In the previous segment, we worked through the non-employee management workflows. These are a special case of user recertification and less complex, making them a good place to start.
Having built some experience and achieved a quick win, we'll now move on to discuss the full user and access recertification workflows. This has become a key control for many audits, and it's probably the most time-consuming of the controls to execute. Automating user/access recertification using an IAM product can save a lot of time and effort on the part of the access services team(s), and it will also make things easier for the reviewers.
Objective 1: Determine the appropriate scope
There are three decisions that influence scope. The first decision to be made is whether or not user recertification is needed. Sometimes it is sufficient to simply recertify access.
The ability to skip user recertification and recertify only access depends on the accuracy of the HR data being fed into identity manager. If HR is clean enough (possibly with the help of vacancy management), then it can be assumed that the right people will show up in the right job functions, and the reviewers don't need to check for this.
The second scope decision pertains to access: the scope for access recertification may be smaller or otherwise different from the scope for de/provisioning. For example, security auditors don't look at devices de/provisioned to a user, but internal financial auditors who are concerned about how money is being spent might. If automation of recertification were used purely for external audit purposes (e.g., SOX), then equipment would likely be out of scope.
The third scope decision is identifying the appropriate reviewer for the items in scope. For those roles that are well defined with role- or rule-basing, the reviewer might be the individual(s) that helped to design the roles/rules (e.g., the data owners). In the absence of role- and rule-basing, the reviewer should be the line manager.
This determination is important because the data owners tend to be more technically familiar with the system, so they can be presented with a list of permissions and they will understand what that means. Line managers will have no idea what the permissions mean, so they need to be translated into business functionality.
Objective 2: Populate the requirements list
When it comes to recertification, be clear in the requirements about what is important. Consider the following:
- Ability of the system to pull line management information from HR
- User-friendliness of the reviewer interface, including ability to display technical permissions or business translation
- Ability of the system to generate reports (and how customizable those reports are)
- Ability of the system to trigger manual or automated tasks to action the changes requested by the reviewer
- Ability of the system to handle escalations without human intervention
Objective 3: Identify prep-work
The most important prep-work that can be done in preparation for automating recertification is to generate the permission-to-business-function mapping.
Line managers don't know what MECGRP60 is, nor should they have to learn. A key advantage of a good recertification tool is the ability to translate the techno-babble into meaningful information for a line manager: MECGRP60 grants write permissions to screen X in application Y.
In some systems, this mapping is easy, if there are just a few permissions. But in most database and mainframe systems, the numbers of permissions and groups are enormous. Worse, it's likely that no one on the business or the IT side knows which permissions go with what access.
It could take a series of working sessions with business and IT working side by side to figure it all out. This could take months, but it will pay big dividends when it's done. And just as with the other cleanups we've discussed, once it's done, it's fairly easy to maintain going forward.
Other prep-work that can be done in this space includes identifying how frequently the recertifications need to be executed, and which data owners will be reviewers for what roles/rules.
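To make the reviewer routing from Objective 1, the escalation and task-generation requirements from Objective 2 and the permission-to-business-function mapping from Objective 3 concrete, here is an added example of a minimal recertification campaign builder. It is illustrative code written for this page, not the workflow of any IAM product; the HR feed, entitlements, permission names (apart from MECGRP60, which the article uses as its example), role owners and the "iam-admin" fallback are all constructed. Role-based permissions are routed to their data owner with the raw permission name, everything else goes to the line manager from HR with the business translation, unmapped permissions are flagged as prep-work gaps, and overdue items escalate to the reviewer's own manager without anyone intervening.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# All data below is constructed for this example; none of it comes from a real system.
HR_FEED = {  # user id -> HR attributes, including the line manager (assumed feed shape)
    "u1001": {"name": "Alice", "manager": "u2001", "job": "AP Clerk"},
    "u1002": {"name": "Bob", "manager": "u2001", "job": "Developer"},
    "u2001": {"name": "Carol", "manager": "u2002", "job": "Finance Manager"},
    "u2002": {"name": "Dan", "manager": None, "job": "CFO"},
}
ENTITLEMENTS = {  # user id -> technical permissions collected from target systems
    "u1001": ["MECGRP60", "FIN_DB_RO"],
    "u1002": ["MECGRP60", "LEGACY_GRP7"],
}
# Permission-to-business-function mapping: the prep-work from Objective 3 (constructed values).
PERMISSION_MAP = {
    "MECGRP60": "write access to the payment entry screen in the AP application",
    "FIN_DB_RO": "read-only reporting access to the finance database",
}
# Role-based permissions with a designated data owner who acts as reviewer (constructed).
ROLE_OWNERS = {"FIN_DB_RO": "u3001"}
FALLBACK_REVIEWER = "iam-admin"  # hypothetical queue used when there is no manager to escalate to


@dataclass
class ReviewItem:
    user_id: str
    permission: str
    reviewer: str
    reviewer_kind: str               # "data_owner" or "line_manager"
    description: str                 # what the reviewer is shown
    due: date
    decision: Optional[str] = None   # "keep", "revoke" or None while pending
    escalated_to: Optional[str] = None


def describe_for_manager(permission: str) -> str:
    """Translate a technical permission into business language; flag gaps in the mapping."""
    if permission in PERMISSION_MAP:
        return PERMISSION_MAP[permission]
    return f"{permission} (UNMAPPED: needs business translation before review)"


def build_campaign(start: date, review_days: int = 14) -> list:
    """Create one review item per (user, permission), routed to the appropriate reviewer."""
    items = []
    due = start + timedelta(days=review_days)
    for user_id, perms in ENTITLEMENTS.items():
        manager = HR_FEED[user_id]["manager"]   # line management information pulled from HR
        for perm in perms:
            if perm in ROLE_OWNERS:
                # Data owners know the system, so they can review the raw permission name.
                items.append(ReviewItem(user_id, perm, ROLE_OWNERS[perm], "data_owner", perm, due))
            else:
                # Line managers get the business translation, never the bare group name.
                items.append(ReviewItem(user_id, perm, manager, "line_manager",
                                        describe_for_manager(perm), due))
    return items


def unmapped_permissions(items) -> set:
    """Prep-work check: permissions a line manager would see without a business translation."""
    return {i.permission for i in items
            if i.reviewer_kind == "line_manager" and i.permission not in PERMISSION_MAP}


def escalate_overdue(items, today: date) -> list:
    """Escalate pending, overdue items to the reviewer's own manager with no human intervention."""
    escalated = []
    for i in items:
        if i.decision is None and today > i.due and i.escalated_to is None:
            reviewer_manager = HR_FEED.get(i.reviewer, {}).get("manager")
            i.escalated_to = reviewer_manager or FALLBACK_REVIEWER
            escalated.append(i)
    return escalated


def revocation_tasks(items) -> list:
    """Turn 'revoke' decisions into (user, permission) tasks for the de-provisioning workflow."""
    return [(i.user_id, i.permission) for i in items if i.decision == "revoke"]


if __name__ == "__main__":
    campaign = build_campaign(date(2024, 1, 1))
    for item in campaign:
        print(f"{item.reviewer:8} [{item.reviewer_kind}] {item.user_id}: {item.description}")
    print("unmapped:", unmapped_permissions(campaign))
    print("escalated:", [(i.user_id, i.permission, i.escalated_to)
                         for i in escalate_overdue(campaign, date(2024, 1, 20))])
```

Running `unmapped_permissions` before the campaign is launched is the useful part of this pattern: it turns the months-long mapping exercise into a measurable backlog, and an item that reaches a line manager with an UNMAPPED description is a sign the prep-work was not finished rather than a reviewer problem.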
In the next segment, we'll summarize this month's activity and wrap up.