09 Jan 10

Access Reverification

For those who know me, you know that since grad school my work experience has centered around Information Risk Management (both at a Big 4 firm and within the insurance industry). For the techies out there who are familiar with COBIT controls, you already know these two security control objectives, but I will try to explain them in plain English for the non-techie folks:

DS 5.4 (User Account Management) – This control centers around how you give access and how you take it away.

DS 5.5 (Access Reverification) – This control governs how often you check (and either confirm or revoke) who has access, and what you do when someone turns out to have inappropriate access. This control exists as a backstop in case DS 5.4 is inadequate.

Best practice dictates that, depending on the level of risk, you should execute this control at least once a year, and the higher the access, the more often you should execute it (for example, those with a LOT of access should be checked every 3 months, while those with a little can be checked once a year).
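As an added illustration (not part of the original post) of how that risk-tiered cadence is usually operationalized, here is a small Python check that walks an access list and flags entries that are overdue for reverification or have never been verified. The 90-day and 365-day intervals follow the post's rule of thumb; the "medium" tier and its 180-day interval, the field names, and the sample records are all assumptions constructed for the example.

```python
from datetime import date, timedelta

# Days allowed between reverifications, per risk tier. 90 and 365 follow the
# post's rule of thumb; the "medium" tier and its 180 days are an assumption.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}


def next_review_due(last_verified, tier):
    """Date by which an entry in the given tier must be re-verified."""
    return last_verified + timedelta(days=REVIEW_INTERVAL_DAYS[tier])


def overdue_reviews(records, today):
    """Return (user, reason) pairs that need a reviewer's attention.

    records: iterable of dicts with keys user, tier and last_verified
    (a date, or None if the entry has never been through DS 5.5).
    A never-verified entry is reported too: nothing confirms that the
    access granted under DS 5.4 is still appropriate.
    """
    findings = []
    for r in records:
        tier = r["tier"]
        if tier not in REVIEW_INTERVAL_DAYS:
            findings.append((r["user"], f"unknown tier {tier!r}"))
            continue
        if r["last_verified"] is None:
            findings.append((r["user"], "never verified"))
            continue
        due = next_review_due(r["last_verified"], tier)
        if due < today:
            days_late = (today - due).days
            findings.append((r["user"], f"{tier} access overdue by {days_late} days"))
    return findings


# Constructed sample access list, reviewed as of a fixed date.
SAMPLE_RECORDS = [
    {"user": "alice", "tier": "high", "last_verified": date(2009, 9, 1)},
    {"user": "bob", "tier": "low", "last_verified": date(2009, 6, 15)},
    {"user": "carol", "tier": "high", "last_verified": date(2009, 12, 20)},
    {"user": "dave", "tier": "medium", "last_verified": None},
]
REVIEW_DATE = date(2010, 1, 9)

if __name__ == "__main__":
    for user, reason in overdue_reviews(SAMPLE_RECORDS, REVIEW_DATE):
        print(f"{user}: {reason}")
```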

Ok Rich, where ya going with this????

Here’s the deal: most of us don’t really take the time to analyze who it is that we have in our lives (at all levels), and we wonder why so many people are up in our business, causing havoc, and not adding anything positive at ALL. Think of yourself as a system, and sometimes too many people have inappropriate access to your life. They don’t need to know what you plan to do on your birthday, or know that you’re going to Homecoming, or even know that you’re still alive (and vice versa). So, every once in a while, we all need to go through an Access Reverification to see who’s in our lives, what level of access they have to us, and see if they’re appropriate based on their position. Let me give you an IT-based translation of the levels of access you need to consider when doing this exercise:

No Access: This seems to be self-explanatory to an extent. These are folks who don’t need to have any access to you at all. You may or may not speak to them when you see them on the street, but other than Yardfest at Howard Homecoming, the Morehouse Homecoming Tailgate, or the Taste of Chicago, they don’t need to speak to you or see you again. These are folks who have no purpose in your life at all; they don’t even need to be connected to you on Facebook, Twitter, LinkedIn, etc.

Read-Only Access: These folks can be connected to you on all of the sites I mentioned above, and might even leave a message or two every once in a while, but outside of them sending you a tweet or writing on your wall once every 6 months, these are folks you keep at arm’s length. They don’t need to see anything of you beyond what you publish (just like some of the people who are reading this blog at this very moment).

Admin Access: These folks go beyond Facebook, Myspace, and Twitter. These are people you share IMs with, you’re always writing on each other’s walls, and you even chat it up on the phone at least once a month (maybe even more); hell, you might even hang out on occasion. These people might know how your day at work was, you might know what she plans to cook for her husband tonight, or what restaurant he’s taking his wife to for their anniversary dinner (before it actually happens). They don’t know everything that’s going on with you, but they know enough to say that they know you. But they don’t know you as well as your……..

Super Users: This group of people knows your past, your present, and most likely is part of your future. They know your weaknesses, your hopes, your dreams, and your plans in a way that hardly anyone outside of God knows. These folks can reach you at least 90% of the time, 24/7 (and vice versa). This usually consists of close friends and family; pretty much, the people you love (or that you are courting in some cases).

Now, when you think of these categories, think of the people in your life, where they stand, and what lane they should be in. Sometimes, within our busy lives, we neglect to do this inventory, and/or our DS 5.4 is not on point. We don’t do enough due diligence as to who we let into our lives, or how adequately we exfoliate folks from our lives. There are folks you might stay connected to on Facebook and LinkedIn, and might hit occasionally with an IM, but they don’t need to be in your iPhone. Then there are folks you might know, you might see them once a month, you went to undergrad with them, they might be your frat bro or soror, but they don’t need to know anything other than what they see when they see you on the street.

With that being said, I challenge each of you to take inventory of the people in your lives and ensure their access to you is “appropriate”. You will realize that some folks have to go, and some folks need to have their access adjusted. It’s not going to be a quick and easy exercise, but it’s something we deal with in Corporate America to protect the information and privacy of our customers and the reputation of our shareholders. After all, a person with the wrong access can abuse that access and do something they’re not supposed to do. Why would you risk someone doing the same with you?


7 Responses to “Access Reverification”


  1. Melanie
    January 9, 2010 at 6:39 pm

    Very well put!

    You better keep me with my access dammit!!! :-)

  2. January 10, 2010 at 9:59 pm

    Yeah, you went in with this one! Good shyt son!

  3. StraightShooter
    January 12, 2010 at 3:28 pm

    Nice. My thoughts… Super Users should change the least often, then admin, so on and so forth. Whatever the case, I agree that it is imperative to perform reverification. Not only does one risk giving someone unworthy too much access; one also risks not keeping the Super Users abreast of important information and attention that reminds them that they are indeed privileged users. It’s not hot for Super Users to find out what’s going on with a fellow Super User on Facebook or one of the other social sites… I can dig it.

  4. LainaBaina
    January 12, 2010 at 10:08 pm

    YES! Doing this will definitely help me reevaluate friendships and associates…

  5. January 19, 2010 at 9:58 am

    Love the way you laid this out! I definitely have my own system of Tier 1, 2 and 3 friends.

  6. LOVELYBKLYN
    January 24, 2010 at 9:30 pm

    As a Techie, I absolutely love the analogy! U are so on point! Great post!

    -V

  7. PJ
    February 15, 2010 at 8:48 pm

    Love this one :)

    Portia
