Every large enterprise has employees who need some level of access to its critical information resources, and many also provide a wide variety of types and levels of access to contractors, partners, vendors, and customers. Each of these points of access represents a source of potential business and compliance risk.
W H I T E P A P E R Beyond the Checkbox: A Sustainable
Approach to Access Certification
DECEMBER 2007AbstractEvery large enterprise has employees who need some level of access to its critical information resources,and many also provide a wide variety of types and levels of access to contractors, partners, vendors, andcustomers. Each of these points of access represents a source of potential business and compliance risk.
The process by which access entitlements and roles are authorized, reviewed, certified, and periodi-cally recertified is critical to an organization's ability to meet compliance standards and to protect itselfagainst access-related business risks. These are both continuing challenges that require a sustainableprocess. But establishing a genuinely sustainable access certification process has proven to be difficultfor many large enterprises.
While it is relatively easy to provision new users with initial access to applications and other informa-tion resources, it is not so easy to ensure over time that their access entitlements are changed appro-priately as their duties, employment status, or contractual status changes. Today's provisioningsystems are able to handle onboarding and offboarding efficiently, but they are typically not designedto ensure that each user has just the right level of access at any given time (what is needed to do hisor her job, no more no less) or to ensure that each user's access conforms to all applicable compliancerequirements and internal policies, even as the user's functional responsibilities and relationshipswithin the organization change.
Many enterprises are still trying to manage access certification with resource-intensive or homegrownspreadsheet-based systems that are error-prone and time-consuming to develop and maintain. Withsuch systems in place, IT managers are hard-pressed to keep up with who has access to what. Busi-ness managers find themselves asked to certify user access rights without a clear understanding ofcurrent entitlements. Furthermore, the information provided to business managers to use in certifica-tion provides no context for determining whether user entitlements are appropriate for their businessroles. And internal audit and compliance teams struggle to make sure that a complex web of regula-tory requirements and company policies is adhered to, in a consistent fashion.
The result is often an unnecessarily high cost of compliance and an increased risk of compliance viola-tions, security breaches, and operational errors that can have serious consequences for an organization.
Any system capable of managing the risks associated with information access must not only be accu-rate, but also simple and manageable enough to make compliance sustainable. Fortunately, technol-ogy is now available that can enable large enterprises to achieve a successful, sustainable process by:
1.Establishing Full Visibility of User Entitlements & Roles2.Automating Authorization and Access Certification3.Providing a Business-Centric View of Entitlements in Relationship to Roles4.Maintaining a System of Record for Evidence of Compliance5.Automating Change Management and Entitlement Remediation
The benefits of such a process include:. Cost Avoidance through Access Risk Management. Cost Reduction from Process Automation. Accountability for Governing Access is Driven into the Organization
2 | A Sustainable Approach to Access CertificationIntroductionHere's a scenario that occurs every day - in one form or another - throughout the business world:
XYZ Financial Services Company, a major brokerage company, creates a new Wealth Managementdivision. XYZ staffs the new division by hiring 100 new employees and transferring 100 currentemployees from the brokerage operation. Each of the newly hired Wealth Management employ-ees is issued a desktop computer, a set of applications associated with his or her job title, and cer-tain levels of functionality within those applications, including access to the appropriatefunctionality within XYZ's new investment management system. The employees transferred fromthe brokerage side of the business are issued the same entitlements, but their access to the bro-kerage-side functionality remains active even though it is no longer needed.
This now represents not only a separation-of-duties compliance violation under GLBA, but a po-tential security problem as well.... [download for more]
