CTPAT Breakdown: 4.7

Item 4.7

User access must be restricted based on job description or assigned duties. Authorized access must be reviewed on a regular basis to ensure access to sensitive systems is based on job requirements. Computer and network access must be removed upon employee separation.

This is another management item that requires reporting from IT staff.

Management needs to set access rights for each job description or duty. IT needs to be able to generate a list of users and their access rights. Management needs to review the users and the access rights.

Management needs to ensure access rights are revoked when users are no longer employed.


If using Active Directory, LDAP, or some other centralized access control system, the IT staff needs to be able to generate a list of user accounts with their status and access rights. Each centralized access control system should have the ability to list accounts. SolarWinds has an Active Directory Monitoring program, and Active Directory accounts and their status can be listed with PowerShell scripts.
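One way to produce that list for Active Directory, as an added example that is not part of the original post: it writes one row per account with status, job title and direct group memberships, and flags enabled accounts that belong to separated employees. The `$separated` names, the 90-day threshold and the output file name are assumptions made for the example.

```powershell
# Added example: access-review report for Item 4.7 (not from the original post).
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: HR supplies the logon names of separated employees.
# The two names below are constructed placeholders.
$separated = @('jdoe', 'asmith')
# Assumption: 90 days without a logon marks an enabled account for review.
# LastLogonDate is replicated with a lag of up to about two weeks.
$staleBefore = (Get-Date).AddDays(-90)

$groupNames = @{}   # cache: group distinguished name -> group name

$report = Get-ADUser -Filter * -Properties Title, Department, LastLogonDate, MemberOf |
    ForEach-Object {
        # MemberOf holds direct memberships only (no nested groups, no primary group).
        $groups = foreach ($dn in $_.MemberOf) {
            if (-not $groupNames.ContainsKey($dn)) {
                $groupNames[$dn] = (Get-ADGroup -Identity $dn).Name
            }
            $groupNames[$dn]
        }

        $flags = @()
        if ($_.Enabled -and ($separated -contains $_.SamAccountName)) {
            $flags += 'ENABLED_AFTER_SEPARATION'
        }
        if ($_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $staleBefore)) {
            $flags += 'NO_RECENT_LOGON'
        }

        [pscustomobject]@{
            Account    = $_.SamAccountName
            Name       = $_.Name
            Title      = $_.Title
            Department = $_.Department
            Enabled    = $_.Enabled
            LastLogon  = $_.LastLogonDate
            Groups     = ($groups | Sort-Object) -join '; '
            Flags      = $flags -join '; '
        }
    }

# Flagged rows first, then by account name, ready for management review and sign-off.
$report | Sort-Object @{ Expression = { $_.Flags -eq '' } }, Account |
    Export-Csv -Path .\access-review.csv -NoTypeInformation
```

The Title and Department columns let the reviewer compare each account's groups against the access rights management has set for that job description.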

Change Management needs to be implemented along with an audit record that is signed off by at least two (2) people, with the possibility of a third person signing off on verification of the changes.

The MoveItNow Suite has reports for listing user accounts and their access rights. Queries can be run to pull the audit records for these changes.
