
How to

Establish an Access Granting Process

- Safeguard 6.1

Here's a step-by-step guide to establishing and following a process for granting access to enterprise assets when a user is newly hired, is granted rights, or changes role, as required by CIS Control 6 - Access Control Management, Implementation Group 1 (IG1):

 

Step 1: Define Access Provisioning Policies:

  1. Define clear policies for when access should be provisioned, such as for new hires, rights grants, or role changes. Determine the timing and triggers for these actions.

 

Step 2: Inventory of Enterprise Assets:

  1. Create and maintain an inventory of all enterprise assets, including systems, applications, databases, and other resources that require user accounts.

 

Step 3: Automated Account Management:

  1. Implement an automated account management system that can provision access based on predefined triggers. This helps ensure immediate action and consistency.

 

Step 4: Identify Triggers:

  1. Identify triggers that indicate when an account should be provisioned, such as when a new employee joins the organization, a new role is assigned, or specific rights are granted.

Step 5: Provision Accounts:

  1. Upon detection of a trigger, automatically provision the user account with the appropriate access rights and privileges.

Step 6: Role-Based Access Control:

  1. Utilize role-based access control (RBAC) principles to determine the access rights and permissions associated with each user's role.

Step 7: Communication and Verification:

  1. Communicate the access provisioning process to relevant stakeholders, including HR, IT, and management, to ensure consistent implementation.


Step 8: Integration with HR and IT:

  1. Establish a streamlined communication process between HR and IT to ensure that access provisioning actions are executed promptly upon new hires, role changes, or rights grants.

 

Step 9: Review Process Annually:

  1. Review the access provisioning process annually to ensure it remains effective, relevant, and aligned with organizational changes.

Step 10: Incident Response Integration:

  1. Integrate the access provisioning process with your incident response plan to ensure rapid response to potential security breaches.

Step 11: Continuous Improvement:

  1. Continuously assess and improve the access provisioning process based on feedback, lessons learned, and changes in technology or roles.

Step 12: Record Keeping:

  1. Maintain records of all access provisioning actions, including the reason, date, time, and individuals involved.

Step 13: Training and Awareness:

  1. Train relevant personnel involved in HR, IT, and security on the importance of accurately and promptly provisioning access upon triggers.
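
Steps 4, 5, 6 and 12 combined in one routine, as an added example that is not part of the original guide: a trigger event from HR or IT is mapped through an RBAC table to a set of entitlements, applied to the account, and logged. The role names, entitlement strings, user names and event field names are all constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed role-to-entitlement map (Step 6, RBAC); all names are hypothetical.
ROLE_ENTITLEMENTS = {
    "accountant": {"email", "erp:read", "erp:post-journal"},
    "ap_manager": {"email", "erp:read", "erp:approve-payment"},
}
TRIGGERS = {"new_hire", "role_change", "rights_grant"}  # Step 4

def provision(event, accounts, audit_log, now=None):
    """Apply one trigger event to `accounts`; append and return the audit record."""
    kind, user = event["trigger"], event["user"]
    if kind not in TRIGGERS:
        raise ValueError(f"unknown trigger: {kind!r}")
    current = accounts.get(user, set())
    if kind == "rights_grant":
        target = current | set(event["rights"])
    else:
        # An unknown role raises KeyError before any change is made (fail closed).
        # A role change replaces the old role's rights instead of adding to
        # them; direct grants must be re-requested (assumption of this example).
        target = set(ROLE_ENTITLEMENTS[event["role"]])
    # Build the record first: an event missing its reason or the individuals
    # involved raises KeyError here and no access is changed.
    record = {  # Step 12: reason, date, time, individuals involved
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "trigger": kind,
        "reason": event["reason"],
        "requested_by": event["requested_by"],
        "approved_by": event["approved_by"],
        "granted": sorted(target - current),
        "removed": sorted(current - target),
    }
    accounts[user] = target  # Step 5
    audit_log.append(record)
    return record

if __name__ == "__main__":
    accounts, log = {}, []
    who = {"requested_by": "hr.lee", "approved_by": "mgr.kim"}  # constructed
    provision({"trigger": "new_hire", "user": "jdoe", "role": "accountant",
               "reason": "start date reached", **who}, accounts, log)
    provision({"trigger": "role_change", "user": "jdoe", "role": "ap_manager",
               "reason": "promotion", **who}, accounts, log)
    for rec in log:
        print(rec)
```

The `granted` and `removed` fields in each record show what a role change actually did to the account, which is what the annual review in Step 9 would read back.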


By following these steps, you'll establish a robust and automated process for granting access to enterprise assets, enhancing security, and ensuring efficient onboarding and role changes, in alignment with the requirements of CIS Control 6. This process contributes to your organization's incident response capabilities and overall security posture.
