Access Management

  • Access Management in general is an important topic for your ISMS. Not being in control of software access can easily cause incidents that turn into data breaches.

    You will have to be in control of different types of access:

    • Access to the office location – addressed in Policies & Procedures / HR Rules
    • Access to hardware (e.g. laptops) – addressed in Policies & Procedures / HW Asset Rules
    • Access to software – addressed in this section
    • Access to documentation storage – addressed in this section
    • Access to data – addressed in the Data Classification section

    With respect to Software Access, the high-level requirements are:

    • Having an overview of all software used by your organization
    • Defining a policy on how you organize access
    • Assigning an administrator for every software tool, and describing roles and responsibilities in the Access Management Policy
      • Software Access needs to be closely aligned with your Supplier Overview, as all of your software is – by default – classified as a supplier. So start with the Supplier Overview and copy the names of the suppliers that provide software as a product into this section. Make sure you use exactly the same name.

      • By using this section you will find out that, next to your own team (internal access), some suppliers will also have access (external access). You might need to go back to the Supplier Overview and tick the box ‘Is part of Software Access’ in the General tab of the supplier. Once the box is ticked, this supplier will appear in the overview of external access when you use the Edit button.

      • We advise you to include your supplier for documentation storage in this overview. That can be Google Drive, MS Office, Dropbox, or your own server environment. In this case, choose the profile ‘Documentation Storage’. By using this profile you will be able to document who has access to specific folders.

      • The external auditor needs to see how you organize confidential documents in your organization. We advise you to state in your Access Management Policy that sharing information (including documents) is organized on a need-to-know basis and that this is organized in access management.

      • You can start simple with 2 (two) main folders: Management and Operations. All confidential information is placed in the Management folder with limited access. Everything else is organized in Operations, with access for the entire team. When you scale your organization, you change the folders and access in Operations by assigning certain information to specific teams. Before you create a complex tree with access rights in Operations, think first whether this is really needed.

      • It is our experience that when startups scale, they also organize specific (confidential) information in tooling available to a limited set of team members, e.g. customer processes embedded in helpdesk tooling, or in a wiki for dedicated teams (GitLab wiki, Confluence).

      • Admins need to use an admin account while performing admin activities and a different user account when working with the tool. That might be a challenge for some startups, e.g. when you are using an expensive tool and can only afford 1 user license. That can happen, especially in the early stage. Unfortunately, that will be classified as a non-conformity, as it is a potential security risk.

      • It is our experience that external auditors accept this during the first year of your certification. However, you will need to have some evidence in place to prove that you are aware of this issue and know the risks, that the tool is important for your business (or security), and that C-level accepts the risk.

      • Our suggestion is that in this case you already make a note in the risk assessment for this supplier. It is not yet needed to perform an entire supplier assessment; just add notes about the single user account for multiple users and the reason why in the field [define residual risk] of the Supplier Assessment, and you can add to the field [suggest Improvements] ‘next year we will reconsider the subscription fee’, or any other improvement that you want to add.

      • If more team members are assigned the admin role for 1 tool: in Compleye Online, you can use the ‘add new field’ functionality and add an extra field. Once in use, this field will be visible for all other tools as well.

      • Selecting who has access is easy: it is divided into 2 tabs, Internal and External, and ticking the boxes should be easy. If you miss team members, you probably have not added them to the People section (link to People@). If you miss suppliers, you will need to tick the box “Is part of Software Access” in the General tab of the Supplier Overview.

      • When a supplier has access, we suggest you create an extra field by using ‘add a new field’ and choosing a Text field (e.g. name the field Remarks). Add to Remarks some notes, e.g. how many users of the supplier have access, whether you have guidelines for this (either in the supplier assessment or in supplier management policies), and the name and email address of the contact person at the supplier. This will come in handy during security controls related to Access Management.

      • Add the Access Management Policy, once defined and approved, to the Procedure/Info feature. Write notes for your team members.

      • It is possible to perform a quick search, e.g. to see which tooling a particular team member has access to. In this case, use the search filters. You can add the name of the team member in the selection filter.

      • This quick search is handy e.g. when a team member leaves the company and you want to close all access to tooling in 1 day.

      • Activity logs of this section can be used for Security Controls, as evidence of performing control activities.
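The offboarding quick search and the internal/external split described above, as an added example that is not part of Compleye Online or this page: a small Python model of the register using the page's field names (Software Tool, Profile, Admin, Internal Access, External Access), with constructed sample rows, people and a made-up supplier name.

```python
from dataclasses import dataclass, field

# Added example, not Compleye Online code: a minimal model of the Software Access
# register with the two queries the text describes (offboarding a leaver, and
# what a supplier can reach) plus a consistency check for the register itself.


@dataclass
class SoftwareAccess:
    """One row of the register: tool, profile, admin, internal and external access."""
    software_tool: str
    profile: str
    admin: str
    internal_access: set = field(default_factory=set)  # team members (People section)
    external_access: set = field(default_factory=set)  # suppliers ticked 'Is part of Software Access'


# Constructed sample register; tools, people and the supplier name are made up.
REGISTER = [
    SoftwareAccess("Compleye Online", "Compliance Tool", "alice", {"alice", "bob", "carol"}),
    SoftwareAccess("Google Drive", "Documentation Storage", "bob", {"alice", "bob", "carol"}, {"Acme Support BV"}),
    SoftwareAccess("Helpdesk tool", "Support Desk Tool", "carol", {"carol"}, {"Acme Support BV"}),
    SoftwareAccess("Billing tool", "Business Services", "dave", {"alice"}),  # admin not in internal access
]


def offboarding_checklist(register, leaver):
    """Tools to revoke for a leaver, plus tools where the leaver is the designated
    admin, so a new admin must be assigned before the account is closed."""
    revoke = sorted(r.software_tool for r in register if leaver in r.internal_access)
    reassign_admin = sorted(r.software_tool for r in register if r.admin == leaver)
    return {"revoke": revoke, "reassign_admin": reassign_admin}


def tools_for_supplier(register, supplier):
    """External-access quick search: every tool a supplier has been granted access to."""
    return sorted(r.software_tool for r in register if supplier in r.external_access)


def register_issues(register):
    """Rows that would not survive an access control check: the designated admin
    is not listed under internal access, so the register is inconsistent."""
    return sorted(r.software_tool for r in register if r.admin not in r.internal_access)


if __name__ == "__main__":
    print(offboarding_checklist(REGISTER, "bob"))
    print(tools_for_supplier(REGISTER, "Acme Support BV"))
    print(register_issues(REGISTER))
```

Running the offboarding query for each leaver, and the consistency check before each security control, gives the evidence the auditor asks for without hand-searching every tool.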
Field Name | Values | Explanation / Example
Software Tool | Describe the software tool in free text. | Compleye Online
Profile | Choose a profile from the drop-down menu. Options: Business Services, Cloud Provider, MarCom, Office Tool, Project Management Tool, Third-Party Data Provider, Documentation Storage, Installers, Support Desk Tool, Security Support, Other. If you choose Other, you add a new profile. | Compliance Tool
Admin | Choose the administrator from the drop-down menu. | Choose a team member who is either admin or who will be responsible for access management.
Internal Access | Select names via the checkboxes. | Choose team members who will have access.
External Access | Select names via the checkboxes. | Choose suppliers who will have access.