Access Management

  • Access Management in general is an important topic for your ISMS. Not being in control of software access can easily cause incidents that turn into data breaches.

    You will have to be in control of different types of access:

    • Access to the office location: we address this in the Policies & Procedures, Workspace & Equipment Policy; a template is provided on Compleye Online in the Templates section.
    • Access to hardware (e.g. laptops): we address this in the Policies & Procedures, Workspace & Equipment Policy; a template is provided on Compleye Online in the Templates section.
    • Access to software: addressed in this section.
    • Access to documentation storage: addressed in this section.
    • Access to data: addressed in the Data Classification section.

    With respect to Software Access, the high-level requirements are:

    • Having an overview of all software used by your organization.
    • Defining a policy on how you organize access.
    • Assigning administrators for every software tool and describing roles and responsibilities in the Access Management Policy.
    • The Software Access section content needs to be closely aligned with your Supplier Overview, as all of your software is, by default, classified as a supplier. Therefore start with the Supplier Overview and copy the names of the suppliers that provide software as a product to this section. Make sure you use the exact same name.

    • By using this section you will find out that, next to your own team (internal access), some suppliers also have access (external access). You might need to go back to the Supplier Overview and tick the box 'Is part of Software Access' in the General tab of the supplier. Once the box is ticked, this supplier will appear in the overview of external access when you use the Edit button.

    • We advise you to include your supplier for documentation storage in this overview. That can be Google Drive, MS Office, Dropbox or your own server environment. In this case, choose the profile 'Documentation Storage'. By using this profile you will be able to document who has access to specific folders.

    • The external auditor needs to see how you organize confidential documents in your organisation. We advise you to state in your Access Management Policy that sharing information (including documents) is organized on a need-to-know basis and that this is organized through access management.

    • You can start simple with 2 (two) main folders: Management and Operations. All confidential information is placed in the Management folder with limited access, and everything else is organized in Operations, with access for the entire team. When you scale your organization, you change the folders and access in Operations by assigning certain information to specific teams. Before you create a complex tree of access rights in Operations, think first whether this is really needed.

    • It is our experience that when startups scale, they also organize specific (confidential) information in tooling available to limited team members, e.g. customer processes embedded in help desk tooling or in a wiki for dedicated teams (a wiki, GitLab or Confluence).

    • Admins need to use an admin account while performing admin activities and a different user account when working with the tool. That might be a challenge for some startups, e.g. you use an expensive tool for which you can only afford one user licence. This can happen, especially in the early stage. Unfortunately, that will be classified as a non-conformity, as it is a potential security risk: with a single shared account, actions can no longer be attributed to an individual.

    • It is our experience that external auditors accept this during the first year of your certification; however, you will need evidence in place proving that you are aware of this issue and know the risks, that the tool is important for your business (or security), and that C-level accepts the risk.

    • Our suggestion is that in this case you already make a note in the risk assessment for this supplier. It is not yet needed to perform an entire supplier assessment. Just add notes about the single user account for multiple users and the reason why in the field [define residual risk] of the Supplier Assessment, and you can add to the field [suggest Improvements] 'next year we will reconsider the subscription fee', or any other improvement that you want to add.

    • If more than one team member is assigned the admin role for one tool: in Compleye Online, you can use the 'add new field' functionality to add an extra field. Once added, this field will be visible for all other tools as well.

    • Selecting who has access is easy. It is divided into 2 tabs, Internal and External, and you just tick the boxes. If you miss team members, you probably have not added them to the People section. If you miss suppliers, you will need to tick the box 'Is part of Software Access' in the General tab of the Supplier Overview.

    • When a supplier has access, we suggest you create an extra field by using 'add a new field' and choosing a Text field (e.g. name the field Remarks). Add some notes to Remarks, e.g. how many users of the supplier have access, if you have guidelines for this (either in the supplier assessment or the supplier management policy), and add the name and email address of the contact person at the supplier to this field. This will come in handy during security controls related to Access Management.

    • Once the Access Management Policy is defined and approved, add it to the Procedure/Info feature. Write notes for your team members.

    • There is the possibility to perform a quick search, e.g. to see what tooling a particular team member has access to. In this case, use the search filters: you can add the name of the team member in the selection filter.

    • This quick search is handy, e.g. when a team member leaves the company and you want to close all access to tooling within 1 day.

    • Activity logs of this section can be used for Security Controls, as evidence of performing control activities.
Field Name: Software Tool
Values: Describe the software tool in free text.
Explanation / Example: Compleye Online

Field Name: Profile
Values: Select a profile from the drop-down menu. Options are: Business Services, Cloud Provider, MarCom, Office Tool, Project Management Tool, Third-Party Data Provider, Documentation Storage, Installers, Support Desk Tool, Security Support, Other. You can pick from the drop-down list or choose Other; if you choose Other, you add a new profile.
Explanation / Example: Compliance Tool

Field Name: Admin and Status
Values: Select the administrator from the drop-down menu and select the status of the tool (active or non-active). Mandatory to fill in.
Explanation / Example: [Choose a team member who is either admin or who will be responsible for access management.]

Field Name: Internal Access
Values: Select names from the checkbox list.
Explanation / Example: [Choose team members who will have access]

Field Name: External Access
Values: Select names from the checkbox list.
Explanation / Example: [Choose suppliers who will have access]