Identifying possible threats in the access control system

In a typical environment, IT compliance is confined to configuration management, the firewall, the antivirus systems, and the vulnerability assessment. However, there is a difference between managing security configurations and vulnerabilities and managing access controls and data entitlements. Incidents can occur when a valid user can have access to the data that the user should not access.

Control Compliance Suite facilitates the monitoring of access rights in the organization. The Control Compliance Suite identifies false entitlements. The Entitlements view in the Control Compliance Suite lets you define the data a user is entitled to access. The Entitlements view also monitors whether the system adheres to the defined access controls.

Before you begin to monitor the entitlements of the control points, it is recommended that you review the basic concepts in entitlements management.

See Concepts in entitlements.

Table: Identifying threats in access control

Task

Description

Locating the potential control points in the asset system

Go to Manage > Assets > Asset system.

Consider the following to locate the potential control points in the asset system:

  • Control points are the data locations in the system at which the access permissions are granted and approved. Locate the type of assets that should be marked as control points. You can decide the potential control points based on the Confidentiality, Integrity, and Availability values of the assets or any other criteria.

    For example:

    You might want to frequently review the permissions granted to the assets that belong to the Finance department. In this case, consider the creation of a tag, Finance for a set of assets so that you can easily locate the potential control points.

  • You cannot mark the Windows machines and the UNIX Machines assets as control points.

See Control points.

Mark the assets as control points

Go to Manage > Assets > Asset System > Global Tasks > Mark as Control Point.

Consider the following to mark the assets as control points:

  • After you locate the assets as potential control points, you can mark the assets as control points.

  • After you mark the assets as control points, they are available for monitoring of entitlements in the Manage > Entitlements view.

See Marking an asset as a control point.

Create Review Cycle Setting

Go to Manage > Entitlements > Review Cycle Settings.

Consider the following to create a review cycle setting:

  • You must have the Entitlements Administrator role to create a review cycle setting.

    See Predefined roles.

  • Create a review cycle setting to monitor the control points over a specific time period.

    See Review cycle setting.

  • You can create a Recurring or a Non-recurring review cycle.

See Creating a review cycle setting.

Configure the control point

Go to Manage > Entitlements > Control Points.

Consider the following to configure the control points:

  • You must have the Entitlements Administrator role to configure control points.

    See Predefined roles.

  • You configure the control point to associate a data owner and a review cycle to the control point.

    See Configuring control points.

Monitor the control point status throughout the review cycle

Go to Manage > Entitlements > Control Points

Before you begin monitoring the control points in the review cycle, it is recommended that you understand the various control point states.

See About the control point status.

Perform the following tasks in the given order as an Entitlements Administrator:

The control points are then approved by the data owners or the data owners request changes in the control point entitlements.

To know more about the entire approval workflow visit the following link:

See About the entitlements system workflow.

Generate entitlements report

Go to Reporting > Report Templates

You can generate the following types of entitlements reports:

  • Entitlement changes report

  • Trustee report

  • Effective permissions report

  • Simple permissions report

See Predefined report and dashboard descriptions.