Risk Topics

the problem of entitlements


Virtually every organization has the problem of managing IT asset entitlements. Each entitlement is the grant of access rights to a specific person, on a specific asset. Tracking entitlements answers questions such as:

It can get complicated fast, especially if you're in any way answerable to an auditor, who'll insist that all entitlements be justified by the assignment of a defined role to person with the grants. They'll tie in concepts such as "least privileges" and "segregation of duties" in the approval, custody, and accounting functions. And they're right; if you're going to start dealing with the above questions in a consistent fashion, you'll need to tackle all of that.

And the risks are real. Listing a few of what I like to call "loss scenarios" in this space, you get a sense of the scope of the problem:

  1. Entitlements are not managed. Inappropriate access is granted to physical and IT assets. Outcomes can include: money and intellectual property is misappropriated, damaging communications are sent from named accounts, embarrassing internal communications are distributed outside the organization, or the office and/or its contents are vandalized.
  2. Inappropriate parties are responsible for system access oversight. The parties named are not actively involved with monitoring system access or do not have the appropriate skills. Entitlements are not managed (see #1).
  3. Personnel are handicapped in their roles by unnecessary restrictions on asset entitlements. Countless negative potential outcomes, including loss of personnel.
  4. Entitlements to production systems are not reviewed. Former or other unauthorized personnel retain entitlements on assets – and/or – unused accounts remain active. Assets are compromised. Outcomes as stated in scenario #1 above.

The answer, I've decided, is two part:

  1. Get a simple register together that records all the assets in the organization, and all of the people. The crux is the intersecting list that shows the entitlements granted to a specific person on a specific asset, at the time the grant was made.
  2. Ensure that the book of record (typically HR) is communicating the changes to the parties with custody (IT), and that a third party (an Entitlements manager, for want of a better word) is recording the changes.

This will accomplish a number of things, including:

The register's not hard to get right; it can be managed in a three page Excel spreadsheet. If you know what you're doing, a simple pivot table or two can do all of the heavy lifting on report generation.

This leaves one substantial gap. The roles.

I've decided that they're a superfluous distraction with little bearing on the high-pace environment in which we now work. Who wants to, for instance, keep a client waiting when someone needs access but their "on paper" role doesn't jibe with the entitlement you want to grant? I've found that unless an entitlement is obviously well outside of the grantee's role or skill set, it won't be challenged by an auditor. No one else will even think of looking for a documented reason for a grant; the reason for the grants will be obvious.

© 2013 - 2019 werneburg information risk management inc.