Identity management is essential for operational effectiveness and for organizational strategy. However, not all business owners and managers realize the importance of adopting practices that facilitate logical access controls for the programs and business systems employees use in their routine work.
Logical access controls concept
The concept of logical access control management is aimed at centralizing, automating and auditing employees’ access permissions to company information. Its goal is to facilitate the control of accounts and communication between areas, in particular between the Human Resources and Information Technology sectors, which are directly involved in approving each employee’s access, and to promote actions that ensure compliance with laws and contribute to the organization’s information security.
According to a processes consultant, in an attempt to simplify things, many employees keep track of all of their access to systems, files, programs, etc., evidently unaware that this is a significant risk to the organization.
“With the way we access different channels every day, it is common that it is difficult to remember so much information, and so we record it all in online agendas or in the computer equipment itself, without realizing that this is a factor that endangers the security of the information we have access to. This can cause serious problems, since most organizations offer unlimited access to activities in which their employees are directly involved.”
Some organizations offer generic usernames and passwords to groups of employees, and this, as the consultant highlights, also represents a danger for companies regarding information security.
“When you offer user names and generic passwords to a particular group of employees, it’s difficult to identify who accesses what. This can be an aggravating factor when facing a problem such as users’ unauthorized access, for example.”
With the use of logical access controls such as the Lightweight Directory Access Protocol (LDAP), which is a protocol for updating and searching directories, organizations can manage identity effectively and efficiently, avoiding communication problems and administering access safely, with each employee using a single username and password to access all of the programs he or she needs to use.
“The most common tools of LDAP are OpenLDAP and Active Directory (AD), used as a means of controlling access of users, through which you can centralize and monitor all of the organization’s access permissions.”
This unique username and password is also known as ‘Single Sign-On (SSO)’.
“When a company adopts logical access controls, all employees have access to a ‘single sign-on,’ that is, a single user name and password to enter the system or program; it will automatically check in the LDAP if you have permission to access a particular program from the system. The tool allows access to all programs, folders, etc. You provide access to all user accounts with one account, centralizing all access. The programs are synchronized with LDAP.”
By automating and centralizing its employees’ access with a unique username and password, the organization gains many benefits, such as the optimization of time (since employees do not need to get in and out of various accounts). It also contributes to information security and facilitates the audit processes required by laws like Sarbanes-Oxley (SOX), which requires the use of logical access controls as an essential requirement for transparency in accountability, for example.
The importance of HR in access management
Access Management is very helpful in the processes of hiring, dismissal and also positional changes of an organization’s employees, facilitating the transfer of information and streamlining critical procedures for the proper conduct of business.
“When a company manages access, it manages to create an interface between the Human Resources department and the IT area and they collaborate for the effective exchange of information, in the execution speed of procedures involving the hiring of employees (account creation and granting access), resignations (account deletion and blocking access) and also positional / sector changes (changes in the granting of access). These actions usually need to be flagged and resolved when there isn’t integration between sectors.”
In this sense, companies that work guided by processes can better manage the information that directly affects logical access controls. In hiring, dismissal and employee positional change processes, the use of processes works to facilitate and speed up communication between HR and IT. Information is transferred automatically from process to process, and thus all actions and decisions that must be made are made in an organized and orderly manner, giving and blocking access to ensure information security, operational effectiveness, and organizational strategy.
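The hiring, dismissal and position-change handling described above amounts to reconciling what HR knows against what the directory grants. The following Python sketch is an added example, not code from the original article; the role policy, employee ids, account names and the `reconcile` function are all constructed for illustration.

```python
# Added example; every name, role and entitlement here is constructed sample data.
ROLE_ACCESS = {  # hypothetical policy: role -> programs that role may use
    "accountant": {"erp", "payroll"},
    "developer": {"git", "ci"},
    "hr_analyst": {"hris"},
}
HR_ROSTER = {  # HR export: employee id -> (status, current role)
    "e100": ("active", "accountant"),
    "e101": ("active", "developer"),      # recently moved from accountant
    "e102": ("terminated", "hr_analyst"),
    "e103": ("active", "hr_analyst"),     # new hire, no account yet
}
DIRECTORY = {  # directory export: account -> owner (None = generic), state, access
    "alice": {"owner": "e100", "enabled": True, "access": {"erp", "payroll"}},
    "bob": {"owner": "e101", "enabled": True, "access": {"erp", "git", "ci"}},
    "carol": {"owner": "e102", "enabled": True, "access": {"hris"}},
    "finance-team": {"owner": None, "enabled": True, "access": {"erp"}},
}

def reconcile(roster, directory, role_access):
    """Return (action, subject, detail) tuples that align the directory with HR."""
    actions, owned = [], set()
    for name, acct in sorted(directory.items()):
        owner = acct["owner"]
        if owner not in roster:
            # Generic or orphaned account: activity cannot be tied to one person.
            if acct["enabled"]:
                actions.append(("flag_unattributed", name, "no individual owner"))
            continue
        owned.add(owner)
        status, role = roster[owner]
        if status != "active":
            # Leaver: block access rather than leave a live account behind.
            if acct["enabled"]:
                actions.append(("disable_leaver", name, owner))
            continue
        expected = role_access.get(role, set())
        # Mover: strip access kept from the old role, add what the new one needs.
        actions += [("revoke", name, p) for p in sorted(acct["access"] - expected)]
        actions += [("grant", name, p) for p in sorted(expected - acct["access"])]
    for emp, (status, role) in sorted(roster.items()):
        if status == "active" and emp not in owned:
            actions.append(("create_account", emp, role))  # joiner
    return actions

if __name__ == "__main__":
    for action in reconcile(HR_ROSTER, DIRECTORY, ROLE_ACCESS):
        print(action)
```

Run on a schedule against real exports, the same comparison gives auditors a dated list of every account that did not match HR records and what was done about it.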