...
What is recertification?
Recertification is the process of continually auditing permissions to make sure the access provided is only the access that is needed. Recertification streamlines and automates the process of revalidating a target type (account or access) or membership (role or resource group) on a regular basis. Access recertification is an information technology control that includes reviewing user access rights to see if they are proper and comply with the company's internal rules and laws.
For its apps, databases, and other resource access, the organization has a periodic recertification procedure in place. As a result of recertification, a manager or responsible party, or system owner certifies users' access to a system to guarantee that they only have access to what they require.
Recertification is a part of an organization’s governance risk and compliance activity. Recertification or attestation are different terms for the same thing. GRC (governance, risk, and compliance) is a collection of rules and procedures that enable firms to achieve their business goals, deal with uncertainty, and behave with integrity. The goal of the recertification is to present the system data to the auditors and to ensure that there are no nonconformity findings during audits.
For example, In the account validity recertification process, a responsible person (manager, supervisor, responsible party, or other designated person) checks the account of the users and decides whether this account should continue to exist or not.
Why recertification is needed?
The implementation of a recertification procedure can safeguard a corporation from potential security breaches and fines. Recertification is already mandated by law in the IAM context.
To guarantee that only authorized personnel has access to the enterprise's data, owners of key business data must verify that all application and database user entitlements and privileges are recertified on a regular basis. With access recertification, it's assured that no users have access to resources that aren't assigned to them.
Depending upon the size of the company and whether they are public or non-pubic, and the industry they are in, such as banking or finance, etc., many companies are required by law to perform recertification or attestation of access. A company would like to have risk management in place to prevent people from getting toxic combinations of access that could be a risk to the company. For example, a person might get access to create a purchase order as well as access to approve the same purchase order. This is a toxic combination of access and is a potential risk for a company.
Therefore, to minimize the risk, for all the risky accesses, we should be able to certify and recertify on a regular basis that the access is still needed. For example, is this user account still needed? if a user has already resigned from the company, the user account should not be active. These kinds of potential risks are checked and minimized with the help of recertification at regular intervals.
What is a recertification audit?
The review of user access rights to see if they are proper and correspond to the organization's internal rules and compliance standards is known as access recertification audit. The recertification is often implemented as an audit.
An audit can be considered as a project with a start date and end date. We might want to audit or certify multiple items using an audit. For example, in a Q1 audit we might want to certify, an external partner identity as well as attest a member of certain high-risk management roles. These items are specified in one or more recertification policies. EmpowerID maintains an audit trail of these access snapshots and the decisions made concerning the access. EmpowerID recertification audits can be scheduled to run periodically, such as on a quarterly or monthly basis, weekly, daily, or at will.
What is the recertification policy?
A recertification policy contains actions to ensure that users submit assurance that they have a genuine, continuous need for a particular resource or membership. As a project might have multiple deliverables, a recertification audit can have multiple recertification policies associated with it. We can create recertification policies of different types in the EmpowerID system, and these policies are reusable. For example, in an audit we might want to certify, an external partner identity as well as certify a member of certain high-risk management roles. These items are specified in one or more recertification policies.
Recertification Policies are snapshots of data that reveal the access to resources granted to people and to roles, the assignments of people to roles, and the security assignments that have been made against protected resources like Exchange mailboxes, applications, and groups. These snapshots are routed for review to authorized personnel such as managers, role owners, or data owners. The review process allows the reviewer to verify the access and certify whether it is valid. Internal processes can use this data to remediate and rectify exceptions or certify the exceptions as permitted. EmpowerID maintains an audit trail of these access snapshots and the decisions made concerning the access. This combination of Recertification Policies
EmpowerID provides a collection of useful recertification policy types.
Recertification in EmpowerID
EmpowerID provides a powerful attestation and recertification platform that gives any organization the ability to take a more proactive approach to rectify potential security issues before they occur through crafting EmpowerID audits and recertification policies. The combination of recertification policies with EmpowerID's robust reporting capabilities allows organizations to create a more thorough and effective resource management strategy.
