Monitoring, Access Reviews, and Reporting

In this video, you will learn about monitoring processes, access reviews, and reporting processes.
And we also need to monitor all of our processes. We need to make sure that we understand what we’re checking. Do we perform sample checking? Or do we monitor, in detail, all of our requests? And this may change depending on the type of account. Again, for privileged use, we may want more monitoring. Who’s undertaking the checks? Who’s responsible for them? How often do they occur? We need to define this as a process. Ideally, we want an objective party. This could be audit, IT, or a third party. The frequency of any checks, of any monitoring, should be linked to privilege levels and also to the risk. What kind of information are we protecting? How at risk is that information?
So for perimeter or internet-facing services, again, we may want high levels of monitoring. The process should specify what monitoring processes are included, how we undertake those processes. And also we can check for things like weak passwords on a semi-regular basis. Microsoft offer a free set of scripts that you can use to do this. So we can also use processes to help identify standard passwords as well.
Access reviews are recommended as a process. So these can be a point-in-time check, and they can look at individual roles or identities. So we could take an example user and look at all the different permissions they have and how they’re being used and whether they’re appropriate. Or we could look at all domain administrators, for example. So we want to look for active accounts that should not be being used, accounts that have been left dormant, and accounts that potentially have high levels of privilege. So sample checking of deprovisioning is also useful, and sample checking of the change management process.
Checking not just that the account should or should not exist, but that the access permissions, the privileges assigned to the account, are appropriate. We can use some kind of automated monitoring systems. Similarly, we’ve mentioned SIEM. And these can provide an automated supplementary form of control for us. Usually we want to supplement any automated process, though, with a periodic manual access review check. So we can be checking for dormant accounts. We can use our automated systems. We may want to check for the use of high levels of privilege, what they’ve been used for, when they’ve been used, management confirmation and review. Did the manager actually request the creation or the deletion or the relevant change?
So typically, these tend to be audit-related functions.
Finally, we need to consider reporting. What are we reporting? To who are we reporting it? Do we have internal reporting requirements? Or do we have external compliance requirements? How often are we reporting information? What is the format of the report? Do we have points where we need to consider escalating the report? And do we need to sanitise any information in what we’re reporting? So the reporting frequency may be defined by compliance requirements. If not, we need to define it as an organization. We may want to escalate some things to senior managers – where there are urgent actions that need to be taken, where there are sufficient or high levels of privileges being assigned to an account, for example.
Ultimately, we want something that is providing an insight into the ongoing operational processes related to our identity and access management system. If we’re using third parties as part of our reporting process or as part of our access reviews, it’s sensible to request a non-disclosure agreement from them, just as a basic control, so that information doesn’t leak inappropriately from the organization.

Once you have watched the video, read the recap below:

  • We need to monitor all processes. We will want to know what to check for, who executes the checks, how often the checks are completed, and how to assess vulnerabilities.
  • Access reviews are recommended and can be a point-in-time assessment to review accounts that are dormant, disabled, or similar, and review their privileges to see if they are correct and appropriate.
  • Reporting processes should consider what is being reported, how and why certain data is reported, and whether there are any compliance requirements. In addition, how often reports occur, the format in which they are generated, and any escalation processes will need to be considered.
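
The point-in-time access review described above can be sketched as a script run over an account export. This is an added example, not part of the course material: the field names, the 90/30-day dormancy thresholds, and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds: the page only says checks should scale with privilege and risk.
DORMANT_DAYS = {"standard": 90, "privileged": 30}
PRIVILEGED_GROUPS = {"Domain Admins"}  # example group mentioned in the video

@dataclass
class Account:
    name: str
    enabled: bool
    groups: tuple
    last_logon: Optional[date]   # None = never logged on
    owner_employed: bool         # from an HR feed (assumed input)
    approved_by: Optional[str]   # manager on the change request, if any

def review(accounts, today):
    """Return {account name: [findings]} for accounts needing manual follow-up."""
    report = {}
    for a in accounts:
        findings = []
        tier = "privileged" if PRIVILEGED_GROUPS & set(a.groups) else "standard"
        if a.enabled and not a.owner_employed:
            findings.append("active account for a leaver (deprovisioning missed)")
        if a.enabled:
            idle = None if a.last_logon is None else (today - a.last_logon).days
            if idle is None or idle > DORMANT_DAYS[tier]:
                findings.append(f"dormant {tier} account")
        if tier == "privileged" and not a.approved_by:
            findings.append("privileged access with no manager approval on record")
        if findings:
            report[a.name] = findings
    return report

# Constructed sample inventory (not real data).
SAMPLE = [
    Account("alice", True, ("Staff",), date(2024, 5, 20), True, "m.jones"),
    Account("bob", True, ("Staff",), date(2024, 1, 5), False, "m.jones"),
    Account("svc-backup", True, ("Domain Admins",), date(2024, 4, 1), True, None),
    Account("carol", False, ("Domain Admins",), date(2023, 11, 1), False, "m.jones"),
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE, date(2024, 6, 1)).items():
        print(name, "->", "; ".join(findings))
```

The findings are a worklist for the manual review and management confirmation step, not a replacement for it.
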

This article is from the free online course Cyber Security Foundations: Identity and Access Management, created by FutureLearn.