Registering and authorizing new users before granting access

When a person starts an employment relationship, he or she is granted access to all data systems related to his or her role at once.

Our organization has defined procedures for coordinating, at the time of termination of employment, e.g..:

• Hardware recovery
• Removal of access rights
• Restoration of other information assets

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

• how much information each user needs access to
• how widely the user should be able to edit data (read, write, delete, print, execute)
• whether other applications have access to the data
• whether the data can be segregated within the property so that sensitive data is less exposed

In all changes on employment relationship, access rights should be reviewed in cooperation with the owners of the protected property and re-granted to the person completely when there is a significant change in the person's employment. A change can be a promotion or a change of role (e.g., moving from one unit to another).

If a person's employment is terminating or significantly changing, the reduction of access rights to assets should be considered, depending on the following:

• a person’s reluctance towards the upcoming change
• the extent of the person’s current access rights and responsibilities
• the value of the assets to which the employee has access