How to complete your access and assets controls
OVERVIEW
Access: Access to systems and data follows the concept of least privilege. Access should only be granted to employees or other third parties when there is a legitimate business need. That access should be restricted to the minimum level possible without unnecessarily limiting the required business role.
The termination/off-boarding checklist ensures that all employee off-boarding activities are completed promptly. This usually requires coordination across multiple functions and is a common area of control failure from missed tasks.
Assets: It is essential to maintain and update a register of all assets. Assets include but are not limited to servers, cloud infrastructure, end-point devices, employees, documents/policies, key information systems and anything else that is critical to the business. A documented asset inventory aims to track and support the monitoring of your devices used for accessing and potentially storing sensitive information. This helps other control practices to ensure these devices are appropriately protected, security restrictions and policies are applied, all devices are accounted for, and critical processes such as data erasure before asset disposal are used effectively for each device (when applicable).
When system assets, devices and hard copy documents are disposed of, the information security practices that otherwise apply, are removed. It is important to ensure all sensitive data is completely and effectively erased prior to the removal of these protections.
CONTROLS AND EVIDENCE
Access: We will review your quarterly access control review (DCF-11). The access to all systems should be reviewed on at least a quarterly basis to ensure there is a legitimate continued business need for the access and to identify if there have been any failures in the access provisioning or revocation.
We will review a sample of termination/off-boarding checklists (DCF-43) to ensure access has been removed promptly and that no steps in the off-boarding procedure have been missed.
Assets: Your asset register will be reviewed (DCF-20). Drata automatically captures the asset register based on the integrations, policies and personnel linked. Ensure all of your Drata connections are up to date.
We will review your Data Disposal Policy (DCF-109) to ensure proper erasure and security steps are adhered to. It is important to define key erasure and security standards to ensure no sensitive data can be recovered.
We will follow up with these controls in October following our continuous audit timeline.