Access Certification

Access certification is a regulatory compliance requirement. Data Protection Officers typically require in their security policies that organizations review and certify access periodically, and at least annually, to validate who has access to sensitive corporate information and to the personal data of employees and customers, and whether that access is still appropriate. Consider the following regarding access controls:

  • Systems must grant the right users the right access, and only for the right period of time.
  • Organizations must be able to produce auditable evidence that these controls are in place and effective. For example, Section 404 of the Sarbanes-Oxley Act in the US requires management to assess the effectiveness of internal controls over financial reporting on an annual basis.
  • Organizations must be able to report which users currently have, and which users previously had, access to sensitive data.

Meeting these requirements can be challenging, as users often have access to a variety of systems, each with its own roles and entitlements defined independently of the others.

Access Certification Considerations

Access certification is a process by which business stakeholders are periodically invited to review entitlements, sign off on entitlements that appear reasonable, and flag questionable entitlements for possible removal. There are several considerations for access re-certification:

  • Discovery - Before entitlements can be reviewed, they have to be collected from systems and applications and mapped to users. Technical identifiers (group names, role codes, permission flags) should be replaced by plain-language descriptions that reviewers can understand. Since entitlements change all the time, discovery should be a regularly scheduled, automated process, not a one-time data load.
  • Identify reviewers - A list of reviewers and approvers must be documented in advance for a quick access review turnaround. Options include user managers, who are asked to review their subordinates; application or data owners, who are asked to review the lists of users who can access their applications or data; and security officers, who are asked to review high-risk entitlements.
  • Review timing and frequency - The frequency may vary with the business risk posed by the entitlements in question; high-risk entitlements warrant more frequent review than low-risk ones.
  • Types of entitlements - The highest-level review is of employment status: confirm that users are still employed and whether any of their system access remains active after they leave. More granular reviews may audit roles and individual entitlements.
  • Entitlement review - The scope of the access audit must be defined in the planning phase. Not every entitlement poses a significant business risk, so the risk level of each entitlement must be determined; this forms the basis for deciding whether to review it and how often.
  • Denied entitlements - Reviewers may flag entitlements as inappropriate, in which case action must be taken. The access recertification process must define the course of action (for example, revocation, or escalation when a reviewer does not respond) when access attributes must be changed.
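The procedure the list above describes, carried through end to end as an added worked example (Python on constructed data; this is not tooling from the original article or from Identity Management Institute): discovery maps raw connector output to users and swaps technical names for readable descriptions, the employment-status check turns terminated and orphan accounts into immediate revocations, risk tiers set in planning decide what is due this cycle, due items are routed to the user's manager and, for high-risk entitlements, to the application owner as well, and reviewer verdicts become remediation actions. The roster, catalog, system names, review cadences and verdicts are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Review cadence by risk tier (assumed policy: high quarterly, medium semiannual, low annual).
CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}

# Constructed HR roster; the employment-status check runs against it.
ROSTER = {
    "alice": {"manager": "dana", "status": "active"},
    "bob":   {"manager": "dana", "status": "terminated"},
    "carol": {"manager": "eve",  "status": "active"},
}

# Constructed catalog: technical name -> (plain-language description, owning app, risk tier set in planning).
CATALOG = {
    ("ad",  "CN=Domain Admins"): ("Full administrative control of the Windows domain", "ad", "high"),
    ("ad",  "CN=VPN-Users"):     ("Remote VPN access", "ad", "low"),
    ("db",  "payroll_rw"):       ("Read/write access to payroll records", "payroll", "high"),
    ("db",  "reports_ro"):       ("Read-only access to reporting tables", "payroll", "medium"),
    ("crm", "sales_rep"):        ("Standard CRM sales role", "crm", "low"),
}
APP_OWNERS = {"ad": "itops", "payroll": "hr_director", "crm": "sales_ops"}

# Constructed connector output, (system, user, raw entitlement), as a scheduled discovery job would collect it.
DUMPS = [
    ("ad",  "alice",   "CN=Domain Admins"),
    ("ad",  "alice",   "CN=VPN-Users"),
    ("ad",  "bob",     "CN=VPN-Users"),
    ("db",  "bob",     "payroll_rw"),
    ("db",  "carol",   "reports_ro"),
    ("crm", "carol",   "sales_rep"),
    ("crm", "mallory", "sales_rep"),  # no HR record at all: an orphan account
]

# Constructed campaign inputs: certification date, last certification per entitlement, reviewer verdicts.
CAMPAIGN_DATE = date(2024, 7, 1)
LAST_REVIEWED = {
    ("alice", "ad", "CN=Domain Admins"): date(2024, 3, 1),   # 122 days: past the 90-day high-risk cadence
    ("alice", "ad", "CN=VPN-Users"):     date(2024, 1, 1),   # 182 days: within the 365-day low-risk cadence
    ("carol", "db", "reports_ro"):       date(2023, 12, 1),  # 213 days: past the 180-day medium cadence
}
SAMPLE_DECISIONS = {
    ("alice", "ad", "CN=Domain Admins"): "approve",
    ("carol", "db", "reports_ro"):       "deny",
}  # carol's sales_rep role gets no verdict: the reviewer never responded

def key(rec):
    return (rec["user"], rec["system"], rec["raw"])

def discover(dumps, catalog):
    """Map raw dumps to users and swap technical names for readable descriptions.
    Anything absent from the catalog is kept and treated as high risk until classified."""
    records = []
    for system, user, raw in dumps:
        desc, app, risk = catalog.get((system, raw), (raw, system, "high"))
        records.append({"user": user, "system": system, "raw": raw,
                        "description": desc, "app": app, "risk": risk})
    return records

def scope_campaign(records, roster, last_reviewed, today):
    """Employment-status check first, then risk-based selection of what is due this cycle."""
    immediate, due = [], []
    for rec in records:
        person = roster.get(rec["user"])
        if person is None:
            immediate.append({**rec, "action": "revoke", "reason": "no HR record (orphan account)"})
        elif person["status"] != "active":
            immediate.append({**rec, "action": "revoke", "reason": "user no longer employed"})
        elif (today - last_reviewed.get(key(rec), date.min)).days >= CADENCE_DAYS[rec["risk"]]:
            due.append(rec)  # never-reviewed entitlements (date.min) are always due
    return immediate, due

def route_to_reviewers(due, roster, app_owners):
    """Per-reviewer packets: the user's manager sees every item, the app owner also sees high-risk ones."""
    packets = defaultdict(list)
    for rec in due:
        packets[roster[rec["user"]]["manager"]].append(rec)
        if rec["risk"] == "high":
            packets[app_owners[rec["app"]]].append(rec)
    return dict(packets)

def apply_decisions(due, decisions):
    """Denied -> revoke, no response -> escalate, approved -> nothing to do."""
    actions = []
    for rec in due:
        verdict = decisions.get(key(rec), "no response")
        if verdict == "deny":
            actions.append({**rec, "action": "revoke", "reason": "denied by reviewer"})
        elif verdict != "approve":
            actions.append({**rec, "action": "escalate", "reason": verdict})
    return actions

def run_campaign():
    """Run one full certification cycle on the constructed data and return each stage's output."""
    records = discover(DUMPS, CATALOG)
    immediate, due = scope_campaign(records, ROSTER, LAST_REVIEWED, CAMPAIGN_DATE)
    packets = route_to_reviewers(due, ROSTER, APP_OWNERS)
    return {"records": records, "immediate": immediate, "due": due, "packets": packets,
            "remediation": apply_decisions(due, SAMPLE_DECISIONS)}

if __name__ == "__main__":
    print(run_campaign()["remediation"])
```

Running run_campaign() on the constructed data yields three immediate revocations (both of bob's entitlements, because HR lists him as terminated, and mallory's CRM role, because no HR record exists for that account), three entitlements due for review, and two remediation actions from the verdicts. Two design choices matter for evidence quality: an entitlement missing from the catalog is never silently dropped but kept and treated as high risk until someone classifies it, and a reviewer who never responds produces an escalation rather than an implicit approval, so every item in the campaign ends with a recorded outcome.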

Consider a leading access certification from Identity Management Institute.