An Excel-based tool which records Who has right of access to What systems, and Why that is the right decision.

In the previous blog post, Hello, Sam IAM, the challenges of system security were discussed. This post covers knowing who has access to what through System Access Management (the ‘Sam’ part of Sam IAM).
- Download Sam IAM Tool
- Remembering AOL and Zombies
- Inventory of Sam
- Kludged-Sam IAM
- Two Celines
- Access-Assets
- Matrix – Who Can Access What…. and Why?
- Spending Time with Sam IAM
- References and Further Reading
Download Sam IAM Tool
Remembering AOL and Zombies
How many systems do you have access to? The bank, a few utility companies, a couple of governments, loyalty programs, email accounts, and a good number of ‘etc.’.
Remembering AOL. At the very least, you have a dim recollection of signing up for an AOL account (remember AOL, anyone?). Now imagine that you are a new board member and you ask the innocent question: how many systems does our organization use or subscribe to? The answer is … umm, lots?
Documented-Zombies. Well-intentioned board members and volunteers (and perhaps staff) come and go. They sign up for things. If the account is not consistently used, it is eventually closed – maybe. If that system contains protected information (e.g. volunteer or participant names, phone numbers, addresses, birthdates, etc.), then this zombie subscription may be compromised and used by bad guys/girls.
Inventory of Sam
Passwords – A Start. Keeping a password log reduces this risk [1]. Password managers (e.g. NordPass, KeePass, Bitwarden, LastPass, etc.) can be used to infer the system inventory from the credentials they hold. Corporate credit card numbers and other text notes can also be stored in these systems.

Who Has Access to What? A limitation of using this type of tool to manage system access is that it doesn’t readily answer the questions ‘who has access to what, right now?’ or ‘who had access previously?’. For a smaller nonprofit with only a few volunteers and systems, this is likely not a problem. For a larger organization with numerous people accessing various systems, a better inventory tool is needed.
Kludged-Sam IAM
The linked spreadsheet provides a solution. Although meant for a small nonprofit, it can be used by an individual, a small business, a family, etc. There are likely better tools out there that do the same thing, but this tool is meant to be ‘good enough’ until an organization is ready to adopt something more sophisticated.
Two Celines
There are three different perspectives in the Sam IAM Tracking Tool. The first asks ‘Who’ has potential access. Who considers both the person involved (Michael, Celine, etc.) and the role they play. Because one person can play more than one role, the modifier field is used to make each record unique.
Celine, for example, has two roles on the board, Vice President and Chief of Marketing. A replacement is being sought for the latter, but until one is found Celine will continue to do both. Celine was also a director without portfolio but left that role in 2023.

Access-Assets
Login credentials, keys, combination locks, and other resources are all access points to be documented. Different access levels can be added. For example, the accounting software used, Intuit, is configured for three different roles: Administrator/Accountant, Approver (but able to enter transactions), and View only (able to see all transactions and some settings).
Additional details are documented as well, such as the vendor, which board member is accountable for the system, and whether the system is currently in use.

Matrix – Who Can Access What…. and Why?
The final perspective pulls together the first two tabs. Importantly, as volunteers come and go and access is granted or removed, rows are never deleted, only updated. In the event of a significant cyber incident, knowing who had access in the past may be important.

This list should be reviewed at least annually, signed off by the board, and minuted. As to who ‘owns’ and maintains this list, ideally it is owned by the Treasurer, Vice President, or a signing authority. Maintenance may be done by a staff member or volunteer.
Returning to Celine, she has twelve points of access, of which two are in the past. Questions for each of these include:
- Is Celine the right person, or in the right role, to have this access?
- Is there access missing for Celine?
- Is Celine trained and comfortable managing these systems?
- For past access, has she returned the relevant asset (e.g. a key), was the password updated, and has she purged all records (for example, erased the combination to the shed lock)?
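To make the three tabs concrete, here is an added example (not the Sam IAM spreadsheet itself, and not code from the post) that models Who, Access-Assets and the Matrix in memory and answers the two questions the password-manager approach cannot: who has access right now, and who had access previously. The people, roles and Intuit access levels follow the post; the shed lock and newsletter account, the vendor for the latter, and all dates and reasons are constructed sample data. Matrix rows are closed with a removal date rather than deleted, and the review for one person also lists closed rows that still lack offboarding evidence.

```python
"""Added example (not the Sam IAM spreadsheet): an in-memory model of its three
tabs (Who, Access-Assets, Matrix) so 'who has access right now?' and 'who had
access previously?' are answered by a query. Dates are ISO strings (YYYY-MM-DD),
which compare correctly as plain strings."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Who:
    """Who tab: one person in one role; modifier keeps the key unique."""
    person: str
    role: str
    modifier: str = ""


@dataclass(frozen=True)
class Asset:
    """Access-Assets tab: one access point at one access level."""
    name: str
    level: str
    vendor: str
    accountable: str  # board role accountable for the system
    in_use: bool = True


@dataclass
class Grant:
    """Matrix tab row. Closed by setting `removed` (ISO date); never deleted."""
    who: Who
    asset: Asset
    granted: str
    why: str
    removed: str | None = None
    asset_returned: bool | None = None      # offboarding evidence, recorded
    credential_rotated: bool | None = None  # once the row is closed

    def active_on(self, day: str) -> bool:
        return self.granted <= day and (self.removed is None or day < self.removed)


class Matrix:
    def __init__(self) -> None:
        self.rows: list[Grant] = []

    def grant(self, who: Who, asset: Asset, on: str, why: str) -> Grant:
        row = Grant(who, asset, on, why)
        self.rows.append(row)
        return row

    def revoke(self, who: Who, asset: Asset, on: str) -> None:
        """Close open grants for this who/asset pair; rows stay for incident history."""
        for row in self.rows:
            if row.who == who and row.asset == asset and row.removed is None:
                row.removed = on

    def holders(self, asset_name: str, day: str) -> list[tuple[str, str, str]]:
        """(person, role, level) for everyone with access to the asset on that day."""
        return sorted({(r.who.person, r.who.role, r.asset.level)
                       for r in self.rows if r.asset.name == asset_name and r.active_on(day)})

    def review(self, person: str, day: str) -> dict:
        """Annual-review view for one person: current grants, past grants, and past
        grants still lacking offboarding evidence (asset back and credential changed)."""
        mine = [r for r in self.rows if r.who.person == person]
        past = [r for r in mine if r.removed is not None and r.removed <= day]
        incomplete = [(r.asset.name, r.asset.level) for r in past
                      if not (r.asset_returned and r.credential_rotated)]
        return {"current": sum(r.active_on(day) for r in mine), "past": len(past),
                "offboarding_incomplete": incomplete}


def build_sample() -> Matrix:
    """Constructed sample data: people, roles and Intuit levels follow the post;
    the shed lock, newsletter account, vendor, dates and reasons are assumptions."""
    celine_vp = Who("Celine", "Vice President")
    celine_mkt = Who("Celine", "Chief of Marketing")
    celine_dir = Who("Celine", "Director", "without portfolio")
    michael = Who("Michael", "Treasurer")
    intuit_admin = Asset("Intuit", "Administrator/Accountant", "Intuit", "Treasurer")
    intuit_view = Asset("Intuit", "View only", "Intuit", "Treasurer")
    shed = Asset("Shed lock", "Combination", "n/a", "Vice President")
    newsletter = Asset("Newsletter account", "Editor", "(assumed vendor)", "Chief of Marketing")

    m = Matrix()
    m.grant(michael, intuit_admin, "2022-01-10", "Treasurer keeps the books")
    m.grant(celine_vp, intuit_view, "2022-06-01", "VP reviews the monthly reports")
    m.grant(celine_mkt, newsletter, "2023-03-01", "Runs member communications")
    shed_row = m.grant(celine_dir, shed, "2021-09-15", "Director looked after the equipment shed")
    # Celine left the director role in 2023: close the row and record what offboarding happened.
    m.revoke(celine_dir, shed, "2023-01-31")
    shed_row.asset_returned = True        # key handed back
    shed_row.credential_rotated = False   # combination never changed: still an open item
    return m
```

Calling `build_sample().holders("Shed lock", "2022-12-01")` shows Celine as a past holder even though `holders("Shed lock", "2024-06-30")` is empty, and `review("Celine", "2024-06-30")` flags the shed combination as offboarding still incomplete; both only work because `revoke` closes rows instead of deleting them.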
Spending Time with Sam IAM
Set-up time for the above will vary with each organization; finding out how many systems a nonprofit is associated with will be the most time-consuming step. This is followed by creating the matrix of Who can access What. Maintenance should then take less than an hour or so each year, depending on the size and complexity of the organization.
What is the alternative to spending this time? Madly running around trying to recreate it in an emergency (such as a cyber incident), or receiving an unexpected bill for a service subscribed to by a volunteer who has long since left.
References and Further Reading
- [1] But make sure you use a reputable system AND that there is a recovery and backup process for the passwords. Having a password locker compromised, being locked out of it, or having it disappear in a puff of bankruptcy smoke defeats the purpose. This subject is worthy of a few posts in and of itself. In no particular order, consider the ones in the above graphic.