What role-based access control (RBAC) best practices are most important when it comes to periodic reviews and updates for roles/permissions?

CISO/CPO & Adjunct Law Professor in Finance (non-banking), a year ago

Having a good control process, ideally groups and repeatable, transparent, automated processes. The process should also make reporting and tracking simple; the value will become apparent in the first audit.

CISO in Insurance (except health), a year ago

Periodic reviews and updates of roles and permissions within an RBAC system are critical to maintaining security and operational efficiency. One best practice is the principle of least privilege, ensuring that users have the minimum necessary access to perform their functions. Regularly auditing roles to identify and remove unnecessary or outdated permissions helps reduce the attack surface and prevents privilege creep. Additionally, involving business units in the review process ensures that the roles align with current organizational needs. Automating these reviews where possible, using tools that flag anomalies or changes in user roles, can streamline the process and maintain the integrity of the RBAC system. These practices are essential for keeping the system agile and secure.

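The automated review described in the answer above, as an added example that is not part of the original thread: it takes a role-to-permission map, current and last-reviewed role assignments, and a permission-usage log (all constructed sample data here), then flags permissions nobody has exercised inside the review window (least-privilege removal candidates) and role changes since the previous review (items that need an approval record). The 90-day window and the data shapes are assumptions; real inputs would come from your IdP or application exports.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical; replace with exports from your IdP/app).
ROLES = {
    "analyst": {"tickets:read", "tickets:write", "reports:read"},
    "admin": {"tickets:read", "tickets:write", "reports:read",
              "users:manage", "billing:export"},
}
ASSIGNMENTS = {"alice": {"analyst"}, "bob": {"admin"}}    # current state
LAST_REVIEW = {"alice": {"analyst"}, "bob": {"analyst"}}  # snapshot at last review
USAGE_LOG = [  # (ISO timestamp, user, permission exercised)
    ("2024-05-01T09:00:00", "alice", "tickets:read"),
    ("2024-05-02T10:00:00", "alice", "tickets:write"),
    ("2024-05-03T11:00:00", "bob", "users:manage"),
    ("2024-02-01T11:00:00", "bob", "billing:export"),  # outside the 90-day window
]

def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted through every role the user holds."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))

def unused_permissions(user, now_iso, window_days=90, log=USAGE_LOG,
                       assignments=ASSIGNMENTS, roles=ROLES):
    """Permissions the user holds but has not exercised inside the review window:
    the least-privilege candidates for removal (privilege creep)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    used = {perm for ts, u, perm in log
            if u == user and datetime.fromisoformat(ts) >= cutoff}
    return effective_permissions(user, assignments, roles) - used

def role_changes(assignments=ASSIGNMENTS, last_review=LAST_REVIEW):
    """Users whose role set differs from the last review snapshot; every entry
    should match an approved change request, so reviewers check each one."""
    changes = {}
    for user in set(assignments) | set(last_review):
        now_roles, then_roles = assignments.get(user, set()), last_review.get(user, set())
        if now_roles != then_roles:
            changes[user] = {"added": now_roles - then_roles,
                             "removed": then_roles - now_roles}
    return changes

def review_report(now_iso, assignments=ASSIGNMENTS, last_review=LAST_REVIEW):
    """One record per user, suitable as the access-review ticket or audit evidence."""
    changes = role_changes(assignments, last_review)
    return {u: {"unused": sorted(unused_permissions(u, now_iso, assignments=assignments)),
                "role_changes": changes.get(u)} for u in assignments}

if __name__ == "__main__":
    for user, row in review_report("2024-06-01T00:00:00").items():
        print(user, row)
```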
Director of IT in Energy and Utilities, a year ago

Automate as much as you can. Manual anything creates too much risk, and the consequences can quickly be dire.

Vice President in Banking, a year ago

Someone posted a similar question here. Refer to https://www.gartner.com/peer-community/post/we-looking-at-implementing-role-based-access-controls-some-our-saas-platforms-due-to-entry-emerging-markets-anyone-have-best
