Appendix N
393
ship and accountability for the various tasks. Policies might have higher-
level roles, such as at the department level, whereas procedures define
roles more specifically by their job titles. Some of the roles that should be
defined include:
• Who provides access
• Who approves access
• Who tracks what access a person has
• Who owns the termination process
With ID administration, ownership is critical. In many companies, ownership is not clear, and personnel have different ideas about who does what. This situation can become chaotic depending on the number of personnel and the level of turnover. It is very important that these roles and responsibilities are not defined for specific people but for actual roles. This results in less maintenance and it makes it easier to allocate specific responsibilities to others if needed.
Risk:
Without clearly defined roles and responsibilities, there is no ownership or accountability. A risk exists that user ID administration processes will not be completed properly or performed consistently. Taking it one step further, enforcement is also difficult because there is no formal process.
Client Response:
4. Is access to IT resources provided based on what is needed for a particular
job and is it approved by a management-level employee?
Guidance:
Typically, when new employees join a company, access is given to certain IT resources so they can do their jobs. The purpose of this question is to determine how this access is given and whether it is based on a person’s job description. There is a balance here that should be considered. The more granular a level someone’s access is granted, the more administration effort will be required. Ideally, job descriptions should correspond to certain roles, which should correspond to certain access. For example, a profile should exist for the position of accounts receivable clerk that provides certain access, perhaps including edit access to the accounts receivable transactions, read access to other financial information, and other general access such as e-mail and the Internet. Another consideration when reviewing how access is granted is regulatory concerns. For example, access to view consolidated financial information in publicly traded companies should be restricted, as this is sensitive information that can be used for insider trading. In addition, special thought should be given when granting access to sensitive information (e.g., employee salary information, research and development data) or privileged access.
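As an added example (not from the book), the following Python check applies the guidance above: a request is compared against the role profile for the job title, the approver must be management-level and distinct from the person who provides the access, and anything outside the profile, especially sensitive or privileged items, is escalated for explicit approval. The role profiles, resource names and request fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role profiles: job title -> set of (resource, permission).
# The accounts receivable clerk profile mirrors the one described in the guidance.
ROLE_PROFILES = {
    "accounts_receivable_clerk": {
        ("ar_transactions", "edit"),
        ("financial_reports", "read"),
        ("email", "use"),
        ("internet", "use"),
    },
}

# Resources and permissions that call for special thought before they are granted.
SENSITIVE_RESOURCES = {"consolidated_financials", "employee_salaries", "rd_data"}
PRIVILEGED_PERMISSIONS = {"admin"}


@dataclass
class AccessRequest:
    user: str
    job_title: str
    requested: set      # set of (resource, permission) tuples
    provider: str       # who provides (sets up) the access
    approver: str       # who approves the access
    approver_is_manager: bool


def evaluate_request(req):
    """Return (decision, findings): 'grant', 'escalate' (needs explicit extra approval) or 'reject'."""
    profile = ROLE_PROFILES.get(req.job_title)
    if profile is None:
        return "reject", [f"no role profile defined for job title {req.job_title!r}"]
    # Approval controls: management-level approver, and provider != approver.
    control_failures = []
    if not req.approver_is_manager:
        control_failures.append("approver is not a management-level employee")
    if req.approver == req.provider:
        control_failures.append("the same person provides and approves the access")
    if control_failures:
        return "reject", control_failures
    # Anything beyond the profile is escalated; sensitive or privileged items are called out.
    extra = []
    for resource, perm in sorted(req.requested - profile):
        tag = ("sensitive/privileged"
               if resource in SENSITIVE_RESOURCES or perm in PRIVILEGED_PERMISSIONS
               else "outside profile")
        extra.append(f"{resource}:{perm} ({tag})")
    return ("escalate", extra) if extra else ("grant", [])
```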
AU1706_book.fm Page 393 Wednesday, July 28, 2004 11:06 AM