Introduction:
Access control is one of the most important aspects of information security.
A.9.2.6 of the ISO/IEC 27001 standard focuses on the removal or adjustment of access rights of employees, vendors, and contractors on termination or change of their employment, contract, or agreement.
Organizations need to ensure that appropriate measures are in place to prevent unauthorized access to their systems and data.
This article will provide a sample checklist for evaluating the effectiveness of access rights removal or adjustment procedures.
Sample Checklist:
- Check the procedure for removing or adjusting access rights: The first step is to review the procedure for removing or adjusting access rights. Is it clearly defined, documented, and communicated to all employees, vendors, and contractors? Is it aligned with the organization’s access control policy and procedures?
- Physical access to facilities: Access rights removal or adjustment procedures should cover physical access to facilities. Are all access control systems, such as badges and keys, promptly deactivated or reprogrammed when an employee, vendor, or contractor leaves or moves internally?
- Logical access to the network: Logical access to the network, such as user accounts and passwords, should be removed or adjusted when an employee, vendor, or contractor leaves or moves internally. Are there procedures in place to promptly remove or adjust logical access rights?
- Password changes for group user IDs: Check whether the passwords of shared or group user IDs known to a departing or moving individual are changed when that person leaves or moves internally. It is important to ensure that such passwords cannot continue to be used or shared. In such cases, are departing or moving individuals also removed from the relevant groups at the same time the passwords are changed?
- Sample records: Finally, check a sample of records to verify that access rights were promptly removed or adjusted when employees, vendors, or contractors left or moved internally. Are there any instances of delayed or incomplete access rights removal or adjustment?
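The sample-record check above is easier to perform consistently when the HR leaver feed is reconciled against directory and badge-system state by a script rather than by hand. The following is an added example, not code from the article or from any particular product: it assumes a constructed record format for leavers, accounts and badges, a one-day removal SLA, and constructed sample data, and it reports the gaps the checklist asks about (accounts still enabled, removals completed after the SLA, group memberships left behind, badges still active, and old-role groups not removed after an internal move).

```python
"""Reconcile HR leaver records against account, badge and group state.

Added example for the checklist above. The data classes, the SLA value and
the sample records are constructed assumptions, not a real organisation's data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 1  # assumed SLA: access removed within one day of the leave/move date


@dataclass
class Leaver:
    """One row from the HR feed (constructed format)."""
    user_id: str
    effective_on: date                                   # termination or move date
    moved_internally: bool = False
    groups_to_remove: set = field(default_factory=set)  # old-role groups for movers


@dataclass
class Account:
    """Directory state of a logical account (constructed format)."""
    user_id: str
    enabled: bool
    disabled_on: Optional[date] = None
    groups: set = field(default_factory=set)


@dataclass
class Badge:
    """Physical access control record (constructed format)."""
    user_id: str
    active: bool
    deactivated_on: Optional[date] = None


def _late(deadline, done_on, what):
    """Return a finding string if the action happened after the SLA deadline."""
    if done_on is not None and done_on > deadline:
        return f"{what} removed {(done_on - deadline).days} day(s) after SLA"
    return None


def check_leaver(leaver, account, badge, sla_days=SLA_DAYS):
    """Return (user_id, finding) tuples for one leaver; empty list means clean."""
    deadline = leaver.effective_on + timedelta(days=sla_days)
    findings = []

    if leaver.moved_internally:
        # Adjustment case: the account stays, but old-role groups must be gone.
        if account is not None:
            leftover = leaver.groups_to_remove & account.groups
            if leftover:
                findings.append(f"old-role groups still present: {sorted(leftover)}")
        return [(leaver.user_id, f) for f in findings]

    # Termination case: logical access must be fully removed.
    if account is None:
        findings.append("no directory record found; cannot confirm removal")
    else:
        if account.enabled:
            findings.append("account still enabled")
        else:
            late = _late(deadline, account.disabled_on, "account")
            if late:
                findings.append(late)
        if account.groups:
            findings.append(f"group memberships not removed: {sorted(account.groups)}")

    # Termination case: physical access must be deactivated too.
    if badge is None:
        findings.append("no badge record found; cannot confirm deactivation")
    elif badge.active:
        findings.append("badge still active")
    else:
        late = _late(deadline, badge.deactivated_on, "badge")
        if late:
            findings.append(late)

    return [(leaver.user_id, f) for f in findings]


def audit(leavers, accounts, badges, sla_days=SLA_DAYS):
    """Run check_leaver over every HR record and collect all findings."""
    acct_by_id = {a.user_id: a for a in accounts}
    badge_by_id = {b.user_id: b for b in badges}
    results = []
    for lv in leavers:
        results.extend(check_leaver(lv, acct_by_id.get(lv.user_id),
                                    badge_by_id.get(lv.user_id), sla_days))
    return results


# Constructed sample data: one clean leaver, two with gaps, one internal move.
SAMPLE_LEAVERS = [
    Leaver("alice", date(2024, 3, 1)),
    Leaver("bob", date(2024, 3, 4)),
    Leaver("carol", date(2024, 3, 5)),
    Leaver("dave", date(2024, 3, 6), moved_internally=True, groups_to_remove={"sales-eu"}),
]
SAMPLE_ACCOUNTS = [
    Account("alice", enabled=False, disabled_on=date(2024, 3, 1)),
    Account("bob", enabled=True, groups={"finance-admins"}),
    Account("carol", enabled=False, disabled_on=date(2024, 3, 12)),
    Account("dave", enabled=True, groups={"sales-eu", "sales-apac"}),
]
SAMPLE_BADGES = [
    Badge("alice", active=False, deactivated_on=date(2024, 3, 1)),
    Badge("bob", active=False, deactivated_on=date(2024, 3, 4)),
    Badge("carol", active=True),
]

if __name__ == "__main__":
    for user_id, finding in audit(SAMPLE_LEAVERS, SAMPLE_ACCOUNTS, SAMPLE_BADGES):
        print(f"{user_id}: {finding}")
```

Each finding maps back to a checklist item: "account still enabled" and late removals belong to the logical-access check, "badge still active" to the physical-access check, leftover group memberships to the group user ID check, and the internal-move case to the "adjust" rather than "remove" part of the control. Missing records are reported as findings rather than skipped, because an account the directory cannot see is exactly the kind of gap a sample check is meant to surface.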
Conclusion:
Access control is critical to maintaining the confidentiality, integrity, and availability of an organization’s systems and data.
A.9.2.6 of the ISO/IEC 27001 standard highlights the importance of removing or adjusting access rights of employees, vendors, and contractors on termination or change of their employment, contract, or agreement.
Organizations need to ensure that appropriate measures are in place to promptly deactivate physical access control systems and remove or adjust logical access rights.
Regular reviews and sample record checks can help ensure the effectiveness of access rights removal or adjustment procedures.