Leadline Inc.
Control Requirements

LS-04: External User Account Management

Approval process for external user account changes or user entity responsibility for access controls

Control Description

"Requests to add, modify, and/or remove external user accounts must be approved by an authorized client representative prior to the change being made.

OR

Add the following CUEC:

To the extent user entities have Administrative access to Company terminals and systems, including access via the Internet, each user entity is responsible for establishing and maintaining adequate controls over physical and logical access at the user entity's location. Each user entity is responsible for the provisioning and deprovisioning of access to the in-scope applications and related databases."

Plain Meaning

This control provides two options: either implement an approval process where external user account changes require client representative approval, OR establish that user entities are responsible for managing their own access controls and account provisioning/deprovisioning.

Implementation

Option 1: Client Approval Process

Approval Workflow

  1. Request Submission: External user submits account change request
  2. Client Approval: Authorized client representative reviews and approves
  3. Implementation: IT team implements approved changes
  4. Documentation: Record all approvals and changes
  5. Verification: Confirm changes were implemented correctly

Approval Requirements

  • All external user account changes require client approval
  • Maintain approval records for audit purposes
  • Define who qualifies as "authorized client representative"
  • Establish timeframes for approval and implementation

Simple Implementation

  • Use email-based approval process
  • Create approval templates with required information
  • Store approval emails in designated folder
  • Implement changes only after receiving approval
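The audit trail that Option 1 requires can be checked mechanically: every account change should map to a prior approval from an authorized representative, made within the agreed window. The script below is an added example, not part of the Leadline control text; the record formats, the representative list, the five-day window and the sample records are all constructed for illustration.

```python
"""Reconcile external account changes against client approvals (LS-04)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Approval:
    request_id: str
    approver: str          # expected to be an authorized client representative
    approved_at: datetime

@dataclass
class AccountChange:
    request_id: str
    account: str
    action: str            # "add", "modify" or "remove"
    changed_at: datetime

AUTHORIZED_REPS = {"alice@client.example"}   # constructed representative list
MAX_LAG = timedelta(days=5)                  # assumed implementation window

def find_exceptions(changes, approvals):
    """Return (change, reason) pairs for changes that violate the control."""
    by_id = {a.request_id: a for a in approvals}
    exceptions = []
    for c in changes:
        a = by_id.get(c.request_id)
        if a is None:
            exceptions.append((c, "no approval record"))
        elif a.approver not in AUTHORIZED_REPS:
            exceptions.append((c, "approver not authorized"))
        elif a.approved_at > c.changed_at:
            exceptions.append((c, "change made before approval"))
        elif c.changed_at - a.approved_at > MAX_LAG:
            exceptions.append((c, "implemented after the agreed window"))
    return exceptions

# Constructed sample records: one clean case and four distinct failures.
SAMPLE_APPROVALS = [
    Approval("REQ-1", "alice@client.example", datetime(2024, 3, 1, 9, 0)),
    Approval("REQ-3", "bob@client.example", datetime(2024, 3, 3, 9, 0)),
    Approval("REQ-4", "alice@client.example", datetime(2024, 3, 5, 12, 0)),
    Approval("REQ-5", "alice@client.example", datetime(2024, 3, 1, 9, 0)),
]
SAMPLE_CHANGES = [
    AccountChange("REQ-1", "ext.user1", "add", datetime(2024, 3, 1, 14, 0)),
    AccountChange("REQ-2", "ext.user2", "modify", datetime(2024, 3, 2, 10, 0)),
    AccountChange("REQ-3", "ext.user3", "remove", datetime(2024, 3, 3, 11, 0)),
    AccountChange("REQ-4", "ext.user4", "add", datetime(2024, 3, 5, 8, 0)),
    AccountChange("REQ-5", "ext.user5", "modify", datetime(2024, 3, 10, 9, 0)),
]

if __name__ == "__main__":
    for change, reason in find_exceptions(SAMPLE_CHANGES, SAMPLE_APPROVALS):
        print(f"{change.request_id} {change.action} {change.account}: {reason}")
```

Each exception line is an item the auditor would ask about; a clean run is the evidence that approvals preceded every change.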

Option 2: User Entity Responsibility

User Entity Controls

  • User entities manage their own access controls
  • User entities handle account provisioning/deprovisioning
  • Company provides access to systems and applications
  • User entities maintain physical and logical security

Implementation Approach

  • Document user entity responsibilities clearly
  • Provide access management tools to user entities
  • Establish communication channels for access requests
  • Monitor user entity compliance with security requirements

Key Success Factors

  1. Clear Process: Well-defined approval or responsibility assignment
  2. Documentation: Maintain records of all account changes
  3. Timeliness: Implement changes within reasonable timeframes
  4. Verification: Confirm changes were implemented correctly
  5. Audit Trail: Complete record of approvals and actions taken

Common Pitfalls to Avoid

  • No Approval Process: Missing formal approval for account changes
  • Unclear Responsibilities: User entities don't understand their obligations
  • No Documentation: Missing records of approvals and changes
  • Delayed Implementation: Changes not implemented promptly
