Monday, April 24, 2017

What does the IT principle demand?

Fortunately, IT managers in the United States do not have to rely solely on the statements of security product manufacturers. With its “IT Baseline Protection Catalogs”, the Bundesamt für Sicherheit in der Informationstechnik (BSI, Federal Office for Information Security) offers a foundation that IT leaders can rely on. Anyone wishing to go beyond the BSI's requirements can do so at any time; the baseline protection is at the same time something like the “least common denominator”.


If a user account is to be deactivated or deleted, the access authorization documentation must be used to check which permissions the account has in the IT environment and for which authentication processes it is required. For example, section M 2.371 of the baseline protection, on deactivating accounts, states: If a user account has to be deleted, the documentation must be used to check which access rights the user account has. Before you delete the account, you must check on which objects permissions (for example, file permissions) are set for it. After deletion, ensure that the account or its security identifier has been removed from the access control lists (ACLs).


The BSI therefore calls for documentation of the access rights and, at the same time, for a review of the measure by a suitable person, here the administrator. However, the system administrator must be given the means to do this. With built-in tools, such as those of Microsoft Windows, this is not so easy and requires additional documentation.
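For NTFS file permissions only, the before-and-after check described above can be scripted in PowerShell. This is an added example, not part of the original post or of the BSI catalogs; the function name `Get-AclEntryReport`, the folder path and the account name are hypothetical.

```powershell
# Added example: report explicit NTFS ACL entries that belong to one account
# (run before deletion) or whose SID no longer resolves (run after deletion).
function Get-AclEntryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,   # folder or share root to audit
        [string] $Account                        # optional, e.g. 'EXAMPLE\jdoe'
    )

    # Resolve the account to its SID while the name still exists.
    $targetSid = $null
    if ($Account) {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $targetSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Explicit entries only; inherited entries are corrected at the parent.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            $orphaned = $false
            # A SID that cannot be mapped to a name is left over from a deleted account.
            try { [void]$sid.Translate([System.Security.Principal.NTAccount]) }
            catch [System.Security.Principal.IdentityNotMappedException] { $orphaned = $true }

            if ($orphaned -or ($targetSid -and $sid.Value -eq $targetSid)) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Sid      = $sid.Value
                    Rights   = $rule.FileSystemRights
                    Type     = $rule.AccessControlType
                    Orphaned = $orphaned
                }
            }
        }
    }
}

# Constructed usage: document the rights before deletion, re-run without -Account afterwards.
# Get-AclEntryReport -Root 'D:\Shares\Projects' -Account 'EXAMPLE\jdoe' | Export-Csv .\jdoe-acl.csv -NoTypeInformation
```

The report covers file-system ACLs only; permissions held through group memberships, services or other systems still have to come from the access rights documentation.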


With regard to initiating the deletion or deactivation of accounts, the BSI names three responsible groups: the IT security officer, the head of IT, and the personnel department. The personnel department in particular should be involved in the process, which according to the BSI should be carried out by administrators or experts. Administrators rarely know when employees leave the company, so they cannot begin the decommissioning process at the appropriate time.
