Monday, 30 May 2022

Your guide to creating an effective enrolment policy for users and devices

We discuss why an effective enrolment policy is important. Plus, how to go about creating the right policies and processes.

People are often said to be the “weakest link” or the “first line of defence” in your cyber strategy. But what happens when they aren’t there? But all their connected devices and accounts are? That’s why an effective enrolment policy is essential.

What happens in your organisation when someone leaves? How do you know that your data doesn’t leave with them? And how could that leave your business exposed? And what about logins and devices? What happens to those when a staff member leaves? Are you confident that none of them offer a backdoor onto your corporate network?

These questions illustrate exactly why it’s important to create an effective enrolment policy for users and devices.

In this article, we’ll use a Q&A format to discuss why it’s important. Plus, we’ll discuss how to go about creating the right policies and processes.

Why does having a clearly defined process for the onboarding and offboarding of people and things matter?

Simply, if you are going to protect your organisation from cyber risk, you need to know exactly what you are protecting.

How does an organisation come to understand what it needs to protect?

You can’t know what to protect unless you maintain a comprehensive asset register – one that is kept up to date at all times. That requires understanding when new people and things (data, services and devices) are added to your environment. And when they need to be decommissioned.

That’s where your onboarding and offboarding policies and processes come in.

What’s the best way to store this information?

The usual way to store information about your IT assets is in a configuration management database (CMDB).

A CMDB is simply a database that contains all the relevant information about all the hardware and software used in an organisation’s IT services. It will list the relationships between those components, making it really useful for understanding what will or could be affected when things go wrong.

It also usually includes data about each IT asset (or configuration item; CI), such as financial information, upgrade history and performance profile. Having visibility over assets in this way can help to reduce IT expenditure, as it provides an opportunity to reallocate or eliminate assets that aren’t being used, thereby avoiding the associated costs.

The CMDB will also be very useful if you wish to attain ISO 27001 certification because it will go a long way towards informing and building your asset register.

Getting the right information sounds like a mammoth task. How do I make a start?

When you choose to work with Grant McGregor as an IT partner, we will run a comprehensive scan of your environment and find and itemise all the devices that are connected to your network. This is an automated process that we manage for you.

It’s not uncommon at this stage to discover devices that you weren’t aware of. Usually with the information attained through this process alone, we can help you close down cyber-security vulnerabilities.

However, it is important to understand that – while this automatic network scanning goes a long way towards understanding your IT assets – it is not the whole solution.

What else do I need to do to ensure I have the right information about my organisation’s IT assets?

An automated scan isn’t the whole solution because you’ll probably find you’ll want to manually add additional information against your IT assets – for example, purchase and service information.

Secondly, automated discovery tools can’t discover items that aren’t connected to your corporate network. Which may mean that you have assets that hold corporate data or have the ability to connect to key services which aren’t discoverable.

This is one of the main reasons why any automated discovery tool must be paired with good joiners and leavers policy and an effective onboarding and offboarding process.

What should my joiners and new starters policy look like?

There are many good reasons for getting your new starters policy right.

Giving new employees a great start when they join your organisation is important. That first impression of the organisation – and its IT team – sets the tone for the whole relationship moving forward.

Ensuring staff have the right tools to do their job from day one ensures they are as productive as they can be – right from the get-go. It also makes life easier for your IT team because they won’t be dealing with extra requests and queries.

Depending on the size of your organisation, you may want to look at setting up automated notifications to inform the IT team of new starters. For example, when a new employee record is created in the HR system, this triggers an automated notification.

Creating job profiles within each department is an easy way to communicate essential requirements to IT. This way, the spec of the laptop and the various software required, for example, can be requested easily upfront.

A great way to save time when rolling out devices – whether to new starters or not – is Microsoft Autopilot. It enables a “no touch” deployment in which a device is pre-configured and installs remotely over Wi-Fi. As well as reducing the burden on your IT team, it also makes for a much better user experience.

Of course, your CMDB should be updated accordingly with all new starter information.

What should my unenrolment / leavers policy look like?

Establishing an effective leavers policy is often more complicated that running an effective new starters policy. Not least because the sense of urgency from the affected department is much lower. While they want to make a good impression on new starters, they often feel much less onus to let IT know about leavers.

It’s important, therefore, to automate whatever notifications you can and, failing that, make it easy for line managers to report anyone leaving the company. This notification needs to be made in advance of the leaving date, so IT can ensure that all physical assets are returned and all logins and access is switched off at the appropriate moment.

In particular, there should be a “hot button” notification available through which line managers can inform IT quickly about any difficult departures, where the security risk is an issue. This way, systems can be locked down quickly before any data can walk off the premises.

It may also be necessary for IT to put some other processes in place, such as the forwarding of mailboxes, so early notification of leavers is an important norm to establish throughout the organisation.

Finally, your CMDB should be updated accordingly with all relevant information. This way, licences can be reassigned or cancelled where necessary – potentially saving your organisation a lot of money.

Is there anything else I need to think about?

Yes, it’s advisable to instate some kind of movers policy as well. This way, people can’t take their rights and licences with them as they move around the company – potentially building up a huge potential cyber risk.

Your line managers and staff should have an easy way of notifying IT when their roles and requirements change.

Weaving into this – if you haven’t established it already – it’s worth including an easy way for staff to report lost or stolen devices or logins that they think may have been compromised to IT. This might include a self-service password reset.

Furthermore, you’ll need to think carefully about how you operate your joiners, movers and leavers policies for temporary or contract staff.

Do you have any additional tips to consider?

Establishing an effective enrolment and unenrolment policy across your organisation is going to involve a number of stakeholders, including IT, HR, line managers and the staff involved.

Automate whatever you can, so processes are streamlined, and make any manual request or reporting processes as easy as possible.

It is vital to keep your CMDB up to date. One way to assist with this is to run your automated network scan on a monthly basis. However, note that you will likely always require some manual intervention and auditing to ensure optimum data quality.

What next?
If you’d like any help with creating a CMDB or would like to talk to us about any of the topics or tools covered in this blog, please get in touch with our team.

You can call us on: 0808 164 4142

Book a 15-minute chat  >>>

Further reading:

Might you enjoy some of our other recent blogs?

The new password rules: a 2022 update

A guide to making hybrid work over the long term.

What Does the War in Ukraine Mean for Your Cyber Security?