The pandemic has triggered a wave of identity and access management (IAM) challenges as businesses internally restructure, onboard specialized skillsets or face financial pressures to make redundancies. What questions do you need to ask to ensure security and privacy remain part of the IAM lifecycle?
Industries experiencing huge demand have an incentive to expedite onboarding processes for new joiners, while others are doing the same for specialist skillsets they desperately need.
Meanwhile, organizations are diverting personnel and resources to meet the shifting demand. And as we move through the extended impact, some organizations will face the prospect of furloughing staff or letting go of them entirely.
Maintaining security and privacy is critical during this time. Here are some questions that may help you assess how prepared you are to deliver compliance.
Considerations for new joiners
- How is your HR team coping with remote working? Do they have the privacy to process applicant data and conduct interviews remotely from their homes?
- How are HR teams handling and disposing of physical applicant identification data, e.g. copies of passports or academic certificates?
- Where portals for new applicants have been set up to process emergency demand, have security and privacy teams reviewed them?
- Is your HR team having to rush through academic and employment history checks?
- Does your HR team rely on a third party provider to conduct criminal background and sanctions checks? Is the provider meeting SLAs? Do you have arrangements in place to use another provider should the current contract fail to deliver on SLAs?
- For third party managed services and contractors, can you rely on the background checks of external organizations under similar strains?
- How are contractor onboarding processes being managed? Is there a consolidated database of new vendor services and personnel to manage the lifecycle during high demand and downturn?
- How are developers given access during this time, and how are they being provisioned with appropriately restricted hardware?
- Are any activities being performed retroactively to cope with demand, i.e. after new joiners have started? Have you worked with the business to define the risk appetite for these activities?
- Are new joiners appropriately trained in security and privacy hygiene, or are they being rushed to start work?
- Is approval always sought and gained before granting employees access to systems? Do you have backups for approvers in case primaries fall ill?
- How is training being delivered for new employees during remote working? Is it as effective, and are you tracking its delivery?
- How is hardware securely provisioned and set up for new joiners who start during this period?
- How is physical access to the office (where required) arranged, in terms of the provisioning of access IDs? Does it need to be arranged at all, given current remote working arrangements?
- Where two-factor authentication, in the form of a physical token, is required to perform the role, how are these securely provisioned?
- For public sector organizations and charities, how are volunteers being checked, trained and onboarded during remote working?
Considerations for movers
- How are access changes managed for employees moving teams or performing temporary roles? Are old access rights being retained, given that the move may be temporary? Are these instances being logged?
- Where employees are assigned the access rights and privileges of multiple roles to enable them to perform various tasks, how is the risk of toxic access combinations managed?
- Where employee privileges are elevated to cover for senior staff temporarily, how are toxic access combinations avoided?
- For employees moving over international boundaries due to COVID-19 travel restrictions, how is their access to the network managed? Has the security team verified that their IP addresses are not being geo-filtered out by the network firewall?
- Are moving staff receiving appropriate security and privacy training for their new roles?
- For employees that have temporarily changed offices due to closures or proximity for essential work, how is their access to their old office being treated?
Considerations for leavers
- How is HR coping with the number of leavers? Are they able to revoke access for employees promptly? Where revocation of access is slow due to volume, what process modifications are within the risk appetite of the business to allow the process to move faster?
- Where employees are dismissed on bad terms, is there a process to ensure removal of access immediately and completely?
- For employees on a long leave of absence due to furlough or pandemic-related domestic challenges, are their access rights temporarily revoked?
- How is the return of hardware assets such as laptops, mobile devices, access cards and physical tokens performed? Who is checking the completeness of the hardware returned, and how?
- How are security teams arranging access to the office space to allow former employees to collect belongings?
- Are HR teams able to handle subject access and erasure requests from current or former employees?
- How is the security team managing the risk of former employees keeping physical data and company assets (which they may have printed during remote working) in their homes?
Governing your IAM processes
- Are access provisioning, modification and revocation processes being appropriately managed through an identity governance system? Are business units going around the system to meet business needs?
- How is your security team performing access, entitlement and activity reviews during this time? Do they have access to relevant reports and systems?
- Do access review processes require modification for movers with temporary assignments? Have automated access removal scripts been modified appropriately?
- Are exceptions from access and entitlement reviews appropriately followed up and investigated? Does your team have the capacity to keep to schedule?
- Are reporting systems configured to include new assets and recent joiners, and are automated scripts configured to operate during remote working?
- Are access risks being logged, escalated and regularly reported during the pandemic? Are changes to standard joiners/movers/leavers processes being logged for later review?
- How are you tracking lessons learned during this period? Are there opportunities for automation of access processes, which may reduce dependence on your security team and speed up IAM activities?
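The movers questions above (retained access rights, toxic combinations from temporary role assignments) and the governance question about automated removal scripts come down to two checks an access review can run over the entitlement data. The following is an added example, not part of the original article: the roles, toxic pairs and grant dates are constructed, and the structure of the entitlement records is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Grant:
    """One entitlement held by a user. A temporary move or cover assignment
    carries an expiry date; a permanent grant has none. (Assumed record shape.)"""
    user: str
    role: str
    expires: Optional[date] = None
    reason: str = ""

# Toxic (segregation-of-duties) pairs: holding both roles lets one person both
# initiate and approve a sensitive action. Constructed example policy.
TOXIC_PAIRS = {
    frozenset({"payments_create", "payments_approve"}),
    frozenset({"hr_admin", "payroll_run"}),
}

# Constructed sample entitlements, including temporary cover and a secondment.
GRANTS = [
    Grant("alice", "payments_create"),
    Grant("alice", "payments_approve", date(2020, 6, 30), "cover for manager"),
    Grant("bob", "hr_admin"),
    Grant("bob", "payroll_run", date(2020, 4, 15), "temporary move"),
    Grant("carol", "dev_prod_deploy", date(2020, 5, 1), "secondment"),
]

def toxic_combinations(grants: List[Grant], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every toxic pair a user holds on `today`.
    Only grants that are still live are counted, so a temporary elevation that
    has not yet expired is caught, and an expired one is not."""
    live = {}
    for g in grants:
        if g.expires is None or g.expires >= today:
            live.setdefault(g.user, set()).add(g.role)
    hits = []
    for user, roles in sorted(live.items()):
        for pair in TOXIC_PAIRS:
            if pair <= roles:
                hits.append((user, *sorted(pair)))
    return hits

def expired_grants(grants: List[Grant], today: date) -> List[Grant]:
    """Temporary grants past their expiry: the revocation list an automated
    removal job must act on so movers keep nothing beyond the assignment."""
    return [g for g in grants if g.expires is not None and g.expires < today]
```

Logging each hit and each revocation (user, role, reason, date) gives the record the governance questions ask for when the review is later audited.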
If you have any questions or would like additional advice, please contact us.