MIS or 3rd Party Application Vendor access to Production

  • MIS and 3rd Party should not have Update access in Application (e.g. Payroll) in Production.
    What are the Compensating Controls if they want to have Update access for Support?
    a) If the application has audit log capability, the log is reviewed by the Business owner;
    b) On a need basis, create an Emergency Id with Update access to be used for support and then Deleted.
    Any other ideas?

  • Hi - Briefly, I’d suggest:

    1. Examine and justify the need (if possible, look at ways to eliminate any need for 3rd party access and update).

    2. Still, if there truly is a business or technology need that can’t be met without their ability to access – then restrict it to just those folks who absolutely need it and just the needed resources to accomplish it.

    3. The use of a ‘Fire ID’ (special emergency account) is a better control than simple logging (as often access audit logs aren’t thoroughly researched). Fire IDs are usually checked out though only in true emergencies.

    4. If there is a more frequent access need, maybe giving the user a 2nd special login for just these special needs might help (you can track all access for the special ID and it might make the user think and be more cautious when accessing highly sensitive data).

    5. Use read/write logging on either the Fire ID or the special accounts. If there are any issues they will be recorded and can still be looked at ‘after the fact’ in the logs.

    6. I also like strong 2-factor authentication controls if cost-justified (e.g., SecurID, Cryptocards, etc.). A user ID/password can easily be shared.

    7. The general search below seemed to have some good links:
      www.google.com/search?hl=en&lr=&q=external+user+security+controls
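As an added illustration (not code from the thread), here is a small Python model of the Fire ID workflow described in points 2 through 5 above and in option b) of the question: a time-boxed emergency ID that needs an approver other than the requester, logs every update made under it, is disabled when its window ends, and yields a report for the business owner's after-the-fact review. The account names, the in-memory registry and the timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time for the demo
def at(minutes):
    """Clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)

@dataclass
class FireId:
    name: str
    requester: str
    approver: str
    justification: str
    expires_at: datetime
    active: bool = True
    actions: list = field(default_factory=list)  # audit trail the business owner reviews
REGISTRY = {}  # name -> FireId; an in-memory stand-in for the application's user store

def checkout(name, requester, approver, justification, ttl_minutes, now):
    """Issue a fire ID only with a written justification and an approver other than the requester."""
    if requester == approver:
        raise PermissionError("requester cannot approve their own emergency access")
    fid = FireId(name, requester, approver, justification, now + timedelta(minutes=ttl_minutes))
    REGISTRY[name] = fid
    fid.actions.append((now, "CHECKOUT", f"by={requester} approver={approver}"))
    return fid

def perform_update(name, record, now):
    """Record a production update made under the fire ID; refuse once the window has lapsed."""
    fid = REGISTRY[name]
    if not fid.active or now >= fid.expires_at:
        fid.active = False
        fid.actions.append((now, "DENIED", record))
        return False
    fid.actions.append((now, "UPDATE", record))
    return True

def expire_ids(now):
    """Run on a schedule: disable every fire ID whose window has ended (the 'then deleted' step)."""
    closed = [f.name for f in REGISTRY.values() if f.active and now >= f.expires_at]
    for n in closed:
        REGISTRY[n].active = False
        REGISTRY[n].actions.append((now, "EXPIRED", ""))
    return closed

def review_report(name):
    """Lines the business owner reads to confirm only the justified changes were made."""
    return [f"{t.isoformat()} {name} {kind} {detail}".rstrip() for t, kind, detail in REGISTRY[name].actions]
```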
