Access Management is now one of the highest security controls
How you manage access roles to networks and Enterprise Systems provides some of the highest security controls to prevent cyberattacks, fraud, waste, and abuse of Commonwealth resources. Don’t just rely on your Department Security Officer to manage access. IT staff, CFOs, Payroll/HR, Legal and Audit staff should be reviewing overall access and risks. Access management is now a routine part of IT and operational audits. Take this time to review your access management process.
Action Steps – Top 5 Access Management reminders:
- Least privilege – limit access only as needed for job duties.
- Ensure staff have additional internal controls for roles accessing confidential data.
- Segregation of duties – restrict overly broad access to prevent fraud and/or misuse of assets.
- Authenticate users “personally” prior to a password reset (not just through email/chat).
- Offboarding Staff – ensure that enterprise system access is deactivated within 24 hours of transfer, retirement, termination or extended leave (more than 90 days).
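As an added illustration (not CTR's own tooling or data), the last two reminders can be turned into a routine reconciliation check: compare an HR event feed against the enterprise account directory and flag accounts still active past the 24-hour deactivation window (or past 90 days of leave), plus accounts holding role combinations that break segregation of duties. The HR events, accounts and the conflicting role pair below are constructed sample data.

```python
from datetime import datetime, timedelta

DEACTIVATION_GRACE = timedelta(hours=24)   # deactivate within 24 hours of the event
EXTENDED_LEAVE = timedelta(days=90)        # leave longer than 90 days counts as extended
SEPARATION_EVENTS = {"transfer", "retirement", "termination"}
REVIEW_TIME = datetime(2024, 4, 10, 9, 0)  # when this review is run (constructed)

# Constructed sample HR feed and account directory, not from any real system.
HR_EVENTS = [
    {"user": "asmith", "event": "termination", "effective": "2024-03-01T09:00"},
    {"user": "bjones", "event": "leave", "effective": "2024-01-02T00:00"},
    {"user": "cwu", "event": "transfer", "effective": "2024-04-09T17:00"},
    {"user": "dlee", "event": "leave", "effective": "2024-03-20T00:00"},
]
ACCOUNTS = {
    "asmith": {"active": True, "roles": ["payroll_entry"]},
    "bjones": {"active": True, "roles": ["vendor_create", "payment_approve"]},
    "cwu": {"active": False, "roles": ["ap_clerk"]},
    "dlee": {"active": True, "roles": ["ap_clerk", "payment_approve"]},
    "efox": {"active": True, "roles": ["vendor_create", "payment_approve"]},
}
# Hypothetical role pairs that one person should never hold at the same time.
SOD_CONFLICTS = [("vendor_create", "payment_approve")]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def overdue_deactivations(events, accounts, now):
    """Return (user, reason) for accounts still active past the deactivation deadline."""
    findings = []
    for ev in events:
        acct = accounts.get(ev["user"])
        if not acct or not acct["active"]:
            continue                      # unknown or already deactivated: nothing to flag
        elapsed = now - parse(ev["effective"])
        if ev["event"] in SEPARATION_EVENTS and elapsed > DEACTIVATION_GRACE:
            findings.append((ev["user"], f"{ev['event']} {elapsed.days}d ago, still active"))
        elif ev["event"] == "leave" and elapsed > EXTENDED_LEAVE + DEACTIVATION_GRACE:
            findings.append((ev["user"], f"on leave {elapsed.days}d, still active"))
    return findings


def sod_violations(accounts, conflicts=SOD_CONFLICTS):
    """Return (user, pair) where an active account holds both roles of a conflicting pair."""
    return [(u, pair) for u, a in accounts.items() if a["active"]
            for pair in conflicts if set(pair) <= set(a["roles"])]


if __name__ == "__main__":
    for f in overdue_deactivations(HR_EVENTS, ACCOUNTS, REVIEW_TIME):
        print("OVERDUE:", *f)
    for f in sod_violations(ACCOUNTS):
        print("SOD:", *f)
```

Run against real exports, the two lists are the items an auditor will ask about first: the terminated or long-absent users who still have access, and the users who can both create and approve.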
See our CTR Cyber page for more cybersecurity internal controls and contact [email protected] with any incidents or suspected incidents of fraud or cyber threats or if you need support from our Statewide Risk Management Team.