to those with a legitimate interest. GDPR: Europe’s General Data Protection Regulation puts safeguards on the collection, storage and processing of personal data. However, a periodic review of access rights (5.18) is one of the recommended controls in Annex A that organizations need to consult per 6.1.3 c). ISO 27001: By design, ISO 27001 gives organizations a lot of freedom to choose the scope and controls of their information security management system (ISMS). Common problems that occur without user access reviews: The problem? Many organizations have no process for auditing access rights, meaning that employees accumulate more and more permissions over time, an issue also known as privilege creep. Which is why user access reviews are demanded by many regulations like HIPAA, the SOX Act, COBIT, PCI DSS, ISO 27001 and the NIST Cybersecurity Framework. Regular access reviews are the only way to enforce least privilege access by ensuring that nobody in an organization has unnecessary permissions. Regular access reviews are essential to maintaining security and compliance: When users can access files or systems they do not need, it puts these resources at risk both through insider threats like employee data theft and outside attacks like account hijacking.Ĭonsequently, it is a best practice of cybersecurity to keep IT privileges to a minimum and only assign permissions that are essential to a user’s role – also known as the principle of least privilege.
User access reviews, also known as permission reviews, privilege reviews or access recertification, are a periodic audit of the current access rights in your organization designed to spot and remove unnecessary or outdated permissions.
0 kommentar(er)
