Access management is the control and monitoring of the access granted to high-risk software and tools used within an organization. It ensures that only authorized individuals can reach sensitive data, shielding the company from potential threats and breaches, and that vendor access is properly granted, monitored, and revoked when no longer needed.
For audits, it shows that the organization carefully manages third-party access and demonstrates a proactive approach to managing vendor-related risks.
The first step in access management is to document and review all access to the software identified as critical and high-risk during your Vendor Risk Management exercise. Tools like Personio, Jira, Hubspot, GitHub, Slack, and Notion often fall into this category. It is recommended to carry out these reviews at least quarterly. Broadening the review to the tools used in other departments, such as development, product, HR, communication, and sales, is optional but good practice.
What accesses do I need to document?
Access management primarily focuses on human accounts, since they carry a higher degree of risk and unpredictability than machine accounts, which generally operate within fixed parameters and thus pose a lower security risk.
How to work on access management
Exporting user list
In Secfix, navigate to the Vendors section
Sort by Risk level
Note the vendors assigned the High risk level
For each high-risk vendor, export the user list (preferably as .csv). You should be able to export it directly from the vendor's application
Spreadsheet structuring
The access management template was shared with you by your CSM and can be found in the Supporting Docs folder on your shared Google Drive/OneDrive.
Open the Access management template
Replicate the ‘Customer Template’ tab for each high-risk vendor identified
Customize each tab with the respective vendor's name for easy identification
Importing user list
Under each vendor-specific tab, add the user list exported from the vendor's application
Click on File and then Import. Select Append to current sheet
Align and organize the imported data to match the template's structure
Filling the remaining columns
In each vendor tab, populate the remaining columns according to your organization's structure
Reporting necessary changes
Use the ‘Findings’ column to note the necessary adjustments to user roles
Be thorough and list all the relevant details so that the review meetings can reach informed decisions
Summary report
Work on the "Report Summary" tab within the same spreadsheet
Transfer the insights gathered in individual vendor tabs into this consolidated report
Version history
Create a “Version History” tab that records all changes made to the spreadsheet
Log every update with the date and a short description to keep change management transparent
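The spreadsheet steps above (import each vendor's user export, fill the Findings column, consolidate into a summary) can also be scripted once the exports are in hand. The following Python script is an added example and is not Secfix's template or tooling: it reconciles constructed vendor CSV exports against a constructed HR roster, flags accounts that belong to offboarded people, accounts unknown to HR, privileged roles, and long-idle accounts, and produces the per-vendor summary counts. The column names, the 90-day idle threshold, and the privileged role names are assumptions to adapt to your own exports.

```python
"""Access review helper (added example, not Secfix's template).

Reconciles per-vendor user exports against an HR roster and fills a
'Findings' list for every account, then builds per-vendor summary counts
like the 'Report Summary' tab of the spreadsheet.
"""
import csv
import io
from datetime import date

# Constructed HR roster: current employment status per person.
HR_ROSTER_CSV = """email,status,department
alice@example.com,active,Engineering
bob@example.com,active,Sales
carol@example.com,terminated,Engineering
"""

# Constructed vendor exports. Column layouts deliberately differ per vendor,
# as real exports do, so each one needs its own column mapping below.
VENDOR_EXPORTS = {
    "GitHub": """login,email,role,last_active
alice,alice@example.com,admin,2024-05-02
carol,carol@example.com,member,2024-01-15
contractor1,dave@partner.example,admin,2023-11-30
""",
    "Slack": """Email,Type,Last Login
alice@example.com,Member,2024-05-03
bob@example.com,Owner,2024-04-28
eve@example.com,Guest,2023-09-01
""",
}

# Assumed mapping from each export's headers onto the template's columns.
COLUMN_MAP = {
    "GitHub": {"email": "email", "role": "role", "last_seen": "last_active"},
    "Slack": {"email": "Email", "role": "Type", "last_seen": "Last Login"},
}

PRIVILEGED_ROLES = {"admin", "owner"}  # assumption: roles that need justification
STALE_DAYS = 90                        # assumption: idle threshold for a finding


def load_roster(csv_text):
    """Return {email: status} from the HR roster export (emails normalised)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["email"].strip().lower(): r["status"].strip().lower() for r in reader}


def review_vendor(vendor, export_csv, roster, today):
    """Import one vendor export and compute the Findings entry for each row."""
    cols = COLUMN_MAP[vendor]
    rows = []
    for raw in csv.DictReader(io.StringIO(export_csv)):
        email = raw[cols["email"]].strip().lower()
        role = raw[cols["role"]].strip().lower()
        last_seen = date.fromisoformat(raw[cols["last_seen"]].strip())
        findings = []
        status = roster.get(email)
        if status is None:
            findings.append("not in HR roster: confirm external account or revoke")
        elif status != "active":
            findings.append("offboarded in HR: revoke access")
        if role in PRIVILEGED_ROLES:
            findings.append(f"privileged role '{role}': confirm still required")
        idle = (today - last_seen).days
        if idle > STALE_DAYS:
            findings.append(f"no activity for {idle} days: consider removal")
        rows.append({"vendor": vendor, "email": email, "role": role,
                     "last_seen": last_seen.isoformat(), "findings": findings})
    return rows


def summarize(rows):
    """Build the per-vendor counts that go into the summary report."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["vendor"],
                               {"accounts": 0, "with_findings": 0, "to_revoke": 0})
        s["accounts"] += 1
        if r["findings"]:
            s["with_findings"] += 1
        if any(f.startswith("offboarded") for f in r["findings"]):
            s["to_revoke"] += 1
    return summary


def run_review(today=date(2024, 5, 10)):
    """Run the review over every vendor export; 'today' fixed for reproducibility."""
    roster = load_roster(HR_ROSTER_CSV)
    rows = []
    for vendor, export in VENDOR_EXPORTS.items():
        rows.extend(review_vendor(vendor, export, roster, today))
    return rows, summarize(rows)


if __name__ == "__main__":
    rows, summary = run_review()
    for r in rows:
        print(f"{r['vendor']:<7} {r['email']:<24} {r['role']:<7} "
              f"{'; '.join(r['findings']) or 'OK'}")
    print(summary)
```

The printed rows are what goes into each vendor tab's Findings column, and the summary dictionary is the material for the consolidated report; the review meeting still decides what to do with each finding, and the date and a short description of that decision belong in the Version History tab.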
🤝 Access review meeting
On a quarterly basis you should hold the access review meeting and document it in your Manual evidence.
You will also need to provide documents or reports from a recent periodic access review of all in-scope components, including data stores, cloud infrastructure, version control system, etc. It can take the form of a ticket, an email with findings, etc.