Secure access management is essential for protecting sensitive data and systems. It ensures that only authorized users have the right level of access, reducing the risk of data breaches, insider threats, and operational disruptions. Learn how to improve access management for your system with these tips and resources.
Onboarding and Offboarding Checklists
Effective user access management is crucial for maintaining security and operational efficiency within an organization. Including user access management within an onboarding/offboarding process can help streamline access for new hires, minimize delays, and ensure that access is removed in a timely manner, thereby reducing potential security risks. Below are some examples of items you may want to consider including in your onboarding/offboarding process:
Onboarding - Access Requests
- Initiate the formal access provisioning request through the designated system (e.g., IT ticketing system)
- Ensure all required approvals are obtained
- Pre-provision access to systems
- Enroll the new employee in training
- Provide temporary credentials securely
- Guide the employee through the initial login process and passphrase change
- Assist with Duo enrollment and setup
- Confirm the employee can access systems
- Document all access requests, approvals, and changes (e.g., System Access Tracking Spreadsheet)
Offboarding - Access Removal
- Identify all systems to which the employee has access (e.g., in the System Access Tracking Spreadsheet).
- Inform IT about the employee's upcoming offboarding and schedule deprovisioning actions with IT.
- Revoke user access to systems
- Set a follow-up date to check and confirm all access has been removed.
- Update the System Access Tracking Spreadsheet to reflect the removal of access.
System Access Tracking
Managing who has access to what within your Unit can quickly become complex, especially as teams grow and systems multiply. Without a structured approach, access control can become a security risk and compliance headache.
ISO has created two Google Sheets templates to help you track account provisioning and deprovisioning for systems and applications within your Unit. Each template offers a different approach to account inventory and tracking. These templates are intended to serve as a guide and can be customized to your Unit's liking. Click the links below to create your own copy of the templates and refer to the worksheet titled INSTRUCTIONS for guidance on how to use each spreadsheet.
- Account Provisioning/Deprovisioning Template #1: This template enables you to maintain a comprehensive log of all accounts managed by your Unit in a single worksheet. You can sort and filter accounts by system, user, and other fields.
- Account Provisioning/Deprovisioning Template #2: This template focuses on each person within your Unit and the systems and applications to which they have access. Each person has a dedicated tab, which may be easier to use for smaller Units, or you can rename the tabs to "sub-Unit" instead.
- Questions about the templates? Contact: security-assessments@berkeley.edu.
Unit Information Security Plan
Creating your Unit Information Security Plan is essential for information security. It reduces uncertainty and the risk of overlooking policy requirements. By adapting security policies to your Unit's environment, you set clear expectations and provide specific instructions, which helps minimize unauthorized access.
The following snippet provides starter language for putting this all together in your Unit's Information Security Plan:
5.2 Protect
[Unit] uses the following controls and programs to develop and implement appropriate safeguards to ensure delivery of critical services.
5.2.1 (PR.AC) Identity Management and Access Control
- Unit-specific access control measures
  - Our Unit's access control strategy is closely linked to human resources actions such as hiring, promotions, transfers, and terminations. We utilize onboarding and offboarding checklists to manage access control tasks. You can find the checklists here:
    - Onboarding Checklist: <Link to your onboarding checklist>
    - Offboarding Checklist: <Link to your offboarding checklist>
  - Our user provisioning process (creating, modifying, disabling, or removing user access) is documented and tracked in this spreadsheet:
    - Unit Access Control Spreadsheet: <Link to your completed access control spreadsheet>
  - We use the following tools to manage access control within our Unit:
    - User Account Inventory Spreadsheet: <Link to your inventory spreadsheet>
    - Access Request Tool: <Name and link to Access Request Tool (e.g., Google Form, Ticketing System, etc.)>
    - Access Management System: <Name and link to Access Management System>
    - Privileged Access Management System: <Name and link to Privileged Access Management System>