348
A Practical Guide to Security Assessments
8. If the terminated employee had access to specific applications aside from the standard business applications (e.g., word processing, spreadsheet), are those application owners informed on a timely basis so that the application access can be removed?
Guidance:
Some clients will say that not revoking application-level access is not a major risk as long as access to the network has been revoked, because network access is needed to reach the application. Although this might have some merit, there are ways to gain unauthorized access to the network. In the case of terminated employees who are technically savvy, we are dealing with insiders who know the network and can potentially gain access because of their knowledge. If they gain access to the network, they can access the applications and cause damage. Depending on what application they access, the damage can be enormous. For example, if they can access order entry systems, fictitious orders can be placed or, worse yet, orders can be deleted. If the terminated employee was from HR, that person could potentially gain access to sensitive personnel information. The damage to a company can be significant. Revoking the application access might appear unnecessary, but it is another layer of security that is valuable. Ideally, application access should be specifically addressed in the termination process.
Risk:
If a terminated employee’s application access is not revoked, a risk exists that the former employee may gain unauthorized access to the application, or that some other employee might use the terminated employee’s account to access applications and potentially cause damage.
Client Response:
9. Are network access, application access, and facility access lists periodically reviewed and purged to help ensure that terminated users’ access has been removed at both the network and application levels?
Guidance:
Periodic review of access lists for the network and key applications is another layer of security that helps ensure that terminated personnel’s access has been removed. If an oversight occurred and a terminated employee’s access was not revoked, this process should catch such a case. Department heads or application owners should review these access lists to determine whether any access should be removed and to ensure that only those who require access have it. The frequency of the process depends on the level of risk associated with the terminations.
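As an added illustration of the reconciliation that both the application-access check in item 8 and the periodic access review in item 9 depend on (example code added here, not from the book), the script below compares constructed HR termination records against constructed network, application and facility access lists and flags every terminated user who still appears on any list, checking each application list independently of the network list. All user names, system names and dates are invented.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the book): HR termination dates and the
# access lists a department head or application owner would review.
TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 15),
    "bwong": date(2024, 4, 2),
}
ACCESS_LISTS = {
    "network": {"jdoe", "bwong", "cjones", "dlee"},
    "order_entry": {"asmith", "cjones"},      # asmith: network revoked, app not
    "hr_payroll": {"jdoe", "dlee"},
    "facility_badge": {"bwong", "cjones", "dlee"},
}
AS_OF = date(2024, 4, 10)  # date the review is run


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    days_since_termination: int


def review_access(terminations, access_lists, as_of, grace_days=1):
    """Return a Finding for every terminated user still present on any access
    list more than `grace_days` after termination. Each list is checked on its
    own, so lingering application or facility access is reported even when
    network access was already revoked (the layered control in the guidance)."""
    findings = []
    for system, users in access_lists.items():
        for user in sorted(users & set(terminations)):
            age = (as_of - terminations[user]).days
            if age > grace_days:
                findings.append(Finding(user, system, age))
    return findings


def summarize(findings):
    """Group findings by user so the reviewer sees every level still open."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, []).append(f.system)
    return {user: sorted(systems) for user, systems in by_user.items()}


if __name__ == "__main__":
    for f in review_access(TERMINATIONS, ACCESS_LISTS, AS_OF):
        print(f"{f.user:8} still on {f.system:15} {f.days_since_termination} days after termination")
```

In practice the two inputs would be exported from the HR system and from each system's account list, and the output goes to the application owner for removal.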
AU1706_book.fm Page 348 Wednesday, July 28, 2004 11:06 AM