On 22 November 2021, Parliament passed the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (the Act) which implements a number of amendments to the existing Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act). One feature of the Bill is that it creates an obligation for the owners of Critical Assets to adopt a security standard such as NIST or ISO 27001 and then demonstrate ongoing compliance.
One of the defining features of those security standards is the need to perform periodic user access reviews and, in particular under SOCI, physical access reviews. In this article, we will walk through how RightCrowd Access Analytics helps physical security teams conduct user access reviews and get back in control of physical access permissions.
What is a Physical User Access Review?
Physical access reviews go by many names. Some organizations call them access recertifications, account attestations or entitlement reviews; others call them periodic access reviews or access certifications. Regardless of the name, they are important because many regulatory standards contain mandatory requirements for user access reviews around physical security controls.
Unsurprisingly, each standard takes a slightly different approach to how the review assesses the adequacy of information and physical security controls.
Regardless of the standard, a user access review is a process of reviewing and validating user access rights to locations, systems and information. The process as it stands for many organizations centers around:
- Planning and selecting the teams or locations to be reviewed
- Determining the location owners and system admins
- Collecting user access reports and correlating that to identities
- Generating and tracking the access reviews
- Reviewing user access, and generating modifications and revocations
- Capturing audit information and signing off
Challenges of a Physical User Access Review
Amongst the biggest challenges is the collection of physical access information and correlating that data to actual people. In most instances, reviewers are working with dense, technical access control system data across multiple sources and trying to tie it back to a single user identity.
Often the user identifiers in the physical access control system are different from the corporate standard stored in the HR application. No surprise, then, that a manual access review requires a good amount of corporate knowledge and time.
Under SOCI, within a large complex physical environment, there could be many secure areas that require regular review. This clearly has a compounding effect on the resources and time required to support compliance, and a direct cost to the organization.
Wouldn’t it be nice if there was another way to tackle this? We should talk about RightCrowd Access Analytics.
RightCrowd Access Analytics Simplifies Physical User Access Reviews
RightCrowd Access Analytics delivers accurate, up-to-date reporting on physical access to facilities, buildings and areas. The product can interact with any physical access control system and integrate it with HR or Active Directory to identify physical access by people, teams or business units.
RightCrowd Access Analytics adds powerful analytics to existing access control system data and accurately identifies who has access to every location and if it complies with policy.
The solution identifies and monitors privileged physical access, lapsed and inappropriate access permissions, duplicate cardholders and a host of other security risks and compliance failures.
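As an added illustration of the identity-correlation problem described under Challenges and of the risk categories listed above (example code written for this article, not RightCrowd's product), the Python below normalizes the employee references in a constructed access control system export to the HR employee id, then flags cards that cannot be matched to a person, belong to terminated staff, are duplicates for one identity, or grant privileged area access. The records, field names and the privileged-area list are all assumptions.

```python
import re
from typing import Optional

# Constructed sample data (not real records). The PACS export carries the
# employee number in its own padded format ("E-000123") while HR stores "123".
PACS_CARDS = [
    {"card": "C1", "holder": "A. Ng",   "emp_ref": "E-000123", "areas": {"Lobby", "Control Room"}, "active": True},
    {"card": "C2", "holder": "B. Roy",  "emp_ref": "e-0456",   "areas": {"Lobby"},                 "active": True},
    {"card": "C3", "holder": "B Roy",   "emp_ref": "E-456",    "areas": {"Lobby", "Server Room"},  "active": True},
    {"card": "C4", "holder": "C. Diaz", "emp_ref": "E-789",    "areas": {"Lobby"},                 "active": True},
    {"card": "C5", "holder": "Visitor", "emp_ref": "",         "areas": {"Lobby"},                 "active": True},
]
HR_PEOPLE = [
    {"emp_id": "123", "name": "Alice Ng", "status": "active",     "unit": "Operations"},
    {"emp_id": "456", "name": "Ben Roy",  "status": "active",     "unit": "Finance"},
    {"emp_id": "789", "name": "Cy Diaz",  "status": "terminated", "unit": "Operations"},
]
PRIVILEGED_AREAS = {"Control Room", "Server Room"}  # assumption: set by site policy


def identity_key(emp_ref: str) -> Optional[str]:
    """Reduce a PACS employee reference to the HR employee id (digits, no zero padding)."""
    digits = re.sub(r"\D", "", emp_ref)
    return str(int(digits)) if digits else None


def review_physical_access(cards, people, privileged):
    """Correlate active cards to HR identities; return {finding_type: sorted card ids}."""
    hr = {p["emp_id"]: p for p in people}
    findings = {"unmatched": [], "terminated": [], "duplicate": [], "privileged": []}
    by_identity = {}
    for c in cards:
        if not c["active"]:
            continue
        key = identity_key(c["emp_ref"])
        if key is None or key not in hr:
            findings["unmatched"].append(c["card"])  # no identity to attest to
            continue
        by_identity.setdefault(key, []).append(c["card"])
        if hr[key]["status"] != "active":
            findings["terminated"].append(c["card"])  # lapsed access to revoke
        if c["areas"] & privileged:
            findings["privileged"].append(c["card"])  # needs owner sign-off
    for ids in by_identity.values():
        if len(ids) > 1:
            findings["duplicate"].extend(ids)  # one person, several live cards
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, ids in review_physical_access(PACS_CARDS, HR_PEOPLE, PRIVILEGED_AREAS).items():
        print(f"{kind:>10}: {', '.join(ids) or '-'}")
```

Each finding list maps directly to a review action: unmatched and terminated cards are candidates for revocation, duplicates for consolidation, and privileged holders for explicit attestation by the area owner.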
Under SOCI, critical infrastructure organizations will have ongoing obligations to review and monitor inappropriate physical access and to improve compliance outcomes. Do it the smarter way with RightCrowd Access Analytics.
If you would like more information on RightCrowd Access Analytics please contact us.