User Access Reviews.  Access Certifications.  Periodic Access Reviews.  We all know that the user access certification process is important to identifying and addressing inappropriate or conflicting access to key systems, but IT and Business resources alike will express frustration with the process and end results.  (“They take too long”, “I don’t know what I’m reviewing”, “Reviewers are just ‘pencil whipping’ their reviews”, “The Business isn’t incentivized to complete the review in a timely fashion.”)

The latest edition of the ISACA Journal includes a great article about Rethinking User Access Certifications (login required).  The author highlights four key items that should be considered when planning your User Access Certification:

  • How manual is your account provisioning / de-provisioning process?  More automated processes require (in theory) less frequent review, since the middle man has been cut out of the process.
  • Is there a large user population?  Are users geographically dispersed? Is there a high user turnover rate?  These are situations that suggest a need for more frequent reviews.
  • Are there some access rights that are more significant than others?  Not all access is created equal.  Read-only or extremely limited access rights don’t need to be reviewed as frequently as power user or system administrator access.
  • What is the degree to which access needs to be modified or removed after a review?  Reviews that result in lots of change suggest that preventative provisioning / de-provisioning processes aren’t working as expected and that more frequent reviews may be necessary.


Keep in mind that the degree of change resulting from a review may also indicate that the reviewers aren’t sufficiently reviewing the access in question.  You may want to consider my “Brown M&M” approach to determine the adequacy of your reviewers’ analysis.
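As an added example (not code from this post or from the ISACA article), the script below turns the four planning factors above into a review cadence per access scope, then scores a finished review campaign for the two signals just described: how much access actually changed, and whether each reviewer caught seeded “canary” entitlements, one reading of the “Brown M&M” idea (plant access the reviewer should obviously revoke and see who keeps it). The thresholds, the `ReviewScope`/`Decision` structures and the sample decisions are all constructed assumptions for illustration.

```python
"""Access-review planner and campaign scorer (illustrative; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewScope:
    """One system or access tier being certified (assumed structure)."""
    name: str
    manual_provisioning: bool   # factor 1: no automated joiner/mover/leaver flow
    user_count: int             # factor 2: size of the population
    turnover_rate: float        # factor 2: fraction of the population replaced per year
    privileged: bool            # factor 3: admin / power-user rights vs. read-only
    last_change_rate: float     # factor 4: share of entitlements revoked last review


def recommended_cadence_days(scope: ReviewScope) -> int:
    """Start from an annual review and tighten it for each risk factor present.

    Thresholds (1,000 users, 20% turnover, 10% change) are assumptions chosen
    for illustration; derive your own from your environment.
    """
    days = 365
    if scope.privileged:
        days = min(days, 90)
    if scope.manual_provisioning:
        days = min(days, 180)
    if scope.user_count >= 1000 or scope.turnover_rate >= 0.20:
        days = min(days, 180)
    if scope.last_change_rate >= 0.10:
        days //= 2  # lots of change last time: preventive controls are leaking
    return max(days, 30)


@dataclass(frozen=True)
class Decision:
    """One line item of a completed review campaign (assumed structure)."""
    reviewer: str
    user: str
    entitlement: str
    keep: bool
    canary: bool = False  # seeded access that a diligent reviewer must revoke


def score_campaign(decisions):
    """Return the real change rate plus a per-reviewer diligence report.

    Canary items are excluded from the change rate (they are not real
    provisioning failures) and used only to judge reviewer attention.
    """
    real = [d for d in decisions if not d.canary]
    change_rate = sum(not d.keep for d in real) / len(real) if real else 0.0

    per_reviewer = defaultdict(
        lambda: {"items": 0, "revoked": 0, "canaries": 0, "canaries_caught": 0}
    )
    for d in decisions:
        r = per_reviewer[d.reviewer]
        if d.canary:
            r["canaries"] += 1
            r["canaries_caught"] += int(not d.keep)
        else:
            r["items"] += 1
            r["revoked"] += int(not d.keep)

    # A reviewer who kept any canary is a candidate for "pencil whipping".
    suspect = sorted(
        name for name, r in per_reviewer.items()
        if r["canaries"] and r["canaries_caught"] < r["canaries"]
    )
    return {
        "change_rate": round(change_rate, 3),
        "reviewers": dict(per_reviewer),
        "suspect_reviewers": suspect,
    }


# Constructed sample campaign: two reviewers, one seeded canary each.
SAMPLE_DECISIONS = [
    Decision("alice", "u1", "erp:ap_clerk", keep=True),
    Decision("alice", "u2", "erp:ap_clerk", keep=True),
    Decision("alice", "u3", "erp:ap_approver", keep=False),
    Decision("alice", "u4", "erp:payment_release", keep=False, canary=True),
    Decision("bob", "u5", "erp:ap_clerk", keep=True),
    Decision("bob", "u6", "erp:ap_clerk", keep=True),
    Decision("bob", "u7", "erp:ap_approver", keep=True),
    Decision("bob", "u8", "erp:payment_release", keep=True, canary=True),
]

if __name__ == "__main__":
    report = score_campaign(SAMPLE_DECISIONS)
    print("change rate:", report["change_rate"])
    print("suspect reviewers:", report["suspect_reviewers"])
    erp_admins = ReviewScope("ERP admins", True, 40, 0.05, True, report["change_rate"])
    print("ERP admins: review every", recommended_cadence_days(erp_admins), "days")
```

Feeding the previous campaign's change rate back into `ReviewScope.last_change_rate` is what closes the loop the fourth bullet describes: a scope that keeps producing revocations gets reviewed more often until the provisioning controls in front of it are fixed, while the canary count keeps the change rate honest by showing which reviewers are actually looking.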

The article is definitely worth a read if your organization is struggling with the user access review process.  The author also suggests some ways that an Identity and Access Management solution could be utilized to manage the process and make it more efficient.  IAM solutions can certainly help in this area, but not all organizations have the funds or capabilities to take advantage of the technology.


Image Credit: WolfBlur / Pixabay