8.3.3 Removal of Access Rights

Illustrative Controls and TIBCO LogLogic Solution

Auditors sample employment records and cross-check changes in employment against changes in access rights as identified in historical system logs. They also cross-check changes in shared passwords against these same employment records. Administrators are required to demonstrate that user access privileges are modified and revoked in a timely manner upon job change or termination. Review reports and alerts on account activity, accounts created/deleted, group members added/deleted, and successful logins to VPN concentrators and critical servers.

Take prompt action on job changes, especially terminations. Knowledge transfer must be arranged, responsibilities reassigned and access rights removed such that risk is minimized and continuity of the function is guaranteed. When a person changes jobs or is terminated, user access privileges must be modified according to the company’s business guidelines.

To satisfy this requirement, administrators must periodically ensure that only current and authorized employees have access to the servers and systems. Administrators must ensure that all terminated users have been disabled. In addition, administrators must ensure that the server logins and permissions of users who changed jobs are appropriate for their new role.

To ensure that the preceding requirements are met, administrators must review reports of all user deletions and group member modifications. This confirms that terminated users have been removed and that users who changed jobs have been removed from the groups tied to their former role. TIBCO LogLogic access reports and alerts that detail accounts and groups being removed are used to validate that access to corporate information has been terminated as part of this addressable control. Access reports and alerts are reviewed to ensure that anyone terminated does not retain access and has no system or network activity following the termination.
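The cross-check described above, written out as an added example (this is not TIBCO LogLogic code and not one of its reports): HR employment records are correlated with authentication, account-change and group-change log events to flag logins after a termination, terminated accounts that were never disabled or were disabled late, and old-role groups that were not removed within the deadline after a job change. The HR records and log lines below are constructed; the syslog-like key=value line format, the field names, and the one-day grace period are assumptions chosen for the example.

```python
"""Correlate constructed HR events with constructed access logs (8.3.3 check)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed HR records (not real data). "date" is the effective date of the change.
HR_EVENTS = [
    {"user": "jdoe", "event": "terminated", "date": "2024-03-01"},
    {"user": "bwong", "event": "terminated", "date": "2024-03-02"},
    {"user": "asmith", "event": "job_change", "date": "2024-03-05",
     "removed_groups": {"finance-admins"}},  # groups of the old role that must go
]

# Constructed log lines in an assumed "<ts> <host> <kind>: k=v k=v" format.
LOG_LINES = [
    "2024-02-28T09:12:01Z vpn01 auth: user=jdoe result=success src=203.0.113.7",
    "2024-03-01T17:45:10Z dc01 account: user=jdoe action=disabled by=admin",
    "2024-03-03T08:02:44Z vpn01 auth: user=jdoe result=success src=198.51.100.9",
    "2024-03-02T09:00:00Z srv-app01 auth: user=bwong result=failure src=10.0.0.8",
    "2024-03-04T10:00:00Z dc01 group: user=asmith action=added group=finance-admins",
    "2024-03-06T11:30:00Z srv-db01 auth: user=asmith result=success src=10.0.0.5",
    "2024-03-07T12:00:00Z dc01 group: user=asmith action=removed group=finance-admins",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<rest>.*)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m.group("host"), "kind": m.group("kind"), **fields}


def audit(hr_events, log_lines, grace=timedelta(days=1)):
    """Return findings as (finding_type, user, detail, timestamp) tuples.

    grace is the assumed policy deadline for revoking access after the HR effective date.
    """
    events = [e for e in (parse_line(l) for l in log_lines) if e]
    findings = []
    for rec in hr_events:
        user = rec["user"]
        effective = datetime.strptime(rec["date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        deadline = effective + grace
        mine = [e for e in events if e.get("user") == user]

        if rec["event"] == "terminated":
            # Any successful authentication after the termination date is a finding.
            for e in mine:
                if e["kind"] == "auth" and e.get("result") == "success" and e["ts"] > effective:
                    findings.append(("post_termination_login", user, e["host"], e["ts"].isoformat()))
            # The account must have been disabled, and disabled within the grace period.
            disabled = [e["ts"] for e in mine
                        if e["kind"] == "account" and e.get("action") == "disabled"]
            if not disabled:
                findings.append(("never_disabled", user, None, None))
            elif min(disabled) > deadline:
                findings.append(("late_disable", user, None, min(disabled).isoformat()))

        elif rec["event"] == "job_change":
            # Each group of the old role must show a removal on or after the change date.
            # Assumes the user held the group at the time of the change.
            for group in sorted(rec.get("removed_groups", ())):
                removals = [e["ts"] for e in mine
                            if e["kind"] == "group" and e.get("action") == "removed"
                            and e.get("group") == group and e["ts"] >= effective]
                if not removals:
                    findings.append(("group_not_removed", user, group, None))
                elif min(removals) > deadline:
                    findings.append(("late_group_removal", user, group, min(removals).isoformat()))
    return findings


def run_constructed_audit():
    """Run the audit over the constructed data above."""
    return audit(HR_EVENTS, LOG_LINES)


if __name__ == "__main__":
    for finding in run_constructed_audit():
        print(finding)
```

On the constructed data this flags jdoe's VPN login two days after termination, bwong's account that was never disabled, and asmith's old-role group that was removed two days after the job change instead of within the one-day grace period. Failed logins after termination are deliberately not flagged here, since the review above concerns successful logins; a stricter review could report them separately.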

Reports and Alerts

Use the following link/reference to see the 8.3.3 reports and alerts: TIBCO LogLogic Reports and Alerts Quick Reference.