While vulnerable passwords typically receive the bulk of media coverage, an equally serious system threat may already be stalking the halls of your organization. Company employees and the systems they should have access to are constantly changing. Employees’ roles are revised, they move on to new organizations, and new personnel are onboarded, and with each and every change comes the risk of someone continuing to have access to your systems when they should not.
If an employee’s role changes, for example, do they still need the same level of system access, if at all? And what if a system administrator misses an employment termination email? Wouldn’t that former employee still be able to use a system for far longer than they should?
To prevent these scenarios from wreaking havoc on your organization’s information, it’s critical that you take regular inventories of your systems’ users and their access requirements. You can do so by conducting routine audits of user-access lists.
At a high level, user access dictates how available the organization’s data is to system users. Frequently auditing which users have access to your systems, and how much access they have, is one of the most effective ways to protect your information from unwanted eyes. Should this user still have access to this particular system, and how much access do they really need to do their job effectively?
Whether you’re guarding against a disgruntled employee or defending against mishaps, auditing user-access lists assesses these vulnerable areas and helps to ensure your systems’ information is safe, secure, and compliant. Here are four tips to make your user-access audits more effective:
Organizations should review their termination processes on a regular and consistent basis to ensure that every required account disablement has actually been carried out. As a best practice, you should keep records of terminated employees and account revocations. You can then cross-reference these records with your HR department’s list of active employees and revoke any accounts that should no longer exist.
Managers are often aware of special projects that require personnel to have temporary access to a system. Similarly, company vendors or contractors may need interim access to keep projects moving forward. To keep user-access lists up to date, companies should consider building user-access requirements into employees’ annual performance reviews to help determine whether the same level of access is still needed.
Typically, numerous departments across an organization have access to one system. Take Fujifilm’s Synapse® PACS, for example, which provides access to both the radiology and cardiology departments. Because of this, it’s essential that you confirm with the other departments which employees have access to the system, verify their employment status, and confirm whether their current level of access is warranted. It’s also common for accounts to be created and then never used on interdepartmental systems. You should investigate these situations as well.
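One way to carry out the cross-check described in the tips above (termination records against the HR roster, plus never-used or dormant accounts), as an added example that is not from the original post or from Fujifilm; the account names, roles, dates and the 90-day dormancy threshold are constructed for illustration:

```python
"""Reconcile a system's user-access export against HR and termination records."""
from datetime import date

# Constructed sample: what a user-access export from an application might look like.
ACCOUNTS = [
    {"user": "jsmith", "role": "rad_tech", "enabled": True, "last_login": date(2024, 5, 2)},
    {"user": "mlee", "role": "cardio_admin", "enabled": True, "last_login": None},
    {"user": "rgarcia", "role": "rad_admin", "enabled": True, "last_login": date(2024, 1, 15)},
    {"user": "vendor01", "role": "rad_tech", "enabled": True, "last_login": date(2023, 9, 30)},
]
# Constructed sample: HR's list of active employees and their current job title.
HR_ACTIVE = {"jsmith": "rad_tech", "mlee": "cardio_tech"}
# Constructed sample: users the termination process says were revoked.
TERMINATED = {"rgarcia"}
# Constructed sample: roles each job title is expected to hold (the functional review).
ROLES_FOR_TITLE = {"rad_tech": {"rad_tech"}, "cardio_tech": {"cardio_tech"}}


def audit_accounts(accounts, hr_active, terminated, roles_for_title, today, stale_days=90):
    """Return (user, reason) findings for every enabled account that needs review."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # already disabled; nothing to revoke
        if user in terminated:
            findings.append((user, "terminated but still enabled"))
        elif user not in hr_active:
            findings.append((user, "not on HR active roster"))
        elif acct["role"] not in roles_for_title.get(hr_active[user], set()):
            findings.append((user, f"role {acct['role']} not expected for {hr_active[user]}"))
        # Dormancy checks apply regardless of the ownership result above.
        if acct["last_login"] is None:
            findings.append((user, "account never used"))
        elif (today - acct["last_login"]).days > stale_days:
            findings.append((user, f"no login in {stale_days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(ACCOUNTS, HR_ACTIVE, TERMINATED, ROLES_FOR_TITLE, date(2024, 6, 1)):
        print(f"{user}: {reason}")
```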
A functional review of job roles in your organization will help ensure that all employees have the access they need. It will also actively flag employees who maintain system access that is no longer needed. Do people with a particular job title really need access to these applications to do their job effectively?
To optimize user-access audits, it’s imperative that the entire organization works together to create a culture of security, starting with top management, branching out to vendor partners, and continuing down the full organizational chain. Fujifilm Medical Systems, U.S.A., Inc. (FMSU) can partner with you to audit your user-access lists. For additional information on FMSU’s user-access audit initiatives, please contact your Fujifilm representative.