Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 165
User Access Review
All accounts associated with a human user of your systems should be subject to review on a periodic basis, and to special reviews when circumstances warrant it (a transfer, a termination, a suspected compromise). For the most part, these will be user-level accounts and not the system or service accounts that only system processes use. (You'll learn about those next.) Whether you control access with rule-based policies or by interpreting the various roles a user holds, you must periodically review the access privileges granted to each user (or system or software entity). The review period should be set by policy and strictly enforced through well-documented processes. Many organizations review the access of each user once per year; higher-risk roles and privileged accounts warrant a shorter interval.
Your user access review process should include, at a minimum, the following:
All of the accounts created for the user or the accounts to which the user has been granted access
All of the computers this user can connect to, use, or log into
All of the databases this user can read from or write to
All of the applications this user can use
All of the websites controlled by your enterprise that the user can visit and whether the user can log in, change things on the site, or merely read from it
What sorts of data this user can see or change
The times of day or days of the week all of these things may be done
The geographical locations—and logical places on the enterprise network or in the cloud—from which all of these things may be done
Many of the most serious computer breaches in history have been the result of access rights left in place after a user changed assignments or left the company. Leftover accounts and no-longer-needed access are like land mines in your network. Defuse them with periodic substantive access review.
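The checklist above, turned into a reconciliation job: an added example, not code from the book or from (ISC)2. It assumes three hypothetical inputs, an HR roster of active employees with their current role, an account inventory exported from the directory, and a role-to-entitlement map that encodes what each role is allowed to hold. All names, roles and entitlement strings are constructed for illustration. The job flags the three leftover conditions the paragraph warns about: accounts with no owner on record, accounts whose owner has left, and accounts that kept entitlements from a previous assignment, plus dormant accounts as a cheap signal that access is no longer needed.

```python
"""Periodic user access review as a reconciliation job (added example).

Inputs are constructed: an HR roster (employee id -> current role), an
account inventory, and a hypothetical role -> allowed entitlements map.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy: entitlements each job role is allowed to hold.
# Entitlement strings name the systems, databases and apps from the checklist.
ROLE_ENTITLEMENTS = {
    "accountant": {"app:erp", "db:ledger:rw"},
    "developer":  {"app:git", "db:ledger:ro", "host:build01"},
    "helpdesk":   {"app:ticketing", "host:jump01"},
}
DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold


@dataclass
class Account:
    username: str
    owner: Optional[str]          # HR employee id; None if nobody is on record
    entitlements: set
    last_login: Optional[date]    # None if the account has never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str       # no_owner | owner_terminated | excess_entitlement | dormant
    detail: str = ""


def review_access(roster: dict, accounts: list, today: date) -> list:
    """Compare every account against the HR roster and the role policy."""
    findings = []
    for acct in accounts:
        if acct.owner is None:
            # Nobody owns it, so nobody will ever ask for it to be removed.
            findings.append(Finding(acct.username, "no_owner"))
            continue
        role = roster.get(acct.owner)
        if role is None:
            # Owner left the company but the account survived: a leftover account.
            findings.append(Finding(acct.username, "owner_terminated", acct.owner))
            continue
        # Anything beyond the current role is leftover from a previous assignment.
        allowed = ROLE_ENTITLEMENTS.get(role, set())
        for ent in sorted(acct.entitlements - allowed):
            findings.append(Finding(acct.username, "excess_entitlement", ent))
        # Unused access is a strong hint it is no longer needed.
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append(Finding(acct.username, "dormant", str(acct.last_login)))
    return findings


# Constructed sample data for the review run.
TODAY = date(2024, 6, 1)
HR_ROSTER = {"e100": "developer", "e101": "accountant", "e102": "helpdesk"}  # e103 has left
ACCOUNTS = [
    Account("alice", "e100", {"app:git", "db:ledger:ro", "host:build01"}, date(2024, 5, 30)),
    # bob moved from accountant to helpdesk but kept ERP and ledger access
    Account("bob", "e102", {"app:ticketing", "host:jump01", "app:erp", "db:ledger:rw"},
            date(2024, 5, 29)),
    Account("carol", "e103", {"app:erp", "db:ledger:rw"}, date(2024, 1, 10)),
    Account("svc-legacy", None, {"host:build01"}, None),
    Account("dave", "e101", {"app:erp"}, date(2024, 1, 15)),
]


def run_review() -> list:
    return review_access(HR_ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.username:12} {f.kind:20} {f.detail}")
```

In a real deployment the roster comes from the HR system of record, the inventory from the directory or IAM export, and the findings go to the account owner's manager for an attest-or-revoke decision; the point of the job is that the comparison is mechanical and repeatable, so the review period set by policy can actually be enforced rather than left to memory.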