What is recertification?
...
...
...
...
...
...
...
The organization has a periodic recertification procedure for access to its apps, databases, and other resources. In recertification, a manager, responsible party, or system owner certifies users' access to a system to guarantee they have access only to what they require. Recertification and attestation are different terms for the same thing. GRC (governance, risk, and compliance) is a collection of rules and procedures that enable firms to achieve their business goals, deal with uncertainty, and behave with integrity. The goal of recertification is to present the system data to the auditors and to ensure that there are no nonconformity findings during audits.
...
...
...
Why is recertification needed?
Implementing a recertification procedure can safeguard a corporation from potential security breaches and fines. Recertification is already mandated by law in the IAM context.
...
...
...
Therefore, to minimize the risk from all risky access, we should be able to certify and recertify regularly that the access is still needed. For example, is this user account still needed? If a user has already resigned from the company, the user account should not be active. These kinds of potential risks are checked and minimized with the help of recertification at regular intervals.
What is a recertification audit?
An access recertification audit is the review of user access rights to see whether they are appropriate and comply with the organization's internal rules and compliance standards. Recertification is often implemented as an audit.
An audit can be considered a project with a start date and an end date. A single audit can certify multiple items. For example, in a Q1 audit, we might want to certify an external partner identity and attest a member of certain high-risk management roles. These items are specified in one or more recertification policies. EmpowerID maintains an audit trail of these access snapshots and the decisions made concerning the access. EmpowerID recertification audits can be scheduled to run periodically, such as quarterly, monthly, weekly, or daily, or can be run at will.
What is the recertification policy?
...
...
...
...
...
EmpowerID provides a collection of useful recertification policy types to suit the purpose of a Recertification Audit.
Recertification in EmpowerID
EmpowerID provides a powerful attestation and recertification platform that allows any organization to take a more proactive approach to rectify potential security issues before they occur through crafting EmpowerID audits and recertification policies. Combining recertification policies with EmpowerID's robust reporting capabilities allows organizations to create a more thorough and effective resource management strategy.
Auditors can also designate audits as either one-time or ongoing audits. A snapshot of user access and entitlements is obtained when the initial audit begins. This first snapshot creates an irreversible record of your company's security at that moment. Business requests are produced as a result, and EmpowerID's process-driven approach keeps both users and the work required moving forward to ensure timely completion and correct audit outcomes.
The primary building blocks of recertification are depicted in the overview diagram below.
...
For recertification to work in EmpowerID, the following steps are needed.
...
Pre-requisite jobs should be started and running - The recertification engine jobs must be running for the recertification to complete successfully.
...
Create recertification policy - The frequency with which users must validate their requirement for a resource or membership is defined by a recertification policy. The policy also specifies what happens if the receiver refuses or does not reply to the request for recertification. Recertification policies employ a set of alerts to kick off the recertification process's workflow operations.
...
...
...
...
...
...
...
Add recertification policies to the recertification audit - An audit needs a recertification policy and its targets so that compiling the audit can generate at least one business request.
...
Enable and compile the audit - The recertification engine requires the created audit to be enabled so that it can be compiled.
...
Check business requests are generated - Compiling a recertification audit must generate at least one business request.
...
Check fulfillment is done - The completion of decisions made related to access in EmpowerID systems based on an audit outcome is known as fulfillment.
...
Verify the result of recertification - You need to verify that the result of the recertification is correct.
To maintain the integrity of recertification reviews, users cannot recertify themselves. In other words, a user who can create a recertification policy cannot certify that policy. This feature prohibits the EmpowerID admin user from participating in the review process.
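A minimal model of the audit flow described in the steps above, added here as an illustration; it is not EmpowerID code or its API, and every class, field and sample value is an assumption constructed for the example. It shows a snapshot compiled into review requests, the rule that users cannot recertify themselves, and the policy's no-reply action applied at fulfillment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)           # frozen: a snapshot row cannot change after capture
class Entitlement:
    user: str
    resource: str
    manager: str                  # default reviewer for this user's access

@dataclass(frozen=True)
class Policy:                     # hypothetical shape, not EmpowerID's schema
    name: str
    on_no_reply: str              # "certify" or "revoke" when nobody answers
    fallback_reviewer: str        # used when the default reviewer is the user

def compile_audit(snapshot, policy):
    """Create one review request per snapshot row with an independent reviewer."""
    requests = []
    for e in snapshot:
        reviewer = e.manager if e.manager != e.user else policy.fallback_reviewer
        if reviewer == e.user:
            raise ValueError(f"no independent reviewer for {e.user}")
        requests.append({"item": e, "reviewer": reviewer})
    return requests

def fulfill(requests, decisions, policy):
    """Turn decisions into actions; unanswered items get the policy default."""
    actions = []
    for r in requests:
        e = r["item"]
        decided_by, verdict = decisions.get((e.user, e.resource), (None, None))
        if decided_by != r["reviewer"]:
            verdict = None        # only the assigned reviewer's decision counts
        if verdict is None:
            verdict = policy.on_no_reply
        actions.append((e.user, e.resource,
                        "keep" if verdict == "certify" else "revoke"))
    return actions

# Constructed sample data (not from a real system).
SNAPSHOT = (Entitlement("alice", "finance-db", "bob"),
            Entitlement("bob", "finance-db", "bob"),    # own manager on record
            Entitlement("carol", "hr-app", "bob"))
POLICY = Policy("Q1 high-risk access", on_no_reply="revoke",
                fallback_reviewer="erin")
DECISIONS = {("alice", "finance-db"): ("bob", "certify"),
             ("bob", "finance-db"): ("bob", "certify")}  # self-certification attempt

if __name__ == "__main__":
    for action in fulfill(compile_audit(SNAPSHOT, POLICY), DECISIONS, POLICY):
        print(action)
```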
...
...