Personnel

  • How does your organization onboard new staff members?
    • Do repeatable processes exist to ensure that new staff members get the correct permissions and have access to only the information and information systems that they need to do their jobs?
    • Do processes exist to onboard contractors and partners in a similar fashion as mentioned previously for staff members?
A very common problem is that an organization builds solid, repeatable processes for its internal staff members, but has only ad hoc processes in place for contractors and partners. Ensure that you build a process that includes everyone who will require access to your organization's data and information systems.
  • How does your organization out-process staff members?
    • As previously mentioned, ensure that any process includes internal staff, contractors, and partners.
    • Does your organization have a mechanism where HR informs IT that staff members are leaving so that rights can be revoked?
    • How are application owners notified of changes in employment? IT may be notified and network access may be revoked, but application access may still be enabled.
After an employee, contractor, or partner leaves a company, application access is often still in place. It is very important that a process exists to notify everyone who has IT administration capabilities in an organization. Remember that not all IT administration sits under the chief information officer. In most cases, the user administration of business applications is performed by the business units themselves (finance manages the accounting system, HR manages the HRIS system, and so on). The points of contact for these systems must be notified when someone has left the service of the organization.
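One way to catch the gap described above, where HR and central IT have processed a departure but business-unit-administered applications still have the account enabled, is a periodic reconciliation of each application's user export against the HR feed. The script below is an added example, not from the book or any particular product; the HR feed, application user lists, owner contacts and dates are all constructed. It flags two conditions: accounts whose owner has an end date on or before the run date, and accounts with no HR record at all (which is usually a contractor or partner who was onboarded outside the standard process), and groups the results by the application's point of contact so each owner receives one revocation list.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    email: str
    kind: str                  # "staff", "contractor" or "partner"
    end_date: Optional[date]   # None while the engagement is still active


# Constructed HR feed (hypothetical data). One feed covers staff,
# contractors and partners, so a single process handles everyone.
HR_FEED = [
    Person("alice@example.com", "staff", None),
    Person("bob@example.com", "staff", date(2024, 3, 31)),
    Person("carol@partner.example", "partner", date(2024, 1, 15)),
    Person("dave@contractor.example", "contractor", None),
]

# Constructed user exports from applications administered by business
# units rather than central IT. Values are the accounts currently enabled.
APP_USERS: Dict[str, List[str]] = {
    "accounting": ["alice@example.com", "bob@example.com"],
    "hris": ["alice@example.com", "carol@partner.example", "erin@example.com"],
    "crm": ["dave@contractor.example", "bob@example.com"],
}

# Constructed points of contact who can actually disable the accounts.
APP_OWNERS: Dict[str, str] = {
    "accounting": "finance-apps@example.com",
    "hris": "hr-systems@example.com",
    "crm": "sales-ops@example.com",
}

Finding = Tuple[str, str, str, str]   # (app, account, reason, owner)


def reconcile(hr_feed: List[Person], app_users: Dict[str, List[str]],
              app_owners: Dict[str, str], as_of: date) -> List[Finding]:
    """Return every enabled application account that should be revoked.

    An account is flagged when its HR record has an end date on or before
    as_of, or when it has no HR record at all (onboarded outside the process).
    """
    by_email = {p.email.lower(): p for p in hr_feed}
    findings: List[Finding] = []
    for app, accounts in app_users.items():
        owner = app_owners.get(app, "unknown-owner")
        for acct in accounts:
            person = by_email.get(acct.lower())
            if person is None:
                reason = "no_hr_record"
            elif person.end_date is not None and person.end_date <= as_of:
                reason = "left_" + person.end_date.isoformat()
            else:
                continue   # active person, nothing to do
            findings.append((app, acct, reason, owner))
    return sorted(findings)


def notifications(findings: List[Finding]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group findings by owner so each application contact gets one list."""
    out: Dict[str, List[Tuple[str, str, str]]] = {}
    for app, acct, reason, owner in findings:
        out.setdefault(owner, []).append((app, acct, reason))
    return out


if __name__ == "__main__":
    today = date(2024, 4, 1)   # constructed run date
    for owner, items in notifications(reconcile(HR_FEED, APP_USERS, APP_OWNERS, today)).items():
        print(owner)
        for app, acct, reason in items:
            print(f"  disable {acct} in {app} ({reason})")
```

Matching on e-mail address is an assumption for the example; in practice each application export should be joined to the HR feed on whatever stable identifier it carries (employee number, IdP object ID), because display names and e-mail aliases change. The "no HR record" finding is as important as the "left" finding: it is the signal that a contractor or partner account was created without going through the onboarding process.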
  • How do you monitor personnel?
    • Do you have policies and training in place that clearly set expectations regarding privacy and monitoring of users?
    • What technological capabilities do you have in place?
      • Do you have a DLP solution that can ensure that users are unable to send sensitive corporate data to unauthorized users or networks?
      • Have you deployed a solution such as information rights management in Office 365 (https://technet.microsoft.com/en-us/library/dn792011.aspx) that allows you to revoke access to information regardless of its location?
      • Do you have a Cloud Access Security Broker (CASB), which allows you to define rules for a user's access to information in a cloud environment?