EmpowerID Recertification Policies come in the following types.
...
Recertification Policy Type
...
Description
...
Account Validity
...
Account validity recertification policy is to certify whether an account should exist or not. Possible decisions are: certify, disable and delete.
...
Business Role and Location Membership
...
Business role and location membership policy are to certify the membership of a business role and location. Possible decisions are: certify or revoke the member.
...
Group Membership
...
The group membership recertification policy is used to certify group membership, including user and nested groups. Possible decisions are: certify, revoke or convert to just-in-time membership(pre-approved).
...
Group Validity
...
The group validity recertification policy is to certify whether a group should exist or not in the group. Possible decisions are: certify, disable and delete.
...
Management Role Access Assignment
...
The management role access assignment recertification policy is to certify the access granted to the management role, including any RBAC assignment.
...
Management Role Membership
...
The management role membership recertification policy is to certify the current members of a management role, including people, group, and business role and location.
...
Management Role Validity
...
The management role validity recertification policy is to certify the current validity of a management role. This recertification determines if the management role should exist, be "disabled,” or deleted.
...
Person Validity
...
The person validity recertification policy is used to certify the person should exist or not. Possible decisions are: certify, disable and delete.
...
Additionally, each Recertification policy runs against resources within a specific location. This allows for even greater flexibility. A policy could include as many or as few objects as desired, such as all Exchange Mailboxes within an organization or only the people assigned to a specific office room, depending on how your location hierarchy is mapped within EmpowerID. While it is possible to create a Recertification Policy that runs against every resource item in your inventory, such a policy could yield potentially millions of objects, creating a daunting and unnecessary workload for your recertification team if access to those objects has no significant security impact.
EmpowerID Recertification Policies can be scheduled to run periodically, such as on a quarterly or monthly basis, weekly, daily, or at will. When a policy is run manually or scheduled, a Recertification Review task is created for each object in the SetGroup. This allows authorized staff in an organization to review the access to resources that people within the organization have at any given time and how that access came about, whether by a direct assignment to a specific resource or through being delegated a Management Role with multiple Resources Role assignments.
...
Auditors can also designate audit as either one-time or ongoing audit. A snapshot of user access and entitlements is obtained when the initial audit begins. This first snapshot creates an irreversible record of your company's security at the moment. Business requests are produced as a result of this, and EmpowerID's process-driven approach keeps both users and the work required moving forward in order to ensure timely completion and correct outcomes of the audit.
The primary building blocks of recertification is depicted in the below overview diagram.
...
For recertification to work in EmpowerID following steps are needed.
Pre-requisite jobs should be started and running - The recertification engine jobs must be running for the recertification to complete successfully.
Create recertification policy - The frequency with which users must validate their requirement for a resource or membership is defined by a recertification policy. The policy also specifies what happens if the receiver refuses or does not reply to the request for recertification. Recertification policies employ a set of alerts to kick off the recertification process's workflow operations.
Add target(s) to recertification policy - The targets of recertification policy defines the scope of the recertification. Recertification policies may target many resources and memberships. For example, whether this recertification audit covers employees of a perticular city or entire organization.
Create recertification audit - An audit is nothing but an end to end implementation of recertification.
Add recertification policy(s) to recertification audit - An audit needs a recertification policy and its targets so that compilation of audit can generate at least one business requests.
Enable and compile the audit - The recertification engine requires the created audit to be enabled so that it can be compiled.
Check business requests are generated - There must be at least one business request generated as a result of compilation of a recertification audit.
Check fulfillment is done - The completion of decision made related to access in EmpowerID systems based on an audit outcome is known as fulfilment.
Verify the result of recertification - Need to verify that the end result of the recertification is correct.
| Page Properties | ||
|---|---|---|
| ||
To maintain the integrity of recertification reviews, users cannot recertify themselves. In other words, a user who can create a recertification policy cannot certify that policy. The EmpowerID admin user is prohibited from participating in the review process by this feature. |
...
Related
| Insert excerpt | ||||||
|---|---|---|---|---|---|---|
|