Internal Audit – User Access Management Follow-up

Please note that in the spirit of the Access to Information Act, some information within this document cannot be disclosed for reasons related to the vulnerability of structures or systems, including computer or communication systems.

Executive summary

User access management is a key line of defence in safeguarding the Canada Revenue Agency’s (CRA’s) information and systems. The effective management of user identity and associated access to CRA information and systems is critical to the CRA being able to deliver its programs and services, maintain the public’s trust, and ensure that sensitive information is protected.

In 2013, the Audit, Evaluation, and Risk Branch completed an audit of user access management. The audit identified opportunities for the CRA to further strengthen its processes to ensure that user access is managed effectively, efficiently, and consistently.

Since the 2013 audit, the Finance and Administration Branch completed the Identity and Access Management Project. The objective of this enterprise-wide project was to strengthen controls over user access and achieve consistent user identity and access administration by standardizing and automating the processes across the five major computing environments. The CRA has also since implemented the Enterprise Fraud Management System.

The objective of this follow-up audit was to provide assurance that controls are in place and working as intended to ensure that user access administration is managed and monitored according to the CRA’s policies, standards, and procedures.

Overall, the internal audit team found that the CRA has internal controls in place to ensure that user administration is managed and monitored according to CRA policies, standards, and procedures. The internal audit team found that significant improvements have been made to user access management since the previous internal audit in 2013. However, the internal audit team also noted some opportunities to further strengthen CRA’s compliance with policies and monitoring activities to ensure that user access administration is appropriately managed.

Summary of recommendations

The Finance and Administration Branch and the Information Technology Branch should strengthen appropriate controls related to user access management in order to ensure that user accesses are provisioned, reviewed, suspended, and removed in compliance with CRA policy requirements. They should also ensure that appropriate security screening levels for employees with privileged access are consistently applied and that data administrator activities on all platforms are monitored. Additionally, the Finance and Administration Branch should ensure that non-validated segregation of duties conflicts are addressed in a timely manner.

Management response

The Finance and Administration Branch and Information Technology Branch agree with the recommendations in this report and have developed related action plans. The Audit, Evaluation, and Risk Branch has determined that these action plans appear reasonable to address the recommendations.

1. Introduction

User access management is a fundamental component of information technology (IT) security. The Canada Revenue Agency (CRA) is one of the largest holders of personal information in the Government of Canada. Protecting client information and safeguarding privacy are key priorities of the CRA.

Managing identities and controlling access to the CRA’s IT systems are critical to ensuring that information assets are protected. There are approximately 300,000 accounts across the five CRA IT platforms, including both standard and non-standard accounts (system, multi-user, and privileged) (see Appendix B for the list of IT platforms). Protection can be achieved and maintained only through effective user access management practices for these accounts.

In 2013, the Audit, Evaluation, and Risk Branch completed an initial audit of user access management. This audit identified opportunities for the CRA to further strengthen its processes to ensure that user access management is performed effectively, efficiently, and consistently.

Since the 2013 audit, the Finance and Administration Branch completed the Identity and Access Management Project. The objective of this enterprise-wide project was to strengthen controls over user access and achieve consistent user identity and access administration by standardizing and automating the processes across the five major computing environments.

The CRA has also since implemented the Enterprise Fraud Management System, which provides cutting-edge capabilities that enhance monitoring and detection by identifying questionable transactions through the application of business analytics. This system flags activities that appear inconsistent with employees’ assigned workloads and duties.

In order to further improve the effectiveness of the CRA’s information security program and initiatives, user access management is a shared responsibility:

As such, the protection and safeguarding of taxpayer, benefit recipient, and employee information can be achieved only through effective user access management practices across all IT platforms and by all users. However, the CRA must also ensure that minimum access principles do not become a barrier to enabling client-centric service.

2. Focus of the audit

2.1. Importance

This audit is important because effective management of user identity and associated access to CRA information and systems is critical to the CRA being able to deliver its programs and services, maintain the public trust, and ensure that sensitive information is protected.

The Audit, Evaluation, and Risk Branch verified whether user accesses were being managed appropriately in its 2013 audit. The audit identified opportunities for the CRA to further strengthen its processes to ensure that user accesses were managed effectively, efficiently, and consistently. Because the Identity and Access Management Project that followed this audit resulted in many changes, a follow-up audit was deemed appropriate.

Recent privacy breaches in other organizations further confirmed the importance of this audit. In addition, this audit is linked to three risks identified in the CRA’s Corporate Risk Profile: protection of taxpayer information, values and ethics, and privacy.

This audit was first included in the Board of Management approved Risk-Based Audit and Evaluation Plan 2013-2016. However, in 2016, the audit was deferred to the 2018 to 2019 fiscal year, awaiting the completion of the Identity and Access Management project. The Agency Management Committee approved the Assignment Planning Memorandum on July 3, 2019.

2.2. Objective

The audit objective was to provide the Commissioner, CRA management, and the Board of Management with assurance that controls are in place and working as intended to ensure that user access administration is managed and monitored according to CRA policies, standards, and procedures.

2.3. Scope

The audit covered the CRA’s production environments, where taxpayer, benefit recipient, and CRA employee information reside. It excluded the business intelligence environment as this was covered in the recent Business Intelligence Renewal Data Protection review. The audit work included examining many of the implemented improvements resulting from the Identity and Access Management Project. The audit team also conducted audit tests similar to those performed during the 2013 Internal Audit of User Access Management in areas where high risks were identified.

The internal audit team conducted interviews and testing within Headquarters, the Atlantic Region, the Western Region, as well as at Shared Services Canada to obtain information on their employees’ access to CRA systems.

2.4. Audit criteria and methodology

The audit criteria and methodology can be found in Appendix A.

The examination phase of the audit took place from July 2019 to January 2020.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

3. Findings, recommendations, and action plans

The recommendations presented in this report address issues of high significance or mandatory requirements.

The Finance and Administration Branch and the Information Technology Branch agree with the recommendations in this report and have developed related action plans. The Audit, Evaluation, and Risk Branch has determined that these action plans appear reasonable to address the recommendations.

3.1. Compliance

3.1.1 Policy instruments related to user access management are in place and communicated.

Based on document reviews, interviews, and analyses, the internal audit team determined that the Finance and Administration Branch has reviewed and updated corporate security policy instruments relevant to user access management. The internal audit team found that corporate policy instruments had established requirements consistent with Government of Canada policies from the Treasury Board of Canada.

The internal audit team also found that the corporate policy instruments are published on the employee portal (Infozone) and communicated to employees to provide information on objectives, expected outcomes, and security requirements related to the management of user access to CRA information and systems.

3.1.2 Stakeholder roles and responsibilities related to user access management are in place.

Based on interviews with selected stakeholders and testing, the internal audit team determined that the roles and responsibilities regarding the management of user accounts and access within the CRA are clearly defined, documented, communicated, and generally understood.

The Finance and Administration Branch provides stakeholders with support and guidance on information security to reinforce their understanding of their security responsibilities. Roles and responsibilities were communicated to stakeholders through various outreach and engagement activities, including internal intranet communications, CRA emails, and security training courses.

3.1.3 Processes, guidance, and tools used for managing user access have significantly improved since the previous internal audit.

Overall, the internal audit team found that there have been many improvements to user access management since the 2013 internal audit. These improvements are due to the completion of management action plans that addressed the recommendations made in the 2013 audit, as well as ongoing initiatives in the Identity and Access Management program that are improving processes, guidance, and supporting tools.

These action plans and initiatives include system improvements in the management of CRA user identities across IT platforms and the centralization of access requests and system administration. In addition, the CRA specified requirements on the consistent use of supporting tools for managing user access through the Role Based Access Control, the System Access Definition Catalogue, and the Access Review and Certification application. The Role Based Access Control and the System Access Definition Catalogue repositories provide information for assigning minimum system access permissions based on job duties. The Access Review and Certification application supports managers in their mandatory review of their employees’ system access permissions. These systems are in place to assist managers in ensuring employees have only the minimum system access permissions required to process their workload.

During testing, the internal audit team also noted a number of Finance and Administration Branch initiatives that were in progress to further improve the consistency and completeness of role management through automation and to further integrate supporting tools.

3.1.4 Controls are in place to provide access to systems; however, improvements are needed to ensure access is removed when an employee’s workload changes as well as to ensure need-to-know and minimum system access principles are applied consistently.

The Information and Systems Security Directive aims to ensure that system access permissions for employees are effectively managed and rigorously controlled. User access is granted only when it is authorized and appropriate. This is determined based on the current duties of the employee as well as the principles of need-to-know and minimum system access. Accounts that are inactive or no longer required must be suspended.

The internal audit team found that user access requests for platforms were documented and appropriately approved by managers. However, there were cases where users were granted access without the need-to-know and minimum system access principles being applied. Through a sampling of accounts, the internal audit team found that some user accounts retained unnecessary system access permissions after employees had been transferred to new job duties, because their previous accesses had not been removed. Access requests and instructions submitted through the IT Self Service Portal were not always clear, and the Information Technology Branch’s system administrators did not consistently remove accesses on all platforms.

In addition, automated system processes exist to ensure that access is suspended when there is a relevant change in an employee’s employment status or when the account is inactive. However, not all inactive user accounts were suspended. PROTECTED

There is a risk that unnecessary system access permissions and non-removal of accounts will result in inappropriate or unauthorized access to sensitive information.

Recommendation 1

The Finance and Administration Branch must ensure that user accounts are consistently provisioned in compliance with the CRA policy requirements of need-to-know and minimum system access, including when an employee’s workload changes.

Action Plan 1

During the period under review, the Finance and Administration Branch has developed and was in the process of publishing a number of learning products that promote access management principles for CRA supervisors. In addition, the Finance and Administration Branch will incorporate reminders on the use of proper forms for transfers and reactivations of accounts into its semi-annual awareness product issued to all CRA managers.

The Finance and Administration Branch will review the IT Self-Service Portal forms used for transfers and reactivation of accounts and propose changes to the Information Technology Branch as required. Further work on ensuring that user accounts are provisioned according to “need-to-know”, “minimum system accesses,” and “segregation of duty” principles for transfers and reactivation of accounts is planned under the new comprehensive Access and Role Management Solution tool.

The Finance and Administration Branch will provide guidance to the Information Technology Branch on the required updates to the applicable Information Technology Branch National Standing Operating Procedures to ensure system access permissions are managed appropriately in the case of transfers and reactivation of accounts.

Completion date: October 2020 (Excluding Access and Role Management Solution, see action plan 4B)

Recommendation 2

The Information Technology Branch must ensure that an employee’s user access is removed when requested and that inactive accounts are appropriately suspended.

Action Plan 2A

The Information Technology Branch will review and update National Standard Operating Procedures and standards to ensure an employee’s user access permissions are managed and appropriately removed in the case of transfers and reactivation of accounts. 

The Information Technology Branch will deliver awareness through virtual training sessions, as well as communications for managers and service providers to ensure employee’s user access permissions are managed appropriately. This information will be published in the IT Knowledge Centre (ITKC) to ensure it is available for new employees in ITB.

Once changes to the procedures and standards have taken place and awareness sessions have been completed, a Quality Audit will be performed. This will assess whether the changes made have had a positive impact, as well as identify if there are any other changes required to documents and processes.

Completion date: March 2021

Action Plan 2B

The Information Technology Branch will implement changes to the IT Self Service Portal web forms for account transfers and reactivations identified as a result of the Finance and Administration Branch review of these forms.

Completion date: March 2021

Action Plan 2C

The Information Technology Branch will determine the root cause PROTECTED and implement corrective actions to address the risks associated with these accounts.

Completion date: March 2022

3.1.5 User accounts are unique and traceable to the assigned user; however, the risk of unmatched user accounts should be addressed.

User Account and Password Management Standards require that access to CRA information and systems be provided through a user account with a single, unique, and traceable user ID. This requirement is necessary for ensuring accountability when employees access taxpayer, benefit recipient, and employee information and CRA systems.

The internal audit team noted that access was provided through unique user accounts on the IT platforms that were traceable to a valid identity. Through data analysis, the internal audit team found that, in most cases, standard accounts complied with naming standards and matched valid identifiers. However, the team noted data integrity issues, including unmatched accounts on IT platforms that were created by system administrators and not appropriately linked to a valid identity.

During interviews with the Finance and Administration Branch, the internal audit team noted that periodic reporting was in place, with an ad-hoc review to resolve issues with the integrity of identity data. However, formal documented procedures were not yet in place.

There is a risk that user accounts not properly linked to an accountable individual will result in inappropriate and unauthorized access to sensitive information that cannot be detected.

Recommendation 3

The Finance and Administration Branch, together with the Information Technology Branch, should address the risk of unmatched user accounts and data integrity issues and ensure that issues are resolved.

Action Plan 3

The Finance and Administration Branch has procedures in place to address unmatched user or system accounts, ensuring resolution in a timely manner. It will continue to work in conjunction with the Information Technology Branch to review and address unmatched user or system accounts and data integrity issues on an ongoing basis.

The Finance and Administration Branch will formalize its procedures for addressing the risk of unmatched user or system accounts and data integrity issues.

Completion date: April 2021

3.1.6 Segregation of duties controls were in place; however, improvements can be made to address non-validated segregation of duties conflicts in a timely manner.

The Segregation of Duties Directive defines the security requirements and roles and responsibilities that are in place for defining, designing, and assigning system access permissions to maintain proper segregation of duties.

During the course of the audit, the internal audit team found that branches identified, documented, and communicated segregation of duties requirements in the Role Based Access Control and System Access Definition Catalogue repositories. This was done to ensure that conflicting job functions were separated through associated roles and profiles. At the time of examination, an annual process was in place to ensure that all roles, profiles, and segregation of duties requirements were reviewed and validated by each branch’s Assistant Commissioner.

Furthermore, in order to support operational efficiency and client service, Assistant Commissioners can validate exceptions when there is a business need that requires conflicting job functions. The Assessment, Benefit, and Service Branch has a documented process for validating segregation of duties exceptions, supported by a risk assessment approach.

Reporting by the Finance and Administration Branch was in place to identify and document employees with segregation of duties conflicts on a monthly basis. As well, certain segregation of duties rules were integrated through the Enterprise Fraud Monitoring System to mitigate the risk of fraud, error, and misuse.

However, based on a test of a sample of user accounts, the internal audit team noted instances where employees had non-validated segregation of duties conflicts. This was especially the case when employees transferred to new job duties. The functionality of supporting tools should be improved to ensure that segregation of duties conflicts with an employee’s current system access are identified and prevented before the provisioning of new system accesses.

In addition, reports for segregation of duties conflicts do not track the length of time since their initial detection. The CRA’s Segregation of Duties Directive requires that immediate and appropriate action be taken when a segregation of duties conflict is detected. This is done to ensure that formal approval of exceptions is based on the assessed risks and the mitigating controls in place. Based on a comparison of the July 2019 and December 2019 reports, some users still had non-validated segregation of duties conflicts even after five months.

Without properly addressing segregation of duties conflicts in a timely manner, there is a risk of inappropriate or unauthorized system access. Therefore, there is also a risk to the protection of taxpayer information.
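The two control gaps described above (no preventive check before provisioning, and monthly reports that do not carry a conflict's first-detection date forward) can be closed with a small amount of reconciliation logic. The following is an added example, not CRA code: the role names, user IDs, rule pairs and report dates are constructed, and the CRA's actual Role Based Access Control roles and report format are not on the page.

```python
"""Segregation-of-duties (SoD) conflict detection, prevention and ageing.

Added example (not CRA code). Role names, user IDs, rules and dates are
constructed for illustration only.
"""
from datetime import date
from typing import Dict, FrozenSet, List, Set, Tuple

Role = str
UserId = str
ConflictKey = Tuple[UserId, FrozenSet[Role]]  # (user, the violated rule)

# Constructed SoD rules: each frozenset is a pair of roles one person must not hold.
SOD_RULES: List[FrozenSet[Role]] = [
    frozenset({"ROLE_ADJUST_ACCOUNT", "ROLE_APPROVE_REFUND"}),
    frozenset({"ROLE_CREATE_VENDOR", "ROLE_RELEASE_PAYMENT"}),
]


def find_conflicts(assignments: Dict[UserId, Set[Role]],
                   rules: List[FrozenSet[Role]] = SOD_RULES) -> Set[ConflictKey]:
    """Detective control: every (user, rule) where the user holds both roles of a rule."""
    return {(user, rule) for user, roles in assignments.items()
            for rule in rules if rule <= roles}


def would_conflict(current: Set[Role], new_role: Role,
                   rules: List[FrozenSet[Role]] = SOD_RULES) -> List[FrozenSet[Role]]:
    """Preventive control: rules that granting new_role on top of an employee's
    current roles would violate. Run this before provisioning, e.g. on transfer."""
    proposed = current | {new_role}
    return [rule for rule in rules if new_role in rule and rule <= proposed]


def track_first_detected(
        snapshots: List[Tuple[date, Dict[UserId, Set[Role]]]]) -> Dict[ConflictKey, date]:
    """Carry each conflict's first-detection date forward across monthly reports.
    A conflict that is resolved and later recurs restarts its clock."""
    first_seen: Dict[ConflictKey, date] = {}
    for report_date, assignments in sorted(snapshots, key=lambda s: s[0]):
        current = find_conflicts(assignments)
        for key in list(first_seen):
            if key not in current:
                del first_seen[key]          # resolved since the previous report
        for key in current:
            first_seen.setdefault(key, report_date)
    return first_seen


def overdue_conflicts(first_seen: Dict[ConflictKey, date], validated: Set[ConflictKey],
                      as_of: date, max_age_days: int) -> List[Tuple[str, Tuple[str, ...], int]]:
    """Non-validated conflicts older than max_age_days as of the latest report."""
    out = []
    for key, since in first_seen.items():
        age = (as_of - since).days
        if key not in validated and age > max_age_days:
            out.append((key[0], tuple(sorted(key[1])), age))
    return sorted(out)


# Constructed monthly role-assignment reports (July, September, December 2019).
_AR = {"ROLE_ADJUST_ACCOUNT", "ROLE_APPROVE_REFUND"}
_VP = {"ROLE_CREATE_VENDOR", "ROLE_RELEASE_PAYMENT"}
SNAPSHOTS = [
    (date(2019, 7, 1), {"u1": set(_AR), "u2": set(_VP), "u3": set(_AR)}),
    (date(2019, 9, 2), {"u1": set(_AR), "u2": {"ROLE_CREATE_VENDOR"}, "u3": set(_AR)}),
    (date(2019, 12, 2), {"u1": set(_AR), "u2": {"ROLE_CREATE_VENDOR"},
                         "u3": set(_AR), "u4": set(_VP)}),
]
# Constructed: u3's conflict was formally approved as an exception by the branch.
VALIDATED: Set[ConflictKey] = {("u3", SOD_RULES[0])}


def audit_report(as_of: date = date(2019, 12, 2), max_age_days: int = 30):
    """Conflicts that are neither validated nor newly detected: u1, open since July."""
    return overdue_conflicts(track_first_detected(SNAPSHOTS), VALIDATED, as_of, max_age_days)


if __name__ == "__main__":
    for user, rule, age in audit_report():
        print(f"{user}: {rule} non-validated for {age} days")
```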

Recommendation 4

The Finance and Administration Branch should ensure that user accounts are provisioned according to the segregation of duties requirements and that non-validated segregation of duties conflicts are addressed in a timely manner, in compliance with CRA policy requirements.

Action Plan 4A

The Finance and Administration Branch will define a formal protocol for working with Branches to address non-validated segregation of duties conflicts, in compliance with CRA policy requirements.

Completion date: April 2021

Action Plan 4B

The Finance and Administration Branch will ensure that the preventative controls for segregation of duties are incorporated into the Access and Role Management Solution business requirements. In the interim, current monitoring over segregation of duties will continue to be in place to address the identified risk.

Completion date: April 2023

3.1.7 CRA IT platform owners can identify privileged accounts; however, criteria used to determine security screening requirements for positions where duties involve the administration of privileged accesses are not consistently applied.

The internal audit team identified privileged users for the mainframe IT platform. Based on interviews and testing, the team noted that the Information Technology Branch currently has an initiative underway to further define profiles and develop roles for common jobs for privileged users.

Through testing, the team also noted that mainframe privileged users had valid security screening levels. However, there were discrepancies between branches regarding which security screening levels should be granted to administrators with privileged accesses. The criteria for determining the security screening requirements of positions (including positions requiring frequent and unsupervised access to Government of Canada information, assets, and facilities) are established according to the Treasury Board of Canada Secretariat Standard on Security Screening. The internal audit team determined that 75% of CRA privileged users sampled had Secret clearance. By comparison, 50% of Shared Services Canada employees who are responsible for managing IT infrastructure and network services for the CRA and require privileged access to IT platforms had Secret clearance or above. The internal audit team could not conclude on the appropriateness of the security screening levels but determined that there was a possible lack of consistency.

The Treasury Board of Canada Secretariat criteria referenced in the CRA Personnel Security Screening Procedures are unclear and applied inconsistently across the CRA. Therefore, there is a risk that the CRA might not be assessing and determining consistently the security screening requirements that correspond with the duties of some privileged users.

Recommendation 5

The Finance and Administration Branch should determine and document security requirements where duties require privileged access to CRA infrastructure and systems. It should then communicate the results to the Information Technology Branch to ensure proper security screening.

Action Plan 5

The Finance and Administration Branch will take the following actions:

Completion date: October 2021

3.2. Monitoring

3.2.1 The monitoring tools related to the review of user accounts are being used, but improvements are needed to ensure that non-standard accounts are reviewed in a timely manner.

Access reviews are an essential control to ensure that users have only the minimum system access permissions required to perform their duties. The Information and Systems Security Directive requires managers to periodically review accesses for all user accounts under their responsibility.

Based on testing performed, the internal audit team noted that standard accounts were certified in a timely manner through the Access Review and Certification application. However, this was not the case for specific non-standard accounts (which include system, generic, and privileged accounts). The team also found that the CRA, even after multiple communication attempts, was still waiting for Shared Services Canada to report on the review of its accounts, including those for privileged users.

The internal audit team found that supervisors did not always complete access reviews to ensure that user access was granted based on the principles of need-to-know and minimum system access permissions for standard accounts. Based on testing, the team found that some supervisors did not appropriately update employees’ system profiles with updated Role Based Access Control roles and remove access permissions from previous positions. Some areas did not have updated or complete roles that included all application profiles required to establish standards for need-to-know and minimum system access permissions. During interviews, managers also reported that supporting tools were in place to assist with access reviews, but they noted that improvements are needed regarding usability. In particular, managers specifically stated that:

Without accurate and timely access reviews, there is a risk of unnecessary system access permissions and inappropriate access, such as by employees with conflicting roles.

Recommendation 6

The Finance and Administration Branch should review supporting tools for clarity and accuracy of information as well as ensure that user account roles and accesses for all account types are reviewed and certified, in compliance with CRA policy requirements.

Action Plan 6

During the period under review, the Finance and Administration Branch had developed and was in the process of publishing a number of learning products that promote access management principles for CRA supervisors. In addition, the Finance and Administration Branch had established regular Access Review and Certification training sessions for CRA supervisors that have been well received in the CRA supervisory community.

The Finance and Administration Branch will review its protocols related to non-standard accounts certification in order to evaluate the associated risk. In addition, the Finance and Administration Branch will assess the cost effectiveness of incorporating changes into the existing process given that it is in the process of initiating two projects that will modify the provisioning and certification of non-standard accounts (Access and Role Management Solution and Privileged Access Management).

Completion date: April 2021 (excluding ARMS and PAMS that are to be completed by April 2023)

3.2.2 Monitoring tools related to database administrators should be improved to ensure that privileged activities are appropriate.

Monitoring user activities is an essential component of the prevention and detection of fraudulent and inappropriate use of sensitive information. This monitoring is especially important when it comes to database administrators who have access to large amounts of taxpayer, benefit recipient, and employee data.

The internal audit team tested a sample of database administrators and found that tools to support the monitoring of certain privileged activities are not yet in place. The Information Technology Branch is currently implementing monitoring rules for database administrators. These will be integrated into the Enterprise Fraud Monitoring System and will be completed PROTECTED.

Because not all database administrator activities on all platforms are currently integrated into the Enterprise Fraud Monitoring System, inappropriate database administrator activities might go undetected. This lack of detection might compromise the CRA’s sensitive information and critical services.

Recommendation 7

The Information Technology Branch, in consultation with the Finance and Administration Branch, should ensure that monitoring of database administrator activities on all platforms is in place.

Action Plan 7

The Information Technology Branch has an existing Electronic Fraud Management System (EFMS) that is being leveraged to help address these gaps. The IT Security Centre (ITSC) and the IT Security Solutions (ITSS) divisions are working to implement “detection models” that will identify any wrongdoing by database administrators on all platforms within the CRA.

The initial detection models being implemented in the EFMS will:

PROTECTED

Completion date: June 2021

3.2.3 Performance indicators and reporting mechanisms are in place for the Identity and Access Management program.

The CRA’s Project and Programme Management Directive states that monitoring and decision-making are based on performance measurements data in order to support accountability and transparency.

The internal audit team found that the Finance and Administration Branch had implemented key performance indicators for the Identity and Access Management program. The indicator data was gathered from periodic monitoring of access review and certification activities, as well as from monitoring of each Branch Assistant Commissioner’s assessment and validation of roles and profiles. Additionally, the internal audit team noted that monitoring initiatives pertaining to client engagement and awareness, segregation of duties, and a third-party benchmark assessment were completed to ensure the effectiveness of the Identity and Access Management program.

The internal audit team also found that reporting mechanisms had been established through various committees, including the Identity and Access Management Steering Committee and the Access Advisory Committee. These committees include representation from all branches and provide oversight of and direction to the Identity and Access Management program performance. Through observation and analysis, it was found that these committees also provide ongoing support in the implementation of user access management processes and tools.

4. Conclusion

The objective of this audit was to provide assurance that controls are in place and working as intended to ensure that user access administration is managed and monitored according to CRA policies, standards, and procedures.

Overall, the internal audit team found that the CRA has many internal controls in place to ensure that user administration is managed and monitored according to CRA policies, standards, and procedures. However, the internal audit team also noted some opportunities to strengthen compliance with policies and monitoring activities to ensure that user access administration is appropriately managed.

The Finance and Administration Branch and the Information Technology Branch should further strengthen controls related to user access management to ensure that user access is provisioned, reviewed, suspended, and removed in compliance with CRA policy requirements. They should also ensure that appropriate security screening levels for employees with privileged access are consistently applied and that data administrator activities on all platforms are monitored. Additionally, the Finance and Administration Branch should ensure that non-validated segregation of duties conflicts are addressed in a timely manner.

Internal audit will consider doing another follow-up audit in 3 years, given the significant risks associated with user access management.

5. Acknowledgements

In closing, the Audit, Evaluation, and Risk Branch recognizes and thanks the Finance and Administration Branch, the Information Technology Branch, the Atlantic Region, the Western Region, and Shared Services Canada for the time they have dedicated and the information they have provided during the course of this engagement. Additionally, we would like to thank representatives from the Appeals Branch; the Assessment, Benefit, and Service Branch; the Collections and Verification Branch; the Compliance Programs Branch; and the Legislative Policy and Regulatory Affairs Branch for their assistance and cooperation.

6. Appendices

Appendix A: Audit criteria and methodology

Based on the Audit, Evaluation, and Risk Branch risk assessment, the following lines of enquiry were identified in the Assignment Planning Memorandum and approved by the Management Audit and Evaluation Committee:

Lines of enquiry and criteria

Compliance:
- CRA policies, directives, standards, and procedures are in place, current, published, communicated, and aligned with those of the Government of Canada.
- Stakeholder roles and responsibilities are defined, documented, and communicated.
- Accounts are managed effectively and consistently in compliance with CRA policies.

Monitoring:
- Monitoring tools are being used and are working as intended.
- Identity and Access Management program key performance indicators for managing user accounts are defined, documented, implemented, reported, and actioned.
- Reporting mechanisms are used and are working as intended.

Methodology

The methodologies used for examination included the following:

Appendix B: Platform descriptions

The table below identifies the major information technology platforms that make up the CRA’s production environment.

PROTECTED

Appendix C: Glossary

Access Review and Certification: A mandatory risk management activity in which managers regularly review the system access permissions of their employees' and non-employees' standard and non-standard accounts.

Access and Role Management System (ARMS): Security initiative that enhances the CRA's Identity and Access Management (IAM) processes through automated provisioning and de-provisioning of system access permissions via Attribute and Role-Based Access Control functionality.

Identity: A reference or designation used to distinguish a unique and particular individual, organization, or device.

Identity and Access Management: Policies, processes, and systems for the effective governance of digital identities and accounts through standardized and consistent processes for managing information about users: who they are, how they are authenticated, and what they can access.

Minimum system access permissions: The principle that someone should have only the access required to perform their duties.

Need-to-know: A principle that restricts access to systems, information, and data to what an individual needs to perform assigned tasks or duties.

Non-standard user account: A user account created to allow a user to gain access to computing platforms, systems, or applications that are normally restricted. Often these accounts provide elevated, non-restrictive access to a computing platform, a database, or an application, or are used by multiple individuals.

Non-standard account administration: The standardized process for requesting, authorizing, granting, reviewing, and removing system access permissions that are not part of a basic user account, or for situations where more than one account is required for an individual. Often these accounts provide elevated, non-restrictive access to a computing platform, a database, or an application, or are used by multiple individuals.

Privileged access: An authorization or set of authorizations that allows users to bypass logical access controls and execute functions that are normally forbidden to ordinary (non-privileged) users, such as installing software, changing configuration settings, adding or removing user accounts, and granting or changing other users' system access permissions. Equivalent terms: elevated permissions, administrative powers.

Privileged users: Individuals who are granted privileged access in order to perform their job; the access can be system-wide or restricted to a site, region, system, or work requirement.

Privileged Access Management System (PAMS): Privileged Access Management products prevent unauthorized access and use within systems using advanced security controls such as credential vaulting, active monitoring, and integration with Multifactor Authentication (MFA).

Provisioning: Adding access permissions to user accounts to allow access to specific applications and systems. Provisioning is usually triggered when the CRA hires a new worker (onboarding) or moves an existing user to a new location or job function.

Role Based Access Control: The authoritative source for assigning minimum system access permissions based on job duties.

Security screening: The assessment of an individual's reliability and loyalty to Canada, which is a condition of employment. The levels are: reliability status, secret clearance, and top secret clearance.

Segregation of duties: The principle of separating key job functions (duties) within a business process among multiple individuals and work groups to mitigate the risk of fraud, error, and misuse.

Standard account: An account that conforms to the CRA's user account standard of three alpha characters followed by three numeric characters, such as "ABC123" (3A+3N), and is assigned to and used by one individual. Generic, system, and exception accounts are not standard accounts.

System Access Definition Catalogue: Central repository for branch authorities that provides descriptions and details of their system access permissions associated with the organization's various computing environments (such as PROTECTED).
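The glossary above defines the checks an access review turns on: the 3A+3N standard account format, an accountable individual per account, timely access review and certification, and segregation of duties. The following is an added example, not part of the audit report or of any CRA system, showing how those checks can be run mechanically over an access extract. The account IDs, owners, role names, review dates, the 180-day review interval and the segregation-of-duties conflict matrix are all constructed for illustration; the CRA's actual roles, conflict rules and review frequency are not stated on this page.

```python
import re
from collections import defaultdict
from datetime import date

# CRA standard account format from the glossary: three alpha followed by three
# numeric characters (3A+3N). Upper-case letters are assumed here.
STANDARD_ACCOUNT = re.compile(r"^[A-Z]{3}[0-9]{3}$")

# Hypothetical segregation-of-duties conflict matrix: role pairs that one
# individual should not hold at the same time. Role names are constructed.
SOD_CONFLICTS = {
    frozenset({"account_provisioner", "access_approver"}),
    frozenset({"payment_initiator", "payment_approver"}),
}

# Constructed sample access extract. "owner" is the accountable individual
# (None for a shared or generic account); "last_certified" is the date a
# manager last completed access review and certification for the account.
ACCOUNTS = [
    {"id": "ABC123", "owner": "user-1", "roles": {"payment_initiator"},
     "last_certified": date(2021, 1, 15)},
    {"id": "PAYADM01", "owner": "user-1", "roles": {"payment_approver"},
     "last_certified": date(2021, 1, 15)},
    {"id": "XYZ789", "owner": "user-2",
     "roles": {"account_provisioner", "access_approver"},
     "last_certified": date(2021, 2, 1)},
    {"id": "DBA_SHARED", "owner": None, "roles": {"dba"}, "last_certified": None},
    {"id": "QRS456", "owner": "user-3", "roles": {"payment_approver"},
     "last_certified": date(2020, 3, 1)},
]


def is_standard_account(account_id):
    """True if the ID matches the 3A+3N standard account pattern."""
    return STANDARD_ACCOUNT.match(account_id) is not None


def sod_conflicts(roles):
    """Return the conflict-matrix pairs fully contained in a role set."""
    return {pair for pair in SOD_CONFLICTS if pair <= roles}


def review_overdue(last_certified, as_of, max_days):
    """Never certified, or certified more than max_days ago, is overdue."""
    return last_certified is None or (as_of - last_certified).days > max_days


def pair_label(pair):
    return "+".join(sorted(pair))


def audit_accounts(accounts, as_of, max_review_days=180):
    """Return (subject, finding) tuples for one review cycle.

    Per-account findings use the account ID as subject. Cross-account SoD
    conflicts (one owner holding conflicting roles on different accounts,
    which the glossary notes is a non-standard situation) use the owner as
    subject and are reported only when no single account already carries
    that conflict.
    """
    findings = []
    roles_by_owner = defaultdict(set)
    reported_by_owner = defaultdict(set)
    for acct in accounts:
        acct_id, owner, roles = acct["id"], acct["owner"], acct["roles"]
        if not is_standard_account(acct_id):
            findings.append((acct_id, "non-standard-account"))
        if owner is None:
            findings.append((acct_id, "no-accountable-owner"))
        else:
            roles_by_owner[owner] |= roles
        for pair in sod_conflicts(roles):
            findings.append((acct_id, "sod-conflict:" + pair_label(pair)))
            if owner is not None:
                reported_by_owner[owner].add(pair)
        if review_overdue(acct["last_certified"], as_of, max_review_days):
            findings.append((acct_id, "certification-overdue"))
    for owner, roles in roles_by_owner.items():
        for pair in sod_conflicts(roles) - reported_by_owner[owner]:
            findings.append((owner, "sod-conflict-across-accounts:" + pair_label(pair)))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_accounts(ACCOUNTS, date(2021, 6, 1)):
        print(f"{subject:12} {finding}")
```

Run as-is, the sample flags the shared DBA account (non-standard ID, no accountable owner, never certified), the long-uncertified QRS456, the in-account conflict on XYZ789, and user-1's conflict that only becomes visible once roles are aggregated across that person's two accounts. In practice the conflict matrix and review interval would come from the organization's own segregation-of-duties rules and certification policy rather than from constants in the script.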
