Joiners/Movers/Leavers (JML)

The “Joiners/Leavers/Movers” (JML) process is one that should be applied in any organisation and is a simple and easy way to maintain good access control on a daily basis. It involves creating a business-as-usual (BAU) method for dealing with the access of any user who joins, leaves or moves within a company. The process is a daily effort to counter all kinds of excessive access. As discussed in my other sections, it fits in nicely with user recertification: recertification checks the access of all users on a system every 3 or 6 months, whereas the JML process helps ensure, as an ongoing effort, that the number of users with incorrect access is kept to a minimum.

When you first complete a recertification of an application that has never been recertified before, you could expect to see up to 90% of the user population removed; on average it is about 40%. When this is run again in 6 months, you would hope that this number has come down to about 5% (ideally 0%) thanks to a good JML process. The JML process will ensure that when a user leaves the company, all their access is removed. If a user moves within a company, this should be treated as a “remove” and then an “add”, so that all their old access is fully removed before their new access is created. This stops “Segregation of Duties” conflicts from occurring. Recertification is a “back-up” to a good JML process that will capture anyone who has slipped through the net.
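A constructed Python model of the lifecycle described above (an added example, not part of the original text): a move handled as “remove then add” leaves nothing for recertification to find, while a move that only adds leaves the old entitlements behind and creates a segregation of duties conflict. The roles, entitlement names, user names and the `run_scenario` event stream are all hypothetical.

```python
# Constructed role catalogue (hypothetical names): role -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "payments_clerk": {"payments.create"},
    "payments_approver": {"payments.approve"},
}
# Pairs that must never be held by one account (segregation of duties).
SOD_CONFLICTS = [("payments.create", "payments.approve")]

class AccessStore:
    def __init__(self):
        self.roles = {}   # user -> current role (None once they have left)
        self.grants = {}  # user -> entitlements actually live on the account

    def joiner(self, user, role):
        self.roles[user] = role
        self.grants[user] = set(ROLE_ENTITLEMENTS[role])

    def leaver(self, user):  # a leaver loses everything; record kept for audit
        self.roles[user] = None
        self.grants[user] = set()

    def mover(self, user, new_role, remove_then_add=True):
        # Good JML: a move is a "remove" then an "add". The weak form only adds.
        if remove_then_add:
            self.grants[user] = set()
        self.roles[user] = new_role
        self.grants[user] |= ROLE_ENTITLEMENTS[new_role]

    def recertify(self):
        # Entitlements each user holds beyond what their current role justifies.
        excess = {}
        for user, held in self.grants.items():
            extra = held - ROLE_ENTITLEMENTS.get(self.roles[user], set())
            if extra:
                excess[user] = extra
        return excess

    def sod_violations(self):  # users holding both halves of a toxic combination
        return {u for u, held in self.grants.items()
                for a, b in SOD_CONFLICTS if {a, b} <= held}

def run_scenario(remove_then_add):
    """Constructed event stream: (excess access, SoD violators, % of users wrong)."""
    store = AccessStore()
    store.joiner("alice", "payments_clerk")
    store.joiner("carol", "payments_approver")
    store.mover("alice", "payments_approver", remove_then_add)  # clerk -> approver
    store.leaver("carol")
    excess = store.recertify()
    return excess, store.sod_violations(), 100 * len(excess) // len(store.grants)
```

Running `run_scenario(True)` reports no excess access, while `run_scenario(False)` shows the mover still holding `payments.create` alongside `payments.approve`, which is exactly the case a later recertification has to clean up.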

I’ve set up large-scale JML processes in many banks, across multiple applications and systems. This involves working with both the business and technical teams. With the business, I have helped educate them as to the importance of this process and how it is their responsibility to do this task, along with supplying tools and methods to make this task as easy as possible for them. With the technical teams, I have worked with them to again educate them about the importance of setting up users and also the risks that are created if this is not followed, so that they can understand for themselves the importance of the process. This process works really well on its own; however, when matched up with full RBAC it is a very robust access control method.