Access certification is a regulatory compliance requirement
and Data Protection Officers demand in
their security policies that organizations perform access review and
certification periodically but at least annually to validate who has access to
sensitive corporate information and personal data of employees and customers
and whether access is appropriate. Consider
the following regarding access controls:
- Systems must provide appropriate access to the
right users and within the right periods of time.
- Organizations must be able to provide auditable
evidence that these controls are in place and effective. For example, Section
404 of the Sarbanes-Oxley Act in the US specifically states that management
must assess the effectiveness of internal controls on an annual basis.
- Organizations must be able to report which users
currently have and had in the past, access to sensitive data.
Meeting these requirements can be challenging as users often
have access to a variety of systems with unique roles established in each
Access Certification Considerations
Access certification is a process by which business
stakeholders are periodically invited to review entitlements, sign-off on
entitlements that appear to be reasonable and flag questionable entitlements
for possible removal. There are several considerations for access re-certification:
- Before entitlements can be reviewed, they have to be collected from systems
and applications and mapped to users. Technical information should be replaced
by simple descriptions that reviewers can understand. Since entitlements change
all the time, discovery process should be a regularly scheduled, automated, and
not be a one-time data load.
reviewers - A list of reviewers and approvers must be documented for a
quick access review turnaround. Options include user managers
who are asked to review their subordinates, application or data owners who are
asked to review lists of users who can access their applications or data, and,
security officers who are asked to review high risk entitlements.
timing and frequency - The frequency may vary with the business risk posed
by the entitlements in question.
- Types of
entitlements - The highest level review is of employment status to make
sure users are still employed and whether their access to any systems remain
active. More granular reviews may be considered to audit roles and entitlements.
review - The scope of the access audit
must be identified in the planning phase. For example, not every entitlement
poses a significant business risk. Some determination must be made of the risk
level posed by each entitlement, as this forms the basis for deciding whether
to review it and how often.
entitlements - Reviewers may flag entitlements as inappropriate, in which
case action must be taken. The access recertification process must propose a
course of action when access attributes must be changed.
Consider a leading access certification from Identity Management Institute.