Recertification Overview


Recertification is the process of regularly reviewing and verifying user access rights to ensure they align with the user's role, company policies, and regulations. For example, in the account validity recertification process, a responsible person (manager, supervisor, responsible party, or other designated person) checks the user's account and decides whether this account should continue to exist. It is an important component of governance, risk, and compliance (GRC) programs, as it helps organizations meet regulatory requirements, mitigate security risks, and prevent data breaches. Depending on the industry and the regulations that apply to the organization, recertification may need to be performed at a fixed interval, such as annually or semi-annually.

Recertification is necessary to ensure that only authorized personnel have access to the enterprise's data, to minimize the risk from high-risk access, and to prevent potential security breaches. Recertification is not just about checking and validating unauthorized access. A company also wants risk management in place to prevent people from accumulating toxic combinations of access that could be a risk to the company. For example, a person might get access to create a purchase order and to approve the same purchase order. This is a toxic combination of access and a potential risk to the company.
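The purchase-order example above is a separation-of-duties (SoD) rule: two entitlements that are harmless alone but toxic together. The following added example (not EmpowerID code; the snapshot, entitlement names and rule names are all constructed for illustration) shows the two checks a governance engine performs with such rules: a detective scan over a snapshot of current access, and a preventive check that answers whether granting one more entitlement would complete a toxic combination.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample snapshot: who currently holds which entitlements.
SNAPSHOT: Dict[str, Set[str]] = {
    "alice": {"PO_Create", "PO_Approve", "Reports_Read"},
    "bob": {"PO_Create", "Reports_Read"},
    "carol": {"PO_Approve", "Vendor_Create", "Vendor_Pay"},
    "dave": {"Reports_Read"},
}


@dataclass(frozen=True)
class SodRule:
    """A toxic combination: holding every entitlement in the set is a violation."""
    name: str
    entitlements: FrozenSet[str]


# Hypothetical SoD rules, modelled on the purchase-order example in the text.
SOD_RULES: List[SodRule] = [
    SodRule("PurchaseOrder_CreateAndApprove", frozenset({"PO_Create", "PO_Approve"})),
    SodRule("Vendor_CreateAndPay", frozenset({"Vendor_Create", "Vendor_Pay"})),
]


def find_toxic_combinations(snapshot: Dict[str, Set[str]],
                            rules: List[SodRule]) -> List[Tuple[str, str]]:
    """Detective check: return (user, rule name) for every user who holds all
    entitlements of a rule. Users are visited in sorted order so the result is stable."""
    findings: List[Tuple[str, str]] = []
    for user, held in sorted(snapshot.items()):
        for rule in rules:
            if rule.entitlements <= held:          # subset test: rule fully satisfied
                findings.append((user, rule.name))
    return findings


def would_create_toxic_combination(snapshot: Dict[str, Set[str]], rules: List[SodRule],
                                   user: str, new_entitlement: str) -> List[str]:
    """Preventive check used at request time: which rules would be violated if
    `user` were additionally granted `new_entitlement`? Only rules that the new
    entitlement itself completes are reported, so pre-existing violations are not
    blamed on an unrelated request."""
    held = snapshot.get(user, set()) | {new_entitlement}
    return [r.name for r in rules
            if new_entitlement in r.entitlements and r.entitlements <= held]


if __name__ == "__main__":
    for user, rule in find_toxic_combinations(SNAPSHOT, SOD_RULES):
        print(f"{user}: holds toxic combination {rule}")
    # bob already creates purchase orders; approving them too would close the loop
    print("bob + PO_Approve ->", would_create_toxic_combination(SNAPSHOT, SOD_RULES, "bob", "PO_Approve"))
```

The detective scan is what an access recertification audit presents to reviewers; the preventive check is what an access request workflow runs before the access is ever granted, which is the cheaper place to stop a toxic combination.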

EmpowerID provides a powerful recertification platform that allows any organization to take a more proactive approach and address potential security issues before they occur. With the recertification features provided by EmpowerID, organizations can automate the process of collecting access data, presenting it to auditors, reviewing and verifying it, and removing user access rights that are no longer justified.

Recertification Policy & Recertification Audit

A Recertification Policy is a set of guidelines and procedures that an organization establishes to ensure that access rights are regularly reviewed and verified to align with the user's role, company policies, and regulations. The policy outlines what access rights will be reviewed and how, who is responsible for the review, and what type of access should be recertified. With a Recertification Policy in EmpowerID, you can define:

  • Type of access to recertify.

  • Default decisions for unattended recertification requests.

  • Who/What to recertify?

  • Which data/access to recertify?

Recertification policies of different types can be created in the EmpowerID system, and they are reusable. For example, an audit might need to certify external partner identities and the members of certain high-risk management roles. These items are specified in one or more recertification policies, which can later be attached to an audit.

The review of user access rights to see if they are appropriate and correspond to the organization's internal rules and compliance standards is known as an Access Recertification Audit. The recertification is implemented as an Audit that collects data based on the configuration of the attached recertification policies. EmpowerID collects data about user access rights, including permissions to access sensitive data or systems, and routes the information for review to authorized Auditors such as managers, role owners, or data owners. The auditors can identify and address any discrepancies or issues with user access rights and ensure that access rights comply with company policies, regulations, and industry standards. The collected data supports recertifying the access or revoking it. The access data generated in an audit is a snapshot, meaning it represents the state at the moment it was captured and does not change afterwards. EmpowerID maintains an audit trail of these access snapshots and of the decisions made concerning the access.

The recertification policy defines the rules and procedures for reviewing access rights, whereas the recertification audit is the actual review of access rights against company policies and regulations. Since recertification of access is a continuous process, EmpowerID recertification audits can be scheduled to run periodically, such as quarterly, monthly, weekly, or daily, or they can be run on demand.

Recertification in EmpowerID

EmpowerID provides a powerful attestation and recertification platform that allows any organization to take a more proactive approach to rectify potential security issues before they occur through crafting EmpowerID audits and recertification policies. Combining recertification policies with EmpowerID's robust reporting capabilities allows organizations to create a more thorough and effective resource management strategy.

Auditors can also designate audits as either one-time or ongoing audits. A snapshot of user access and entitlements is taken when the initial audit begins. This first snapshot creates an irreversible record of your company's security posture at that moment. Business requests are generated from this snapshot, and EmpowerID's process-driven approach keeps both the users and the work required moving forward to ensure timely completion and correct audit outcomes.
The primary building blocks of recertification are depicted in the overview diagram below.

For recertification to work in EmpowerID, the following steps are needed.

  1. Prerequisite jobs must be running - Ensure that the following jobs are enabled and running:

    • Attestation Policy Compiler Job

    • Business Request Fulfillment Job

  2. Create a recertification policy - A recertification policy defines how often users must validate their requirement for a resource or membership. The policy also specifies what happens if the recipient refuses or does not reply to the recertification request. Recertification policies employ a set of alerts to kick off the workflow operations of the recertification process.

  3. Add target(s) to the recertification policy - The recertification policy targets define the recertification scope. Recertification policies may target many resources and memberships. For example, a target determines whether the recertification audit covers the employees of a particular city or the entire organization.

  4. Add an Item Type Scope (data) - Adding an Item Type Scope to the recertification policy configures what data should be collected for recertification. Adding targets configures who or what to recertify, whereas the Item Type Scope determines which data or access to recertify.

  5. Create a recertification audit - An audit is the end-to-end implementation of a recertification.

  6. Add recertification policies to the recertification audit - An audit needs a recertification policy and its targets so that compiling the audit can generate at least one business request.

  7. Enable and compile the audit - The recertification engine requires the created audit to be enabled so that it can be compiled.

  8. Check that business requests are generated - Compiling the recertification audit must generate at least one business request.

  9. Check that fulfillment is done - Fulfillment is the application in EmpowerID systems of the access decisions that resulted from the audit.

  10. Verify the result of the recertification - Verify that the outcome of the recertification is correct.
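To make the relationship between policy, targets, item type scope, snapshot, business requests, default decisions and fulfillment concrete, here is an added model of the procedure above. It is illustrative code written for this page, not EmpowerID's implementation or API: the class names, the `Externals` and `Berlin-Roles` policies, the people, the access items and the deadlines are all constructed. It does show the properties the text relies on: the snapshot is frozen at compile time, each policy's default decision applies only to unattended requests after its deadline, and only requests whose final decision is Revoke reach fulfillment.

```python
import copy
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Person:
    login: str
    location: str
    person_type: str              # "Employee" or "External"


@dataclass(frozen=True)
class AccessItem:
    holder: str                   # login of the person holding the access
    item_type: str                # e.g. "GroupMembership", "ManagementRole"
    name: str


@dataclass
class RecertPolicy:
    name: str
    target: Callable[[Person], bool]   # who/what to recertify (step 3)
    item_type_scope: Set[str]          # which data/access to recertify (step 4)
    default_decision: str              # applied to requests nobody answered
    deadline: date


@dataclass
class BusinessRequest:
    policy: str
    item: AccessItem
    decision: Optional[str] = None     # "Certify" or "Revoke" once decided
    decided_by: Optional[str] = None


@dataclass
class Audit:
    name: str
    policies: List[RecertPolicy]
    snapshot: List[AccessItem] = field(default_factory=list)
    requests: List[BusinessRequest] = field(default_factory=list)
    trail: List[str] = field(default_factory=list)   # audit trail of snapshot and decisions

    def compile(self, people: List[Person], live_access: List[AccessItem]) -> int:
        """Step 7: freeze a snapshot and generate one business request per in-scope item."""
        self.snapshot = copy.deepcopy(live_access)   # later changes to live_access are not seen
        by_login = {p.login: p for p in people}
        for policy in self.policies:
            for item in self.snapshot:
                if policy.target(by_login[item.holder]) and item.item_type in policy.item_type_scope:
                    self.requests.append(BusinessRequest(policy.name, item))
        self.trail.append(f"compiled {len(self.snapshot)} items into {len(self.requests)} requests")
        return len(self.requests)

    def decide(self, index: int, decision: str, auditor: str) -> None:
        """An auditor answers one business request."""
        req = self.requests[index]
        req.decision, req.decided_by = decision, auditor
        self.trail.append(f"{auditor}: {decision} {req.item.name} held by {req.item.holder}")

    def close(self, today: date) -> int:
        """Apply each policy's default decision to its unattended requests once the
        deadline has passed. Returns how many requests were defaulted."""
        by_policy = {p.name: (p.deadline, p.default_decision) for p in self.policies}
        defaulted = 0
        for req in self.requests:
            deadline, default = by_policy[req.policy]
            if req.decision is None and today > deadline:
                req.decision, req.decided_by = default, "system-default"
                self.trail.append(f"system-default: {default} {req.item.name} held by {req.item.holder}")
                defaulted += 1
        return defaulted

    def fulfill(self) -> List[AccessItem]:
        """Step 9: the access items whose final decision was Revoke are removed."""
        revoked = [r.item for r in self.requests if r.decision == "Revoke"]
        self.trail.append(f"fulfilled: {len(revoked)} revocations")
        return revoked


def build_sample():
    """Constructed sample data for the example (not from a real system)."""
    people = [Person("alice", "Berlin", "Employee"), Person("bob", "Berlin", "External"),
              Person("carol", "Munich", "Employee")]
    access = [AccessItem("alice", "GroupMembership", "Finance-Admins"),
              AccessItem("alice", "ManagementRole", "PO-Approver"),
              AccessItem("bob", "GroupMembership", "Finance-Admins"),
              AccessItem("bob", "ApplicationRole", "Portal-User"),
              AccessItem("carol", "GroupMembership", "HR-Staff")]
    policies = [
        # externals: unattended requests default to Revoke (the safer default)
        RecertPolicy("Externals", lambda p: p.person_type == "External",
                     {"GroupMembership", "ManagementRole"}, "Revoke", date(2024, 6, 30)),
        # Berlin management roles: a Certify default keeps access if nobody answers
        RecertPolicy("Berlin-Roles", lambda p: p.location == "Berlin",
                     {"ManagementRole"}, "Certify", date(2024, 6, 30)),
    ]
    return people, access, Audit("Q2-Access-Review", policies)


if __name__ == "__main__":
    people, access, audit = build_sample()
    audit.compile(people, access)
    audit.close(date(2024, 7, 1))        # nobody answered before the deadline
    audit.fulfill()
    print("\n".join(audit.trail))
```

Note the effect of the two defaults: bob's out-of-scope `Portal-User` application role never becomes a request, his `Finance-Admins` membership is revoked because the `Externals` policy defaults to Revoke, and alice's `PO-Approver` role survives an unanswered review only because the `Berlin-Roles` policy defaults to Certify. A permissive default like that is a deliberate policy choice that weakens the control, which is why step 2 asks you to decide it explicitly.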

Recertification Policy Types
