User access basics
Are access rights appropriate?
Broadly, user access may be:
- Business appropriate and a close fit to needs.
- Appropriate but overly broad -- i.e., users have the access that they require, but it is defined in such a way that they also have access that exceeds their needs.
- No longer appropriate -- access made sense previously but is no longer required.
- Was never appropriate -- granted in error.
- Compliant with policy, or not (for example, regarding segregation of duties).
Are users reliably identified before gaining access?
User access may be either reliably or weakly authenticated. If the latter, then even where user access is business appropriate, there is only a weak guarantee that the right user is the one exercising those access rights.
Is there an audit trail?
Finally, there are audit questions:
- Is there a record of when and how a user gained a given set of access rights?
- Who requested and who approved user access?
- Is there a record of when and how access rights are used?
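The following is an added example, not part of the original page, that turns the questions above into a small access review: it sorts each grant into the four appropriateness categories (fit, overly broad, no longer appropriate, never appropriate), checks the combined rights of each user against a segregation-of-duties rule, flags grants whose login path is weakly authenticated, and reports audit-trail gaps (no request or approval record, usage not logged, or access unused for a long period). The role-to-rights matrix, entitlement bundles, HR view, conflict rule and sample grants are all constructed for illustration; the 90-day "unused" threshold is an assumed review parameter, not something the page specifies.

```python
"""Added example: review access grants for business fit, policy compliance,
authentication strength and audit-trail completeness. All data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed: the rights each job role genuinely needs (the business need).
ROLE_NEEDS = {
    "ap_clerk":   {"invoices:read", "invoices:create"},
    "ap_manager": {"invoices:read", "invoices:approve"},
    "developer":  {"repo:read", "repo:write"},
}

# Constructed: entitlement bundles as the system defines them; a bundle may
# carry more rights than any single role needs (the "overly broad" case).
BUNDLES = {
    "ap_basic": {"invoices:read", "invoices:create"},
    "ap_full":  {"invoices:read", "invoices:create", "invoices:approve", "invoices:delete"},
    "dev_repo": {"repo:read", "repo:write"},
}

# Constructed segregation-of-duties rule: nobody may both create and approve invoices.
SOD_CONFLICTS = [("invoices:create", "invoices:approve")]

# Constructed HR view: each user's current role; None means the person has left.
CURRENT_ROLE = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "developer", "dave": None}


@dataclass
class Grant:
    user: str
    bundle: str
    role_at_grant: str            # role the user held when the access was granted
    granted_on: date
    requested_by: Optional[str]   # None = no request record survives
    approved_by: Optional[str]    # None = no approval record survives
    auth: str                     # "mfa" or "password": how the user is identified at login
    last_used: Optional[date]     # None = this system does not log usage at all


def classify(g: Grant) -> str:
    """Map one grant onto the four appropriateness categories from the page."""
    have = BUNDLES[g.bundle]
    needed_then = ROLE_NEEDS.get(g.role_at_grant, set())
    needed_now = ROLE_NEEDS.get(CURRENT_ROLE.get(g.user) or "", set())
    if not have & needed_then:
        return "never_appropriate"       # granted in error: the role never needed any of it
    if not have & needed_now:
        return "no_longer_appropriate"   # the user changed role or left
    if have <= needed_now:
        return "fit"                     # every right in the bundle is needed today
    return "overly_broad"                # needed rights come bundled with unneeded ones


def sod_violations(grants):
    """Users whose combined grants contain a conflicting pair of rights."""
    rights = {}
    for g in grants:
        rights.setdefault(g.user, set()).update(BUNDLES[g.bundle])
    return sorted(u for u, r in rights.items()
                  if any(a in r and b in r for a, b in SOD_CONFLICTS))


def audit_findings(g: Grant, today: date, stale_after=timedelta(days=90)):
    """Authentication and audit-trail findings for one grant, in a fixed order."""
    findings = []
    if g.requested_by is None or g.approved_by is None:
        findings.append("no_request_or_approval_record")
    if g.auth != "mfa":
        findings.append("weak_authentication")   # right grant, weak proof of who is using it
    if g.last_used is None:
        findings.append("usage_not_logged")
    elif today - g.last_used > stale_after:
        findings.append(f"unused_over_{stale_after.days}_days")  # candidate for removal
    return findings


def review(grants, today: date):
    """Per-grant category and findings, plus the list of SoD violators."""
    report = {f"{g.user}/{g.bundle}": {"category": classify(g),
                                       "findings": audit_findings(g, today)}
              for g in grants}
    return report, sod_violations(grants)


# Constructed sample grants: a clean one, an overly broad one that also breaks SoD,
# one granted in error with no approval record, and one belonging to a leaver.
TODAY = date(2024, 6, 1)
GRANTS = [
    Grant("alice", "ap_basic", "ap_clerk",   date(2023, 1, 10), "alice", "bob",  "mfa",      date(2024, 5, 30)),
    Grant("bob",   "ap_full",  "ap_manager", date(2022, 3, 1),  "bob",   "hr",   "mfa",      date(2024, 5, 31)),
    Grant("carol", "ap_basic", "developer",  date(2023, 9, 5),  None,    None,   "password", date(2023, 9, 6)),
    Grant("dave",  "dev_repo", "developer",  date(2021, 7, 1),  "dave",  "lead", "mfa",      date(2023, 12, 20)),
]

if __name__ == "__main__":
    report, violators = review(GRANTS, TODAY)
    for key, result in report.items():
        print(key, result["category"], result["findings"])
    print("segregation-of-duties violations:", violators)
```

Note how bob's grant is both "overly_broad" and a segregation-of-duties violation: the manager role needs only read and approve, but the bundle also carries create, so the policy breach is a direct consequence of the broad entitlement definition rather than of any deliberate decision.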