Access Management

Access Management in general is an important topic for your ISMS. Not being in control of software access can easily cause incidents turning into data breaches.  
 
You will have to be in control of different types of access:  

• Access to the office location – we address this in the Policies & Procedures, Workspace & Equipment Policy, template is provided on Compleye Online in section Templates
• Access to Hardware (e.g. laptops) – we will address that in the Policies & Procedures ,Workspace & Equipment Policy, template is provided on Compleye Online in section Templates
• Access to Software – that is addressed in this section. 
• Access to Documentation Storage – that is addressed in this section. 
• Access to Data – that will be addressed in Data Classification Section 

• Overall you will need an Access Management Policy – we will address that in the Policies & Procedures / Access Management Policy

With respect to the Software Access, high-level requirements are:  

• Having an overview of all Software used by your organization 
• Defining a policy on how you organize the access.  
• Assign administrators for every software, describe roles and responsibilities in the Access Management Policy.  
  

• • Start by going back to the Supplier Overview Section and making a list of all suppliers that provide an application or tool that your team is using.
  • Access Management Section content must be very much aligned to your Suppliers Overview, as all of your software is – by default – classified as a supplier. So, start with the Supplier Overview and copy the names of the suppliers that provide software as a product, to this section. Make sure you use exactly the same name.
  • You’ll find out by making use of this section that, apart from your own team (internal access), some suppliers will also have access (external access). You might need to go back to Supplier Overview and tick the box, ‘Is part of Software Access’ in the supplier’s general tab. Once the box is ticked, this supplier will appear in the external access overview, if you use the edit button.
  • We advise you to include your documentation storage supplier in this overview. That could be Google Drive, MS Office, Dropbox or your own server environment. Choose the profile ‘ Documentation Storage’. By making use of this profile, you’ll be able to document who has access to specific folders.
  • The external auditor needs to see how you’ll organise confidential documents. We advise you to address – in your Access Management Policy – that sharing information (including documents) is organised on a need-to-know-basis in access management.
  • You can easily begin with 2 (two) main folders: Management and Operations. All confidential information is placed within the Management folder with limited access. Everything else is organised in Operations – with access for the entire team. When you scale your organisation, you change the folders and access in Operations by assigning certain information to specific teams. Before you create a complex tree with access rights in Operations – consider whether this is really needed.
  • It’s our experience that when startups scale, they tend to organise specific (confidential) information in tooling available for limited team members, e.g.: customer processes embedded in help desk tooling or in a wiki for dedicated teams (wiki or GitLab/confluence).
  • Admins need to use an admin account while performing admin activities and use a different user account when working with the tool. This could be a challenge for some startups, e.g., if you’re using an expensive tool and can only afford 1 user license. Although this can happen, especially in the early stages, it will be classified as a non-conformity, as it’s a potential security risk.
  • In our experience, external auditors accept this during the first year of your certification. However, you’ll need to have some evidence in place to prove that you’re aware of this issue and know the risks. The tool is important for your business (or security) and C-Level accepts the risk.
  • Our suggestion is that you make a note in the risk assessment for this supplier instead of performing an entire supplier assessment. Add notes about a single user account for multiple users and the reason why in the field [define residual risk] Supplier Assessment - you can add to the field [suggest Improvements], ‘Next year we will reconsider the subscription fee’ or any other improvement that you want to add.
  • If there are more team members assigned to the admin role – to 1 tool: in Compleye Online, you can make use of the ‘add new field’ functionality and add an extra field . In use, this will be visible for all other tools as well.
  • Selection of who has access is easy. It’s divided into 2 tabs, ‘Internal’ and ‘External’. Ticking the boxes should be easy. If you do miss team members, you probably haven’t added them to the section [Link to People@]. For missing suppliers, you’ll need to tick the box, ‘Is part of Software Access’ in the General tab of the Supplier Overview.
  • When the supplier has access, we suggest you create an extra field by making use of ‘Add a new field’ and choosing a text field e.g., name the field ‘Remarks’. Add notes e.g., how many of the supplier’s users have access. If you have guidelines for this (either in supplier assessment or supplier management policies), add the name of the contact person from the supplier to this field with an email address. This will come in handy during security controls related to Access Management.
  • Add the Access Management Policy to the Procedure/Info feature once defined and approved. Write notes for your team members.
  • There is the possibility to perform a quick search, e.g., what tooling a particular team has access to. In this case, make use of the search filters. You can add the name of the team member in the selection filter.
  • This quick search is handy e.g,: in case team members leave the company and you want to close all access to tooling in 1 day.
  • This section’s activity logs can be used for Security Controls – for evidence of performing control activities.