Page 146 - CISSO_Prep_ Guide
access on one system could easily translate into a security breach on other systems.
One of the most substantial challenges is password management. This includes teaching users to select good passwords, to keep them private, and not to use the same password for online banking as they use for email. When a password must be reset, the organization does not want to employ a large helpdesk staff just to reset user passwords every day. The company needs processes in place to ensure that a password reset is granted only to the correct user, not to someone masquerading as the legitimate user.
There needs to be a clear separation between users of different levels of access. This requires a system of multi-level security that is hard to design and even harder to preserve in today's complex world. There are many opportunities for covert channels or ways to bypass the security controls, so that information becomes accessible to people with the wrong level of privilege.
As internal users move around within an organization, we often see the development of "access creep", where a user's access permissions accumulate over time: they are simply granted more and more access as they move from one department to another. This is why all managers should be required to review, sign off on, and be accountable for the access levels of their staff on an annual basis. The access controls should also be enforced in a standard manner, so that new users are set up consistently, user permissions are maintained and reviewed, and old UserIDs are disabled or deleted when no longer required.
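An added example (not from the guide) of the kind of entitlement review the paragraph above calls for: it compares each user's accumulated permissions against a baseline for their current department to surface access creep, and flags UserIDs that have not logged in recently as candidates for disabling. The department baselines, user records, review date and 90-day threshold are all constructed assumptions.

```python
"""Entitlement review for access creep and stale accounts.

Added example, not the guide's own code. Role baselines, user records and
the review date are constructed sample data.
"""
from datetime import date

# Assumed role baselines: the permissions a member of each department needs.
ROLE_BASELINE = {
    "finance": {"erp_read", "erp_post", "bank_portal"},
    "marketing": {"cms_edit", "crm_read"},
    "helpdesk": {"ticketing", "ad_password_reset"},
}

# Constructed sample directory export: current department, the permissions
# accumulated over the user's career, and the last successful login.
# jsmith moved from finance to marketing but kept the finance entitlements.
USERS = [
    {"id": "jsmith", "department": "marketing",
     "permissions": {"cms_edit", "crm_read", "erp_post", "bank_portal"},
     "last_login": date(2024, 5, 2)},
    {"id": "akumar", "department": "helpdesk",
     "permissions": {"ticketing", "ad_password_reset"},
     "last_login": date(2024, 5, 3)},
    {"id": "contractor7", "department": "finance",
     "permissions": {"erp_read"},
     "last_login": date(2023, 9, 1)},
]

# Assumed date on which the annual review is run.
REVIEW_DATE = date(2024, 5, 10)


def review_access(users, baselines, today, stale_days=90):
    """Return findings for the reviewing manager.

    'creep' maps a UserID to the permissions it holds beyond its current
    department's baseline; 'stale' lists UserIDs unused for > stale_days.
    """
    findings = {"creep": {}, "stale": []}
    for user in users:
        baseline = baselines.get(user["department"], set())
        excess = user["permissions"] - baseline
        if excess:
            findings["creep"][user["id"]] = sorted(excess)
        if (today - user["last_login"]).days > stale_days:
            findings["stale"].append(user["id"])
    return findings


if __name__ == "__main__":
    result = review_access(USERS, ROLE_BASELINE, REVIEW_DATE)
    for uid, perms in result["creep"].items():
        print(f"{uid}: revoke {perms} (not in current role baseline)")
    for uid in result["stale"]:
        print(f"{uid}: disable (no login in the last 90 days)")
```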