Security professionals are generally most concerned with outside hackers, malicious insiders and accidental data loss. However, if they don’t focus on internal processes around their organization’s employees’ changing roles and responsibilities, organizations are missing a key area of risk.
Manual processes within IDM could introduce mistakes and open the door to both privilege creep and account latency. Automation of new employee onboarding, promotions or transfers, administrative requests and terminations reduces risks and implements processes that alleviate these mistakes.
New employee onboarding
If done manually, the security implications of hiring a new employee can be daunting and prone to error. The provisioning process starts: computer access, id and password, network access, and application access are all just the tip of the iceberg. HR processes have to be followed; FERPA or HIPAA tests need to be passed. Automation of this process guarantees new employees base system access and allows security teams to focus on the more challenging processes below.
To accomplish this, the hiring event starts the automated process of providing least privileged access. By providing this, new employees should only have access to the initial set of self service functions such as enrolling in benefits. This allows the account provisioning to be triggered automatically from other IDM solutions that may be in use without introducing institutional risks. Granting higher privileged access is covered in the next section.
Newly hired, promoted or transferred workers
When a person starts new job functions or his/her job changes, it is imperative that the PeopleSoft privileges are accurate, made in a timely manner and can be monitored. Automating this procedure guarantees access changes don’t go unnoticed and lowers a company’s risk of data breach and privilege creep. Privilege creep occurs when employees move from job to job inside of an organization and system access no longer matches their role within the organization.
To accomplish this, job codes should be mapped to privileges so that automated processes can be built to modify privileges upon changes in job responsibilities. That way the system naturally mitigates privilege creep through job migrations.
Administrative access requests
Some administrative functions are very specialized and cannot be automatically assigned based on job codes in the HR application. Therefore, tracking the systems is absolutely critical. These high privileged users have access to the institutions most prized data or intellectual property.
Organizations should establish a change control process over administrative privileges that may be project related or on going. Tracking and understanding what access a user has within each application, network device and computer is critical to managing their movement throughout the organization or out of the organization.
Terminations – there goes the data!
Termination is a critical security event. When an employee is terminated (whether involuntarily or involuntarily) the clock is ticking on restricting their access. An article from the Wall Street Journal suggests 50% of employees take data with them upon termination.
To address this concern, access must be removed from numerous systems precisely and efficiently especially for high privileged users. When an employee gives a two-week notice, data security requirements should log or remove all access besides base HR self-service functions to ensure data loss is kept to a minimum.
Automating this process involves tying the termination request to the modification of the users privileges. To accomplish this, the termination will trigger a removal of all roles and permissions other than base self service HR functions. This has to be done immediately upon the termination event and logging all access for these users is critical.