Recertification Overview

What is Recertification?

Recertification is a process that periodically reviews and confirms user access rights so that they remain aligned with each user's role, corporate policy, and regulatory requirements. For instance, a designated authority such as the user's manager reviews an account and decides whether it should remain active. Recertification is a core component of governance, risk, and compliance programs: it helps organizations meet regulatory requirements, reduce security risk, and prevent data breaches. How often it runs depends on the industry and the regulations that apply, with annual or semi-annual reviews being common. To execute recertification effectively, organizations need well-defined guidelines and processes, and the people responsible for reviews must be trained to make informed decisions rather than rubber-stamp them.

Recertification not only keeps access to an organization's data authorized but also reduces the likelihood of risky or unauthorized access going unnoticed and thus helps avert security breaches. It is an important risk management tool because it surfaces individuals who have accumulated harmful combinations of access. For example, a toxic access combination (a separation-of-duties violation) might allow one person to both create and approve purchase orders, exposing the company to fraud. Recertification lets organizations detect and remove such combinations, mitigating the risk and strengthening their security posture.

EmpowerID provides a Recertification platform that lets organizations address these concerns proactively. Its recertification capabilities automate data collection, presentation of items to auditors, verification of user access rights, and removal of access that is not certified. This streamlines the recertification process, reduces the risk of unauthorized access, and supports regulatory compliance. The platform also includes reporting and analytics features that give organizations insight into their access management practices and support data-driven decisions. Using EmpowerID's Recertification platform, organizations can strengthen their security posture and protect sensitive data from breaches.

Recertification Policies and Access Recertification Audits

What are Recertification policies?

Recertification policies are the guidelines and procedures an organization implements to regularly review and verify user access rights against user roles, company policies, and regulatory requirements. In EmpowerID's Recertification platform, you can tailor several aspects of a policy, including the access type, the default decision applied to recertification requests that nobody acts on before the audit closes, and who or what needs recertification. Note that a default of "certify" silently preserves every access that was never reviewed, so treat the default decision as a deliberate risk decision rather than a convenience; a default of "revoke" (or escalation) is the safer choice for high-risk access. EmpowerID allows creating different types of reusable recertification policies, such as certifying an external partner's identity or reviewing high-risk management roles during an audit. A policy is implemented by linking it to an audit.

For more information on how Recertification policy types work in EmpowerID, see Recertification Policy Types.

What are Access Recertification Audits?

Access Recertification Audits involve reviewing user access rights to ensure appropriateness and compliance with an organization's internal policies and regulatory standards. Audits collect data based on associated recertification policies, which are then sent to authorized auditors, such as managers or data owners, for review and validation. Auditors can identify and resolve discrepancies or issues with user access rights during an audit, ensuring compliance with company policies, regulations, and industry standards. EmpowerID generates business request items for each access, which are presented as tasks to auditors. The audit data is a snapshot representing the captured state, with EmpowerID maintaining an audit trail of these snapshots and related decisions.

The recertification policy defines rules and procedures for reviewing access rights, while the recertification audit is the actual review against company policies and regulations. EmpowerID enables organizations to schedule recertification audits periodically, such as quarterly, monthly, weekly, daily, or on demand. With EmpowerID's Access Recertification Audit, organizations can automate and streamline their access review process, ensuring compliance with regulatory requirements.

Recertification Architecture and Process Flow

The following diagram illustrates EmpowerID's Recertification Architecture, with detailed explanations of each process provided below.

[Diagram: EmpowerID Recertification Architecture and Process Flow]

  1. Define the Recertification policy

    1. Create a Recertification Policy – Create a recertification policy that defines the type of policy and enables it for audit.

    2. Add a Target to the Recertification Policy – Configure the policy with a target to specify who or what will be recertified. Recertification policies can target multiple resources and objects, such as a specific location, group, or resource type.

    3. Add Item Type Scope (Data) to the Recertification Policy – Configure the policy to specify the data to be collected with item type scopes. Item scopes enable users to tailor the recertification process to meet their specific needs, such as specifying the collection of data only for a person's access to a group as a member.

  2. Create and define an audit

    1. Create Recertification Audit – A Recertification policy does nothing on its own; an audit is what triggers it, collects the data, and schedules the review.

    2. Add Recertification Policy to Recertification Audit – After creating the audit, you link it to one or more Recertification policies.

  3. Run the audit

    1. The EmpowerID recertification engine executes the audit according to the scheduled timeline, automatically collecting access data and preserving it as snapshots, which represent the state of the data at the time of capture and remain unchanged.

    2. This collected data is used to generate Business Requests and their associated items. In EmpowerID, each access recertification is represented as a Business Request Item, an automatically generated task request presented to auditors as a Business Request. The Attestation Policy Compiler, a background job, manages data collection and business request generation. To verify the audit's effectiveness in generating requests, follow the instructions in "Verify Business Requests are Generated."

    3. Auditors and responsible managers make decisions, such as certifying or revoking access, in response to business requests. Each business request contains the details of the access that needs to be certified for an individual. Instructions for providing decisions on Business Requests can be found in "Provide Business Request Decisions."

    4. After auditors make decisions on business requests, the fulfillment workflow processes these decisions. The Business Request Fulfillment background job completes this task based on the provided business decisions.
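The following is an added illustration of the flow in steps 1 through 3 above, written for this page and not taken from EmpowerID's code: an immutable snapshot is captured, one request item is generated per in-scope access, auditors record decisions, the policy's default decision is applied to anything left unattended, and only "revoke" decisions turn into fulfillment actions. It also flags the create-and-approve purchase order combination mentioned earlier. The class names, the sample identities and groups, and the manager mapping are all assumptions constructed for the example.

```python
"""Added example (not EmpowerID code): a minimal model of an access
recertification audit. All names and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Access:
    person: str
    resource: str
    relationship: str  # e.g. "member" or "owner"


@dataclass(frozen=True)
class Snapshot:
    """Frozen copy of the access data at capture time; it never changes after."""
    captured_on: date
    entries: Tuple[Access, ...]


@dataclass
class BusinessRequestItem:
    """One recertification task for one access, routed to one auditor."""
    access: Access
    auditor: str
    decision: Optional[str] = None    # "certify" or "revoke"
    decided_by: Optional[str] = None


# Constructed sample data: live access at the moment the audit runs.
LIVE_ACCESS = [
    Access("alice", "Finance-PO-Creators", "member"),
    Access("alice", "Finance-PO-Approvers", "member"),
    Access("bob", "Finance-PO-Approvers", "member"),
    Access("bob", "HR-Share", "owner"),
]
MANAGER_OF = {"alice": "carol", "bob": "carol"}  # assumed reporting lines

# The toxic combination named on the page: creating and approving purchase orders.
TOXIC_PAIRS = {frozenset({"Finance-PO-Creators", "Finance-PO-Approvers"})}


def capture_snapshot(live: Iterable[Access], on: date) -> Snapshot:
    return Snapshot(on, tuple(live))  # tuple copy: later changes to `live` are invisible


def generate_items(snap: Snapshot, scope_relationship: str = "member") -> List[BusinessRequestItem]:
    """Item type scope: only accesses with the scoped relationship become tasks."""
    return [BusinessRequestItem(a, MANAGER_OF[a.person])
            for a in snap.entries if a.relationship == scope_relationship]


def toxic_combinations(snap: Snapshot) -> List[Tuple[str, Tuple[str, ...]]]:
    """People holding every resource of a toxic pair, to highlight for the auditor."""
    held = {}
    for a in snap.entries:
        held.setdefault(a.person, set()).add(a.resource)
    return sorted((p, tuple(sorted(pair))) for p, rs in held.items()
                  for pair in TOXIC_PAIRS if pair <= rs)


def decide(item: BusinessRequestItem, auditor: str, decision: str) -> None:
    if auditor != item.auditor:
        raise PermissionError(f"{auditor} is not the assigned auditor for {item.access}")
    if decision not in ("certify", "revoke"):
        raise ValueError(decision)
    item.decision, item.decided_by = decision, auditor


def close_audit(items: List[BusinessRequestItem], default_decision: str) -> List[BusinessRequestItem]:
    """Apply the policy's default decision to every item nobody acted on."""
    for it in items:
        if it.decision is None:
            it.decision, it.decided_by = default_decision, "policy-default"
    return items


def fulfill(items: List[BusinessRequestItem]) -> List[Tuple[str, str]]:
    """Fulfillment: only revocations change anything; certified access is left as is."""
    return [(it.access.person, it.access.resource) for it in items if it.decision == "revoke"]


def run_audit(live=LIVE_ACCESS, on=date(2024, 1, 1), default_decision="revoke", decisions=()):
    """decisions: (person, resource, auditor, decision) tuples recorded before close."""
    snap = capture_snapshot(live, on)
    items = generate_items(snap)
    for person, resource, auditor, decision in decisions:
        item = next(i for i in items if (i.access.person, i.access.resource) == (person, resource))
        decide(item, auditor, decision)
    close_audit(items, default_decision)
    return snap, items, fulfill(items)


if __name__ == "__main__":
    snap, items, actions = run_audit(decisions=[
        ("alice", "Finance-PO-Creators", "carol", "certify"),
        ("alice", "Finance-PO-Approvers", "carol", "revoke"),
    ])
    print("toxic:", toxic_combinations(snap))
    print("revocations:", actions)
```

Two things the run makes concrete: bob's unattended item is revoked only because the policy default is "revoke" (rerun with default_decision="certify" and it survives untouched), and bob's "owner" relationship never becomes a task because the item type scope only covers memberships, so a narrow scope can leave high-value access unreviewed.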

Recertification Policy Types