Many companies deal with their fair share of vaguely defined, outdated, cumbersome, inefficient or non-secure processes for handling application and data access requests. Often, there's an old, outdated hardcopy form used by everyone that has been copied so many times it's barely legible. Even worse, it often doesn't require the proper signoffs for access to systems and data. If you plan on passing a serious audit and want to improve your request processes, read on!
The first step in setting up a good request-handling process is to define the application and data owners for your organization. This requires your applications and data to be broken down into categories, and assigned an owner. For example, the director of finance may own accounting and payroll data, and sales data may be owned by the director of sales. Once you've defined your application and data owners, it's time to create an updated form.
It's best if you can create a Web-based form or custom e-mail form that can be kept online and restricted to a defined group of users who are authorized to request access for employees. If you don't allow hardcopies of the request form to be submitted, you can always ensure that only authorized people are using the most updated form. An added benefit of using Web-based forms is that you can capture the user's userID and IP address for further proof that the request came from an authorized employee. Your forms should require approval by the application or data owner for each area the user needs to access. Depending on how sophisticated you want your forms to be, the application or data owner's approval could be electronic, or you may need to print a hardcopy and have it signed by the owners. Usually, you can find someone in IT who has experience creating Web-based or e-mail-based forms.
Once you've created your forms, it's time to restrict them to authorized personnel and create some instructions for users to follow. The instructions should be stored in the same location as the forms. A flowchart should also be created to document the IT department's internal processes for fulfilling the requests.
It's best to designate one person to maintain the forms you create. This makes it easier to have forms designed and modified with a consistent theme. With a little creativity, these same access request forms and processes can be used to handle employee terminations. Once you've set up a sound process and easy-to-use forms, you'll have a much happier staff and your auditors will be pleased. Just make sure you have an access request form for each person who is granted access to an application or data set!
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
