IT systems today can process and store a wide variety of information and provide access to it to a large number of users. It is not unusual for a system in a large organization to contain some information that must be accessible to all users, some that is needed by several groups or departments, as well as some that should be accessed by only a few individuals. Having information reside centrally on a system used by everyone contributes to cost effective and efficient information sharing and processing. Information residing on a system that is accessed by many users, however, can also create problems.
A significant concern is ensuring that users have access to information that they need but do not have inappropriate access to information that is sensitive. It is also important to ensure that certain items, though readable by many users, can only be changed by a few.
Logical (or user) access controls are a means of addressing these problems. Logical access controls are protection mechanisms that limit users’ access to information and restrict their forms of access on the system to only what is appropriate for them.
Logical access controls are often built into the operating system, or may be part of the “logic” of applications programs or major utilities, such as Database Management Systems. They may also be implemented in add-on security packages that are installed into an operating system; such packages are available for a variety of systems, including PCs and mainframes.
Additionally, logical access controls may be present in specialized components that regulate communications between computers and networks. (Source: NIST.gov)
Important considerations with respect to the user provisioning process are:
- Is a well-defined process in place to manage the Requesting, Approving and Granting (RAG) of logical and physical access to IT (ITSE) and Business Resources?
- How is the Changing and Deleting (CD) of logical and physical access to IT (ITSE) and Business Resources managed?
In addition, do your internal or external auditors consider the following while listening, learning and advising you?
- How is the user population defined for each access to the ITSE – Network, OS, DB and Application environments?
- Does the user population include employees, contractors, vendors, etc.?
- What level of emphasis is given to privileged access to systems and applications?
- Are all terminated staff promptly removed from, or disabled in, system access?
- Does the terminated-user sample testing take into account that not all of the terminated population would have had access to some or all of the IT structural environments?
- Do the RAG and CD processes suffer from any segregation-of-duties violations, and how are those violations mitigated?
- Has a periodic review of the user provisioning process been conducted and approved by management?
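The questions above can be turned into repeatable checks over the organisation's provisioning records. The script below is an added example, not part of the original article or any NIST publication: it runs three of the checks (segregation of duties between the RAG roles, terminated users whose access is still enabled, and per-layer coverage so that terminated-user sample testing only expects removal from layers the user actually held) plus a summary of enabled privileged access. All records, user names and the field names of the `AccessRecord` structure are constructed assumptions about how a RAG/CD register might be kept.

```python
"""Sample user-provisioning audit checks (added example, not the article's
own code). All records below are constructed sample data; the field names
(requested_by, approved_by, granted_by, privileged, enabled) are assumptions
about how an organisation might keep its RAG/CD register."""

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessRecord:
    """One granted access on an ITSE layer (network, OS, DB or application)."""
    user: str
    layer: str          # "network", "os", "db" or "application"
    resource: str
    requested_by: str   # who requested the access (R)
    approved_by: str    # who approved it (A)
    granted_by: str     # who actually provisioned it (G)
    privileged: bool
    enabled: bool


# Constructed sample provisioning records (hypothetical users and systems).
ACCESS_RECORDS = [
    AccessRecord("alice", "application", "payroll-app", "mgr1", "mgr2", "itops1", False, True),
    AccessRecord("bob", "db", "hr-db", "bob", "bob", "itops1", True, True),            # self-approved
    AccessRecord("carol", "os", "fileserver01", "mgr1", "mgr2", "mgr2", False, True),  # approver also granted
    AccessRecord("dave", "network", "vpn", "mgr1", "mgr2", "itops2", False, True),     # terminated, still enabled
    AccessRecord("erin", "application", "crm", "mgr3", "mgr2", "itops2", False, False),  # terminated, disabled
]

# Constructed HR termination list: user -> termination date.
TERMINATED = {"dave": date(2024, 1, 15), "erin": date(2024, 2, 1)}


def sod_violations(records):
    """Return (user, resource, reason) where one person filled more than one
    of the Requesting / Approving / Granting roles for the same access."""
    findings = []
    for r in records:
        roles = {"requested": r.requested_by, "approved": r.approved_by, "granted": r.granted_by}
        seen = {}  # person -> first role they held on this record
        for role, person in roles.items():
            if person in seen:
                findings.append((r.user, r.resource, f"{person} both {seen[person]} and {role}"))
            else:
                seen[person] = role
    return findings


def terminated_with_active_access(records, terminated, as_of):
    """Return (user, layer, resource, days_open) for terminated users whose
    access is still enabled; days_open counts from termination to as_of."""
    findings = []
    for r in records:
        if r.enabled and r.user in terminated:
            days_open = (as_of - terminated[r.user]).days
            findings.append((r.user, r.layer, r.resource, days_open))
    return findings


def termination_coverage(records, terminated):
    """Map each terminated user to the ITSE layers they ever held access on,
    so sample testing only expects removal where access actually existed."""
    coverage = {user: set() for user in terminated}
    for r in records:
        if r.user in coverage:
            coverage[r.user].add(r.layer)
    return coverage


def privileged_access_by_user(records):
    """Enabled privileged accesses grouped by user, for the privileged-access review."""
    out = {}
    for r in records:
        if r.privileged and r.enabled:
            out.setdefault(r.user, []).append((r.layer, r.resource))
    return out


def run_audit(records, terminated, as_of):
    """Run all checks and return the findings keyed by check name."""
    return {
        "sod": sod_violations(records),
        "termed_active": terminated_with_active_access(records, terminated, as_of),
        "termed_coverage": termination_coverage(records, terminated),
        "privileged": privileged_access_by_user(records),
    }


if __name__ == "__main__":
    for check, findings in run_audit(ACCESS_RECORDS, TERMINATED, date(2024, 3, 1)).items():
        print(check, findings)
```

In practice the records would be pulled from the identity system and the HR feed rather than hard-coded; the point of `termination_coverage` is that a terminated user who never had a database account is not a removal failure on the DB layer, which is the caveat the sample-testing question raises.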