In the face of stringent regulatory requirements such as SOX, HIPAA, MAR, SAS-70, GLB, PCI and others, it has become imperative for organizations to automate access certifications to have clear answers to fundamental security-related questions such as ‘Who has access to what?’ and ‘Who approved the access?’, An archive of the certification history is equally critical.
With the decision to automate comes the problem of ‘How to begin?’ and ‘Where to start?’ Following are the step-by-step approach to solving the challenge that this transition presents to organizations:
1. Identify Key Stakeholders:
The Responsibility Assignment (RACI) Matrix provides some recommendations that may be relevant to your organizational structure or culture. The matrix assigns some of the main functional areas to high-level tasks that are performed during the certification process
2. Obtain Senior Management Buy-in:
Automated access certifications are launched at an enterprise level, so the end users will range from middle management to senior executives. Given the magnitude of this project and the audience involved, senior management’s involvement is key to the adoption and success of this effort.
3. Prioritize Your Business Drivers:
Automating certifications for too many applications or target systems all at once may result in project failure. Applications to be included for access certification must be prioritized based on the business drivers or regulatory requirements that need to be addressed.
4. Develop a Communication Plan:
Communicate the changes that are about to occur in your environment. Create a certification management or certification governance team that is responsible for managing the certification process and communicating to key stakeholders and users affected by the changes.
5. Design a Certification Strategy:
Plan each and every step in the certification lifecycle.
6. Understand and manage expected business process changes:
Automation of a manual process is bound to bring various intrinsic changes in the relevant business processes prevalent in the organizations. Therefore, conduct an impact analysis to understand what business processes will be impacted as a result of this automation.
7. Represent data effectively in the access certification tool:
Most tools provide a great deal of flexibility in representing data in their central repositories. Utilize this flexibility to ensure that the data-modeling exercise does not become extremely complex.
8. Configure and launch Access Certifications:
This is the step where certifications and the associated workflows must be configured. Most tools allow designing of custom email templates, automated email notifications based on various events such as new certification launches, periodic escalations to managers’ managers, ability to configure certification views, customize labels for certifying and revoking access, adding custom labels and so on.
9. Conduct Access Clean-up:
This is one of the most critical steps in the certification process. Unless revoked access is cleaned up and terminated users removed from the systems, users will continue to retain unwanted access.
1. Centralized view: Provides an enterprise-view of ‘Who has access to what?’ and ‘Who certified the access?’
2. Quick turn-around: For the end-user, automated certification is simple, easy and fast. Certifiers prefer the look and feel of a UI-driven certification process.
3. Error minimization: Manual errors are eliminated thereby achieving the goals of compliance.
4. Lower costs: Smaller team is involved in the automated process.
5. Repeatable process: Automating access certifications facilitate a repeatable business process. This can be leveraged each time access is to be certified.
6. Providing a business-centric view of user access and their roles: Most manual certifications involve the certification of cryptic access that does not make sense to most business users.
Access certification tools provide the ability to add business friendly descriptions to the cryptic user entitlements that are to be certified. This helps the certifiers understand exactly what they are certifying to make an informed decision.
7. Demonstrating evidence for compliance: By centralizing user access across multiple platforms, and providing options to save reports and archive certifications, access certification tools help to maintain evidence for the purpose of demonstrating transparency and compliance and significantly lowers the cost of demonstrating compliance.