
Recertification Overview


What is Recertification?

Recertification is a process that involves regularly reviewing and verifying user access rights to ensure they are consistent with the user's role, company policies, and regulatory requirements. For instance, in the context of account validity, a designated person such as a manager or supervisor checks a user's account to determine whether it should continue to be active. This process is a critical aspect of governance, risk, and compliance programs as it helps organizations comply with regulations, reduce security risks, and prevent data breaches. Depending on the industry and applicable regulations, recertification may need to be conducted periodically, such as annually or semi-annually. To carry out the recertification effectively, organizations should establish clear guidelines and procedures and ensure that responsible parties are adequately trained.

Recertification is essential to ensure that only authorized personnel have access to an organization's data, to minimize the risk of excessive or unauthorized access, and to prevent potential security breaches. However, recertification is not limited to identifying and removing unauthorized access. It is also a critical tool for effective risk management, as it helps prevent individuals from acquiring potentially harmful access combinations that could pose a threat to the organization. For instance, an individual might have the ability to both create and approve a purchase order, a toxic access combination that could be detrimental to the company. By conducting recertification, organizations can identify and eliminate these types of access combinations, thereby mitigating potential risks and enhancing their security posture.

EmpowerID offers a powerful Recertification platform that enables organizations to take a proactive approach to mitigate potential security issues before they occur. Through its recertification capabilities, EmpowerID automates the process of collecting data, presenting it to auditors, verifying user access rights, and removing inappropriate access. This helps organizations streamline their recertification process, minimize the risk of unauthorized access, and stay compliant with regulatory requirements. Additionally, EmpowerID's platform provides advanced reporting and analytics features that provide organizations with insights into their access management practices and enable data-driven decision-making. With EmpowerID's Recertification platform, organizations can enhance their security posture, safeguard their sensitive data from security breaches, and operate with confidence.

Recertification Policies and Access Recertification Audits

What are Recertification policies?

Recertification Policies are a collection of guidelines and procedures that an organization establishes to ensure that access rights are regularly reviewed and verified to align with user roles, company policies, and regulatory requirements. Policies outline which users and what access rights will be reviewed, and in EmpowerID's Recertification platform, you can define various aspects of the policy, such as:

  • The type of access that needs to be recertified.

  • Default decisions for unattended recertification requests.

  • Who or what needs to be recertified.

  • Which data or access needs to be recertified.

In EmpowerID, you can create different types of reusable recertification policies, such as certifying the identity of an external partner or reviewing the access of certain high-risk management roles during an audit. These rules can be captured in one or more recertification policies and later attached to an audit for execution.

For more information on how Recertification policy types work in EmpowerID, see Recertification Policy Types.

What are Access Recertification Audits?

An Access Recertification Audit is a process of reviewing user access rights to ensure that they are appropriate and comply with an organization's internal policies and regulatory standards. Typically, the recertification process involves conducting audits that collect data based on the configuration of associated recertification policies. This data is then forwarded to authorized auditors, such as managers, role owners, or data owners, for review and validation.

During the Access Recertification Audit, auditors can identify and address any discrepancies or issues with user access rights to ensure compliance with company policies, regulations, and industry standards. EmpowerID generates a business request item for each access, which is presented to auditors as a task to recertify the access or request its revocation. The data generated in an audit about access is a snapshot, representing the state at the time it was captured, and it does not change afterwards. EmpowerID maintains an audit trail of these access snapshots and the decisions made concerning the access.

The recertification policy outlines the rules and procedures for reviewing access rights, while the recertification audit is the actual review of access rights against company policies and regulations. Since access recertification is a continuous process, EmpowerID allows organizations to schedule recertification audits to run periodically (quarterly, monthly, weekly, or daily) or on demand. By using EmpowerID's Access Recertification Audit, organizations can automate and streamline their access review process, ensuring that access rights are regularly reviewed and validated and comply with regulatory requirements.

Recertification Architecture and Process Flow

This diagram describes the Recertification Architecture of EmpowerID. Detailed information about each process is described below the diagram.

  1. The first step in Recertification in EmpowerID is to create recertification policies, which are reusable definitions or rules that allow you to configure who and what types of access should be audited. These policies can be configured based on organizational rules, including the type, scope, and people. They can be used in multiple audits, saving time and effort compared to defining them each time.

    1. Create a Recertification Policy: Create a recertification policy that defines the type of policy and enables it for audit. You can also configure what should be done if any access recertification is unattended by the auditors.

    2. Add Target to Recertification Policy: Adding a target to a recertification policy configures who or what will be recertified. Recertification policies can target multiple resources and objects, such as a specific location, group, or resource type.

    3. Add Item Type Scope (Data) to Recertification Policy: The Item Type Scope in a Recertification Policy allows users to configure what data will be collected for Recertification. The item scope enables users to tailor the recertification process to meet their specific needs, such as specifying the collection of data only for a person's access to a group as a member.

  2. Once the policy is defined, Audits will be created by the user. An audit is an end-to-end recertification implementation, meaning the data is collected and certified during an audit.

    1. Create Recertification Audit: In EmpowerID, an audit is a logically named, user-defined object for identifying or grouping business requests and running the Recertification policies that generate them. EmpowerID recertification audits can be scheduled to run periodically (quarterly, monthly, weekly, or daily) or on demand.

    2. Add Recertification Policy to Recertification Audit: An audit can have multiple recertification policies, which lets you collect different types of access data in a single audit with granular control over each.

  3. The EmpowerID recertification engine runs the audit on the configured schedule, automatically collecting access data and saving it as snapshots; each snapshot represents the state at the time it was captured and does not change afterwards.

    1. The collected data is used to create Business Requests and their items. In EmpowerID, each access recertification is a Business Request Item, an automatically generated task request that is presented to auditors as part of a Business Request. The background job Attestation Policy Compiler performs the data collection and the generation of business requests. You can follow the instructions in Verify Business Requests are Generated to confirm that the audit generates the requests.

    2. Auditors and responsible managers provide decisions, such as Certify or Revoke, on the business requests. These business requests contain details about the access of the person that needs to be certified. For instructions, see Provide Business Request Decisions.

    3. Once the auditors provide the decisions on the business request, the fulfillment workflow picks the decision and fulfills it. The background job Business Request Fulfillment does the fulfillment task based on business decisions.
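The process flow above (policy with target and item type scope, audit snapshot, business request items, auditor decisions with a default for unattended items, fulfillment) and the toxic access combination mentioned earlier can be modelled in a few lines. This is an added illustration, not EmpowerID code; the people, groups and item types are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample access data (hypothetical names): (person, item type, resource).
ACCESS = [
    ("alice", "GroupMembership", "PO-Creators"),
    ("alice", "GroupMembership", "PO-Approvers"),
    ("alice", "RoleAssignment", "Finance-Manager"),
    ("bob", "GroupMembership", "Finance-Readers"),
    ("carol", "GroupMembership", "PO-Approvers"),
]

# Toxic combinations, following the page's example of creating and approving a purchase order.
TOXIC_COMBINATIONS = [frozenset({"PO-Creators", "PO-Approvers"})]

Item = Tuple[str, str, str]

@dataclass(frozen=True)
class Policy:
    """A reusable recertification policy: target (who), item type scope (what), default decision."""
    name: str
    target: frozenset        # people the policy applies to
    item_type: str           # item type scope, e.g. group memberships only
    default_decision: str    # applied to items left unattended by auditors

def run_audit(policy: Policy, access: List[Item]) -> Tuple[Item, ...]:
    """Collect an immutable snapshot of in-scope access; each entry becomes a business request item."""
    return tuple(i for i in access if i[0] in policy.target and i[1] == policy.item_type)

def flag_toxic_combinations(snapshot: Tuple[Item, ...]) -> set:
    """Return the people in the snapshot who hold a toxic access combination."""
    held: Dict[str, set] = {}
    for person, _, resource in snapshot:
        held.setdefault(person, set()).add(resource)
    return {p for p, res in held.items() if any(c <= res for c in TOXIC_COMBINATIONS)}

def close_audit(policy: Policy, snapshot: Tuple[Item, ...], decisions: Dict[Item, str]):
    """Apply auditor decisions, fill unattended items with the policy default, and return
    (audit trail, items to revoke) for the fulfillment step."""
    trail, revocations = [], []
    for item in snapshot:
        attended = item in decisions
        decision = decisions.get(item, policy.default_decision)
        trail.append((item, decision, "auditor" if attended else "default"))
        if decision == "Revoke":
            revocations.append(item)
    return trail, revocations
```

The audit trail records whether each decision came from an auditor or from the policy default, which is what makes an unattended audit reviewable afterwards.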

Recertification Policy Types
