by Tim Marley
As we move into CIS Control 6, Access Control Management, we’re going to spend the next several weeks discussing how organizations determine who gets access to what. We begin with Safeguard 6.1: Establish an Access Granting Process.
At first glance, this control sounds simple. Someone needs access to a system, they ask for it, and IT provides it. In practice, however, that process is often far less structured than organizations realize.
Over the years, I’ve conducted countless interviews and reviewed countless policies as part of risk assessments, compliance reviews, and governance initiatives. When I reach the topic of access control, there are always a few groups I want involved in the discussion. Human Resources is almost always one of them.
That may seem unusual for an access control conversation, but HR plays a critical role in ensuring that access decisions align with business intent. Technical teams know how to grant access within a system. They generally do not know what access an employee should receive, whether a promotion changes those requirements, or whether access is still appropriate after an organizational change. Those decisions belong to the business. A well-defined access granting process helps bridge that gap.
IT Implements, the Business Decides
One of the most common misconceptions I encounter is the belief that IT determines who gets access to systems and data. In reality, IT should be implementing access decisions, not making them.
The hiring manager, department leader, data owner, or other authorized individual is typically in the best position to determine what access is necessary for someone to perform their job. IT’s responsibility is to implement that decision accurately and consistently.
Without a defined process, those decisions often become informal. Someone sends an email. Someone makes a phone call. Someone stops by an office and asks for access to be granted.
Sometimes it works.
Sometimes it doesn’t.
The problem is that informal processes make it difficult to verify who requested access, who approved it, and whether the access granted was actually what the business intended.
Formalization Creates Consistency
The level of formality will vary depending on the size and complexity of the organization. A small business may rely on a simple workflow or ticketing process. A larger enterprise may have dedicated approval systems integrated with HR and identity management platforms.
The format matters less than the consistency. What matters is having a repeatable process that ensures access requests are handled the same way every time.
In mature environments, that process is often tied to predefined roles rather than individual permissions. Instead of manually determining every permission a user requires, the requestor selects from established roles that align with job responsibilities. Those roles can then be applied consistently across the organization.
The objective is not bureaucracy. The objective is accuracy. When the same process is followed every time, organizations are more likely to grant the intended level of access, less likely to make mistakes, and better able to demonstrate accountability when questions arise later.
Access Requests Should Capture the Right Information
A useful access request should answer several basic questions:
- Who needs access?
- What access is being requested?
- Why is the access needed?
- Who approved the request?
- When should the access be provided?
These questions create the foundation for an audit trail. When an organization can answer those questions consistently, it becomes much easier to validate that access decisions were appropriate and properly authorized.
Modern Environments Are More Complex Than They Appear
When people think about access control, they often think about logging into a computer. In reality, most organizations manage access across dozens of systems.
Employees may require access to:
- Email platforms
- HR systems
- Customer relationship management applications
- Accounting software
- Engineering tools
- Governance and compliance platforms
- Industry-specific business applications
Some organizations centralize authentication through a single identity platform. Others manage access separately within each application. Either way, access decisions often affect multiple systems simultaneously. That complexity makes a documented process even more important.
Without one, organizations frequently lose track of what was requested, what was approved, and whether implementation occurred consistently across all required systems.
Where the Process Breaks Down
Most access control failures are not caused by technology. They occur when the process itself breaks down.
Verbal requests. Informal emails. Missing approvals. Assumptions that someone else already reviewed the request. These are the situations that create confusion and increase risk.
A documented workflow helps eliminate those gaps by creating accountability and ensuring that access decisions are made intentionally rather than casually.
A Place to Start
If your organization does not have a formal access granting process today, start simple.
Define who can request access. Define who can approve access. Establish a consistent workflow for submitting requests and documenting approvals. Whether that workflow is a ticketing system, an online form, or another process is less important than ensuring it is followed consistently.
The goal is not to create paperwork. The goal is to ensure that access is granted to the right people, for the right reasons, with the appropriate approvals and documentation to support the decision.
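The five questions an access request should answer and the "define who can request, who can approve, and document it" starting point above can be turned into a small gate that IT runs before provisioning anything. The following is an added Python example, not code from the original post; the roles, approvers, requesters and addresses are constructed sample data, and `validate`/`provision` are hypothetical names. It rejects a request whose record is incomplete (missing approval, unauthorized requester, self-approval, ad-hoc permissions instead of a predefined role) and writes one audit line per decision.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

# Constructed sample data (hypothetical): predefined roles instead of ad-hoc permissions, the data
# owners allowed to approve each role, and the managers allowed to submit requests.
ROLES = {"accounting-clerk": {"erp:ledger-read", "erp:invoice-create"},
         "hr-generalist": {"hris:employee-read", "hris:employee-update"}}
APPROVERS = {"accounting-clerk": {"cfo@example.com"}, "hr-generalist": {"hr-director@example.com"}}
REQUESTERS = {"mgr-finance@example.com", "hr-director@example.com"}
AUDIT_LOG: List[str] = []  # one line per decision: this is the audit trail

@dataclass
class AccessRequest:
    subject: str                # who needs access
    role: str                   # what access is requested (a role, not individual permissions)
    justification: str          # why it is needed
    requested_by: str           # who submitted the request
    approved_by: Optional[str]  # who approved it
    effective: Optional[str]    # when it should be provided (ISO date, e.g. "2024-06-03")

def validate(req: AccessRequest) -> List[str]:
    """Return every reason the request cannot be provisioned; an empty list means it is complete."""
    problems = []
    if req.role not in ROLES:
        problems.append(f"unknown role {req.role!r}; only predefined roles are accepted")
    if req.requested_by not in REQUESTERS:
        problems.append(f"{req.requested_by} is not an authorized requester")
    if not req.justification.strip():
        problems.append("justification is required")
    if req.approved_by is None:
        problems.append("no approval recorded")
    elif req.approved_by == req.subject:
        problems.append("subject cannot approve their own access")
    elif req.approved_by not in APPROVERS.get(req.role, set()):
        problems.append(f"{req.approved_by} may not approve role {req.role!r}")
    if not req.effective:
        problems.append("effective date is required")
    return problems

def provision(req: AccessRequest) -> Set[str]:
    """IT implements the business decision: grant the role's permissions only if the record is complete."""
    problems = validate(req)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    if problems:
        AUDIT_LOG.append(f"{stamp} REJECTED subject={req.subject} role={req.role} reasons={problems}")
        return set()
    AUDIT_LOG.append(f"{stamp} GRANTED subject={req.subject} role={req.role} requested_by={req.requested_by} "
                     f"approved_by={req.approved_by} effective={req.effective}")
    return set(ROLES[req.role])
```

In a real deployment the dictionaries would come from the HR system and the identity platform, and the audit lines would go to the ticketing system or SIEM rather than a list, but the checks themselves are the same.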
