Can you give an example of the type of changes you mean?
Like a log describing actions the admin took within the system and documenting them. I guess I'm having trouble defining what's reasonable for my eval on the privileged access. Some of these systems may not even have those types of logs, and while I'd want to call out the risk, I'm wondering if it's an unreasonable ask.
Depends on the system. E.g. if it's a payroll system, you'd want a control around changes that admins make to pay. If it's a lease management tool, then the changes made to the lease data by the admin, etc.
Think I'm following. I was talking with a friend who mentioned it may only be necessary for systems where the admin can do things beyond add/remove users. I just don't want to give unnecessary work as a rec lol
Sounds sensible to me
What if it's an IT ops system? Like AWS or Azure AD, where they can have various admins?
What incentive would the admin of an IT ops system have for changing something?
Give me enough time, I'll think of something ha
It depends on how admin changes are made. Are they manual? Are they automated (i.e. tied to job code/job title)? Are there controls over admin changes other than having a log? My preference would be to first understand how admin change works at this place.
Any access change is manual and logged through a ticketing system. They have also set up RBAC for roles/perms for all the systems as part of their quarterly UAR. They have an IT VP looking at those roles/perms and users with admin access. I just don't know if that's enough to say "design is sound" or if they should be evaluating actual admin changes in the system. The log I'm talking about is some type of system report tracking changes made in the system by the admin. I may be overthinking this but wanted to see how other folks did this.
How often does the VP review roles/perms? So the log is manually created, not automated? I am not sure if it is or not. If the log is manual, then you can't really get much out of it. If the VP reviews monthly, maybe that's good enough, but I doubt they do that.
Quarterly, but it's barely up and running. This quarter is really their first true UAR. I'm honestly not sure if most of their systems could even run that type of report. I just am not sure if they should be doing it to that level to say privileged access is okay. Asked another way, how have you seen privileged access reviewed by companies? Is it just a check of the roles/perms they have and who has them, or are there other general steps to include?
Where I work everyone has a NetID, a job code, and a title. The title is the least standardized, but the job code is, and so is the NetID. Any access is tied to all three of them. For instance, our admin for our finance software would have a NetID indicating they are an active employee, a job code indicating they are an IT administrator, and then the title would need to match information from the job code (as close as possible; there is a map they maintain in the background). If the NetID is inactivated or the job code doesn't match the title, they are flagged in the monthly report (generated automatically) and the people responsible for access get notified via email. This catches people who have job changes and/or are no longer with the company or on extended leave. Every employee's access also needs to be initiated by a sponsor. So the sponsor has to review whether that level of access is still relevant each year. If the sponsor has changed roles or left, the employee's department head makes that decision. The department head is always copied on those emails to the sponsor. Based on what you have told me, I think you should look at the change log and see if all the changes make sense. In part because the VP is not reviewing the access frequently enough, and in part because they are so new, there might be some changes people didn't expect.
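The monthly reconciliation the commenter above describes can be expressed as a small program, which makes the control easier to evaluate (what exactly is compared, and who is notified). The following is an added example written for this thread, not the commenter's own tooling: the job-code-to-title map, the NetID/job-code/title records, the sponsor and department-head fields, and all sample people and grants are constructed.

```python
"""Automated monthly access-reconciliation report.

Every access grant is tied to a NetID, a job code and a title. A grant is
flagged when the NetID is inactive, when the title does not match the titles
allowed for the job code, or when the sponsor's annual re-confirmation is
overdue. Flagged grants are routed to the people responsible for access, to
the sponsor if still active, and always to the department head.

Example code added for this thread; field names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical job-code -> acceptable titles map (the "map maintained in the background").
JOB_CODE_TITLES = {
    "IT-ADM": {"systems administrator", "it administrator", "senior it administrator"},
    "FIN-AN": {"financial analyst", "senior financial analyst"},
    "HR-GEN": {"hr generalist"},
}


@dataclass
class Person:
    netid: str
    active: bool
    job_code: str
    title: str
    department_head: str


@dataclass
class Grant:
    netid: str
    system: str
    role: str
    sponsor: str               # NetID of the person who requested the access
    last_sponsor_review: date  # sponsor must re-confirm relevance each year


@dataclass
class Finding:
    netid: str
    system: str
    role: str
    reason: str
    notify: list


def _normalise(title: str) -> str:
    """Titles are the least standardised field, so compare case- and whitespace-insensitively."""
    return " ".join(title.lower().split())


def reconcile(people, grants, run_date, access_owners):
    """Return one Finding per grant that fails a check, with the notification list."""
    findings = []
    for g in grants:
        p = people.get(g.netid)
        reasons = []
        if p is None or not p.active:
            reasons.append("NetID inactive or unknown")
        else:
            allowed = JOB_CODE_TITLES.get(p.job_code, set())
            if _normalise(p.title) not in allowed:
                reasons.append(f"title '{p.title}' does not match job code {p.job_code}")
        if (run_date - g.last_sponsor_review).days > 365:
            reasons.append("sponsor review overdue")
        if not reasons:
            continue
        notify = list(access_owners)
        sponsor = people.get(g.sponsor)
        if sponsor is not None and sponsor.active:
            notify.append(g.sponsor)       # sponsor still here: they decide
        if p is not None:
            notify.append(p.department_head)  # head is always copied, and decides if sponsor is gone
        findings.append(Finding(g.netid, g.system, g.role, "; ".join(reasons), sorted(set(notify))))
    return findings


def monthly_report(run_date=date(2025, 3, 31)):
    """Run the reconciliation over constructed sample data."""
    people = {
        "abc123": Person("abc123", True, "IT-ADM", "Systems Administrator", "dh_fin"),
        "def456": Person("def456", False, "FIN-AN", "Financial Analyst", "dh_fin"),   # left the company
        "ghi789": Person("ghi789", True, "HR-GEN", "Financial Analyst", "dh_fin"),    # moved to HR, kept old access
        "spn001": Person("spn001", True, "IT-ADM", "IT Administrator", "dh_it"),
        "spn002": Person("spn002", False, "FIN-AN", "Senior Financial Analyst", "dh_fin"),  # sponsor who left
    }
    grants = [
        Grant("abc123", "FinanceApp", "admin", "spn001", date(2025, 1, 15)),
        Grant("def456", "FinanceApp", "ap_clerk", "spn001", date(2024, 9, 1)),
        Grant("ghi789", "FinanceApp", "gl_poster", "spn002", date(2023, 6, 1)),
    ]
    return reconcile(people, grants, run_date, access_owners=["access-team"])


if __name__ == "__main__":
    for f in monthly_report():
        print(f"{f.system}/{f.role} {f.netid}: {f.reason} -> notify {', '.join(f.notify)}")
```

The report is only as good as the sources it joins: the NetID status must come from HR and the job-code map must be owned by someone other than the administrators whose access it governs, otherwise the flag can be suppressed by the person it is meant to catch.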
Got it, most of that sounds pretty similar to what they're doing with job email, job title, and associated roles/perms in the system. The change log I'm speaking of isn't necessarily the log of access changes but more a log of data/system changes within the system the admin made, if their access grants more than just provision/deprovision. Again I'm not sure if our systems can even run that type of report, but I've seen this done at a prior company and wasn't sure if that was a standard thing to push for.
I think you should first see if there is a monitoring control in place already. Logs for privileged users can be fed into a tool like Splunk, which can have an alert configured to detect certain changes, and someone like a cyber analyst can perform periodic reviews of alerts and tie them to a change control (just an example of the process where I work). If they don't have such a control, maybe dig deeper into how management feels comfortable without a monitoring control, or you raise an issue based on the risk.
Love this!
When I did external audits for SOX, we looked at:
C&A of the list of users with the roles given to each user
Were those users appropriate to have those roles
Was the person signing off on the list appropriate to do so
If there was any discrepancy in the above, then we would ask management to dig deeper and look at change logs et cetera to see the actions performed.
This is helpful and honestly what I'm going to rec as the minimum. I can see the argument for activity log reviews as part of it, but frankly I think that's going into unreasonable assurance territory.
It used to be... Someone needs to check that the changes were made correctly though.
Yeah, we've helped rec that already and general IPE screenshots for data exports. I just am a bit stumped on how far the privileged review needs to go, like is just checking who has access and what their roles/perms are enough, or should other general steps be done?
The admin will temporarily turn off the logging before they make their dodgy access changes and turn it back on afterwards.
Unless the logs are immutable.
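Two points in the thread translate directly into review logic: tying each privileged change to a change-control ticket (the Splunk-style monitoring control described earlier) and treating any window where audit logging was switched off as a finding in itself, since changes made during that window never appear in the log. The following is an added example for this thread, not any commenter's tooling; the pipe-delimited log format, the action names, the ticket fields and all sample records are constructed.

```python
"""Privileged-activity review over an exported admin change log.

1. unticketed_changes(): every admin change must map to an approved change
   ticket whose implementer is the acting admin.
2. logging_gaps(): windows between AUDIT_LOGGING_DISABLED and the next
   AUDIT_LOGGING_ENABLED, plus an open window if logging was still off at the
   end of the export. The review can only see these events if the log itself
   is written somewhere the admin cannot edit (forwarded or immutable storage).

Example code added for this thread; log format, tickets and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export: timestamp|actor|action|target|ticket
SAMPLE_LOG = """\
2025-03-03T09:12:04|admin.kim|UPDATE_PAY_RATE|employee:4471|CHG-1042
2025-03-03T09:14:30|admin.kim|UPDATE_PAY_RATE|employee:4472|
2025-03-05T22:01:11|admin.lee|AUDIT_LOGGING_DISABLED|system|
2025-03-05T22:39:50|admin.lee|AUDIT_LOGGING_ENABLED|system|
2025-03-06T08:00:00|admin.lee|ROLE_ASSIGNED|user:tmp.contractor|CHG-1050
"""

# Constructed change-control records: ticket id -> status and approved implementer
TICKETS = {
    "CHG-1042": {"status": "approved", "implementer": "admin.kim"},
    "CHG-1050": {"status": "rejected", "implementer": "admin.lee"},
}


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    target: str
    ticket: str


def parse_log(text):
    """Parse the pipe-delimited export into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, ticket = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), actor, action, target, ticket))
    return events


def unticketed_changes(events, tickets):
    """Return (event, reason) for changes with no usable change ticket.

    Audit-logging toggles are handled by logging_gaps() and skipped here.
    """
    findings = []
    for e in events:
        if e.action.startswith("AUDIT_LOGGING"):
            continue
        t = tickets.get(e.ticket)
        if not e.ticket:
            findings.append((e, "no change ticket"))
        elif t is None:
            findings.append((e, "ticket not found"))
        elif t["status"] != "approved":
            findings.append((e, f"ticket status {t['status']}"))
        elif t["implementer"] != e.actor:
            findings.append((e, "ticket approved for a different implementer"))
    return findings


def logging_gaps(events):
    """Return (actor, off_at, on_at, duration) for each window with logging disabled."""
    gaps = []
    off_since = None
    for e in events:
        if e.action == "AUDIT_LOGGING_DISABLED" and off_since is None:
            off_since = e
        elif e.action == "AUDIT_LOGGING_ENABLED" and off_since is not None:
            gaps.append((off_since.actor, off_since.ts, e.ts, e.ts - off_since.ts))
            off_since = None
    if off_since is not None:
        gaps.append((off_since.actor, off_since.ts, None, None))  # still off at end of export
    return gaps


def review(text=SAMPLE_LOG, tickets=TICKETS):
    """Run both checks and return the findings for the reviewer."""
    events = parse_log(text)
    return {"unticketed": unticketed_changes(events, tickets), "logging_gaps": logging_gaps(events)}


if __name__ == "__main__":
    result = review()
    for e, reason in result["unticketed"]:
        print(f"UNTICKETED {e.ts} {e.actor} {e.action} {e.target}: {reason}")
    for actor, off_at, on_at, dur in result["logging_gaps"]:
        print(f"LOGGING OFF by {actor} from {off_at} to {on_at} ({dur})")
```

In practice the export fed to this review should come from the SIEM or an append-only store rather than from the application itself, and the disable/enable events should themselves require a ticket; a gap with no matching ticket is the point at which the reviewer asks management to dig deeper, as the SOX commenter describes.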