What is recertification?
Recertification is the process of continually auditing permissions to make sure the access provided is only the access that is needed. Recertification streamlines and automates the process of revalidating a target type (account or access) or membership on a regular basis (role or resource group).
Recertification is a part of an organization’s governance risk and compliance activity. Recertification or attestation are different terms for the same thing. GRC (governance, risk, and compliance) is a collection of rules and procedures that enable firms to achieve their business goals, deal with uncertainty, and behave with integrity. The goal of the recertification is to present the system data to the auditors and to ensure that there are no nonconformity findings during audits.
Why recertification is needed?
To guarantee that only authorized personnel has access to the enterprise's data, owners of key business data must verify that all application and database user entitlements and privileges are recertified on a regular basis. With access recertification, it's assured that no users have access to resources that aren't assigned to them.
Depending upon the size of the company and whether they are public or non-pubic, and the industry they are in, such as banking or finance, etc., many companies are required by law to perform recertification or attestation of access. A company would like to have risk management in place to prevent people from getting toxic combinations of access that could be a risk to the company. For example, a person might get access to create a purchase order as well as access to approve the same purchase order. This is a toxic combination of access and is a potential risk for a company.
Therefore, to minimize the risk, for all the risky accesses, we should be able to certify and recertify on a regular basis that the access is still needed. For example, is this user account still needed? if a user has already resigned from the company, the user account should not be active. These kinds of potential risks are checked and minimized with the help of recertification at regular intervals.
What is a recertification audit?
The review of user access rights to see if they are proper and correspond to the organization's internal rules and compliance standards is known as access recertification audit.
An audit can be considered as a project with a start date and end date. We might want to audit or certify multiple items using an audit. For example, in a Q1 audit we might want to certify, an external partner, identify as well as a member of certain high-risk management roles. These items are specified in one or more recertification policies. EmpowerID maintains an audit trail of these access snapshots and the decisions made concerning the access. EmpowerID recertification audits can be scheduled to run periodically, such as on a quarterly or monthly basis, weekly, daily, or at will.
What is the recertification policy?
A recertification policy contains actions to ensure that users submit assurance that they have a genuine, continuous need for a particular resource or membership. As a project might have multiple deliverables a recertification audit can have multiple recertification policies associated with it. We can create recertification policies of different types in the EmpowerID system, and these policies are reusable. For example, in an audit we might want to certify, an external partner, identify as well as a member of certain high-risk management roles. These items are specified in one or more recertification policies.
Recertification Policies are snapshots of data that reveal the access to resources granted to people and to roles, the assignments of people to roles, and the security assignments that have been made against protected resources like Exchange mailboxes, applications, and groups. These snapshots are routed for review to authorized personnel such as managers, role owners, or data owners. The review process allows the reviewer to verify the access and certify whether it is valid. Internal processes can use this data to remediate and rectify exceptions or certify the exceptions as permitted.
Recertification in EmpowerID
EmpowerID provides a powerful attestation and recertification platform that gives any organization the ability to take a more proactive approach to rectify potential security issues before they occur through crafting EmpowerID audits and recertification policies. The combination of Recertification Policies with EmpowerID's robust reporting capabilities allows organizations to create a more thorough and effective resource management strategy.
Types of recertification policy
EmpowerID recertification policies has following types.
Recertification Policy Type | Description |
|---|---|
Account validity recertification is a method of determining whether or not accounts are still required. Certain actions must be made if the accounts are no longer required. In other words, account validity recertification policy is to certify whether an account should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. In case of account validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable. For more details on how to create an account validity recertification policy visit account validity recertification page. | |
The business role and location membership recertification process validates whether the membership of a business role and location is still required for a valid business purpose. Certain actions must be made if the membership is no longer required. In other words, business role and location membership recertification policy is to certify whether a membership should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the business role and location is the bundle for the business requests and its members are items. The possible decisions for the business requests are generally set to certify or revoke the business role and location membership. However, these decisions are configurable. For more details on how to create a business role and location membership recertification policy visit business role and location membership page. | |
The group membership recertification process validates whether the membership of a group is still required for a valid business purpose. Certain actions must be made if the membership is no longer required. In other words, group membership recertification policy is to certify whether a membership should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the group is the bundle for the business requests and its members are items. The possible decisions are generally set to certify or revoke the group membership. However, these decisions are configurable. For more details on how to create a group membership recertification policy visit group membership recertification page. | |
The group validity recertification is a method of determining whether or not groups are still required. Certain actions must be made if the groups are no longer required. In other words, group validity recertification policy is to certify whether an groups should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. In case of group validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions are generally set to certify, disable or delete. However, these decisions are configurable. For more details on how to create an group validity recertification policy visit group validity recertification page. | |
The management role access assignment recertification process validates whether the access granted to a management role is still required for a valid business purpose. Certain actions must be made if the access is no longer required. In other words, management role access recertification policy is to certify whether an access granted should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the management role is the bundle for the business request and the access already granted are items. For more details on how to create a management role access assignment type recertification policy visit management role access assignement page. | |
The management role membership recertification process validates whether the membership of a management role is still required for a valid business purpose. Certain actions must be made if the membership is no longer required. In other words, management role membership recertification policy is to certify whether a membership should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the management role is the bundle for the business requests and its members are items. The possible decisions are generally set to certify or revoke the management role membership. However, these decisions are configurable. For more details on how to create a management role membership recertification policy visit management role membership page. | |
The management role validity recertification is a method of determining whether or not management roles are still required. Certain actions must be made if the management roles are no longer required. In other words, management role validity recertification policy is to certify whether a management role should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. In case of management role validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable. For more details on how to create a management role validity recertification policy visit management role validity recertification page. | |
The person validity recertification is a method of determining whether or not the person is still required. Certain actions must be made if the persons are no longer required. In other words, person validity recertification policy is to certify whether a person should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. In case of person validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable. For more details on how to create a person validity recertification policy visit person validity recertification page. |
Each Recertification policy is targeted or scoped to apply only to specific people, roles, or resources using EmpowerID query-based collections. These are comprised of sets, which are SQL queries primarily or code-based queries in some cases. These sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people. They can be based on questions written against the EmpowerID identity warehouse or external systems in a customer's environment.
To maintain the integrity of Recertification Reviews, users cannot recertify themselves. In other words, a user who can create a Recertification Policy cannot certify that policy. The EmpowerID admin user is prohibited from participating in the review process by this feature.