The importance of the access recertification process was established with the Sarbanes-Oxley Act of 2002 (SOX). Section 404 states: “Registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting”. Simply put, companies are required to maintain the integrity of financial reports by ensuring that the right people have access to the right systems that generate those reports. Manual access recertification seemed like a reasonable way to maintain compliance when the law was enacted. Unfortunately, with the proliferation of IT assets and the growing sophistication of attackers, manual access recertification has become an anti-pattern for both security and compliance:
1. Audit Findings:
Without exception, we keep hearing about organizations whose internal audit teams assess access over spreadsheets spanning hundreds of tabs and then exchange back-and-forth emails among stakeholders to capture audit evidence. It is no surprise that many of these organizations end up with audit findings.
2. Productivity Drain:
The manual process is the tedious execution of repetitive tasks that add no value to the company and drain employee morale. A typical quarterly access recertification for a company with more than 1,000 employees requires many paid hours to collect and transform information from the applications, databases, and files under review. The process generates endless volumes of data in Excel sheets or in unstructured formats such as emails, and the same process is repeated every cycle. It is not uncommon to see anti-patterns such as reviewers resorting to rubber-stamping.
3. High Error Rate:
Today companies have multiple systems, databases, and applications (enterprise, custom, and cloud). Authentication methods typically vary between connected and disconnected applications. Therefore, employees, contractors, and vendors have multiple account IDs across today’s IT ecosystem. Without a unique identifier or identity source linking these accounts, it is nearly impossible to attribute them to the corresponding employee, vendor, or contractor identity. Reviewers simply cannot interpret with 100% accuracy the abbreviated IDs, roles, and access rights coming out of these systems. We keep hearing about manual recertifications yielding audit findings for exactly this reason.
4. Challenging To Enforce Segregation Of Duty (SOD):
Excel-based recertification of users and privileges can, after a very tedious effort, yield information on SOD conflicts. However, this manual process cannot be used to proactively enforce SOD during onboarding and employee changes. Every time an employee’s job duties change owing to a promotion or a move to a different department, the data needs to be manually updated to check for new SOD conflicts.
5. Lack Of Centralized Visibility:
Depending on the company’s risk appetite and internal IT controls, the user access recertification process might be needed on a quarterly or semiannual basis. However, the managers who need to review and approve user access often don’t take serious ownership owing to their day jobs. Sifting through an inbox for an access review document is not ideal for anyone. A manual process offers no centralized visibility and no review communication that ensures all parties involved understand the significance of access recertifications and the importance of timely closure.
6. Non-Integrated Deprovisioning:
Completing the review process is just one aspect of user recertification. The most critical aspect is acting on the results: removing or de-provisioning the access that reviewers flagged and deleting orphaned accounts. Reaching that end state in a timely fashion is nearly impossible if, upon completion of the reviews, there is no tie-in with the task of actually removing user access.
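The three mechanical problems called out above (correlating per-system account IDs to one identity source, checking SOD conflicts both during the review and at the moment a role changes, and turning review outcomes directly into deprovisioning work) are what an automated recertification pipeline does. The following is an added illustrative example, not SecurEnds code and not any product's API: it uses a constructed HR feed as the identity source, constructed account extracts from two systems with different ID formats, and an assumed SOD matrix of toxic role pairs.

```python
"""Constructed mini access-review pipeline (added example, not SecurEnds code).

Steps shown:
  1. correlate per-system account IDs to a single identity source (HR feed),
  2. flag orphaned accounts, accounts of terminated identities and SOD conflicts,
  3. emit deprovisioning tasks directly from the review outcome.
All names, system labels, role names and the SOD matrix are constructed
sample data chosen for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed HR "system of record": the unique identifier every account must map to.
HR_IDENTITIES = {
    "E1001": {"name": "Ana Lopez", "dept": "Finance", "status": "active"},
    "E1002": {"name": "Ben Okafor", "dept": "Finance", "status": "active"},
    "E1003": {"name": "Chen Wu", "dept": "IT", "status": "terminated"},
}

# Constructed correlation key: the HR feed knows each person's corporate e-mail.
HR_EMAIL_INDEX = {
    "ana.lopez@example.com": "E1001",
    "ben.okafor@example.com": "E1002",
    "chen.wu@example.com": "E1003",
}

# Constructed per-system account extracts. Each system has its own ID format,
# which is exactly what makes spreadsheet correlation error-prone.
SYSTEM_ACCOUNTS = {
    "erp": [
        {"account": "alopez", "email": "ana.lopez@example.com",
         "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}},
        {"account": "bokafor", "email": "ben.okafor@example.com", "roles": {"GL_POST"}},
        {"account": "svc_batch", "email": "", "roles": {"GL_POST"}},  # no owner on file
    ],
    "ad": [
        {"account": "EXAMPLE\\ana.lopez", "email": "ana.lopez@example.com", "roles": {"Domain Users"}},
        {"account": "EXAMPLE\\chen.wu", "email": "chen.wu@example.com", "roles": {"Domain Admins"}},
    ],
}

# Assumed SOD matrix: pairs of entitlements a single identity must never hold together.
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
}


@dataclass
class ReviewResult:
    orphaned: List[Tuple[str, str]] = field(default_factory=list)           # (system, account)
    terminated: List[Tuple[str, str, str]] = field(default_factory=list)    # (system, account, hr_id)
    sod_conflicts: List[Tuple[str, frozenset]] = field(default_factory=list)  # (hr_id, toxic pair)
    entitlements: Dict[str, Set[str]] = field(default_factory=dict)        # hr_id -> roles across systems


def correlate(accounts=SYSTEM_ACCOUNTS, hr=HR_IDENTITIES, email_index=HR_EMAIL_INDEX) -> ReviewResult:
    """Map every account to an HR identity; anything that cannot be mapped is an orphan."""
    result = ReviewResult()
    for system, rows in accounts.items():
        for row in rows:
            hr_id = email_index.get(row["email"].lower())
            if hr_id is None:
                result.orphaned.append((system, row["account"]))
                continue
            if hr[hr_id]["status"] != "active":
                result.terminated.append((system, row["account"], hr_id))
            # Entitlements are unioned per identity, so conflicts spanning systems are visible.
            result.entitlements.setdefault(hr_id, set()).update(row["roles"])
    return result


def sod_conflicts_for(roles: Set[str], matrix=SOD_CONFLICTS) -> Set[frozenset]:
    """Return every toxic pair fully contained in the given role set."""
    return {pair for pair in matrix if pair <= roles}


def would_conflict(current_roles: Set[str], new_role: str, matrix=SOD_CONFLICTS) -> Set[frozenset]:
    """Proactive check for onboarding or a role change: conflicts created by granting new_role."""
    return sod_conflicts_for(current_roles | {new_role}, matrix) - sod_conflicts_for(current_roles, matrix)


def check_sod(result: ReviewResult, matrix=SOD_CONFLICTS) -> ReviewResult:
    """Flag identities holding both halves of any toxic combination, across all systems."""
    for hr_id, roles in result.entitlements.items():
        for pair in sorted(sod_conflicts_for(roles, matrix), key=sorted):
            result.sod_conflicts.append((hr_id, pair))
    return result


def deprovisioning_tasks(result: ReviewResult) -> List[dict]:
    """Turn review findings into concrete work items instead of rows in a spreadsheet."""
    tasks = []
    for system, account in result.orphaned:
        tasks.append({"action": "disable", "system": system, "account": account, "reason": "orphaned"})
    for system, account, hr_id in result.terminated:
        tasks.append({"action": "disable", "system": system, "account": account,
                      "reason": f"identity {hr_id} terminated"})
    for hr_id, pair in result.sod_conflicts:
        tasks.append({"action": "review_sod", "identity": hr_id, "roles": sorted(pair),
                      "reason": "toxic combination"})
    return tasks


def run_review() -> List[dict]:
    """Full cycle: correlate, check SOD, emit tasks."""
    return deprovisioning_tasks(check_sod(correlate()))


if __name__ == "__main__":
    for task in run_review():
        print(task)
```

The correlation key here is the corporate e-mail address; in practice the HR feed has to carry some attribute that every connected system also exposes, and accounts with no such attribute (service accounts, shared mailboxes) surface as orphans that need a named owner. `would_conflict` is the piece that manual reviews cannot provide: it runs at the moment a role is requested, not months later at the next review.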
Manual user access recertification is not only daunting and inefficient but also a serious anti-pattern for achieving continuous SOX, ISO 27001, HIPAA, GLBA, and similar compliance. In our survey of 13 CISOs across the Financial Services, Credit Union, Healthcare, and Manufacturing industries, automation of access recertifications ranked among the top three priorities. SecurEnds is leading the market with its lightweight, highly configurable, and industry-first flex-connector product that keeps companies secure while meeting audit and compliance requirements. Our user access recertification software allows you to load user data from multiple systems of record, connect dynamically to applications, match identities with user credentials, manage heartbeat identities across connected and disconnected systems, schedule one-time or periodic access recertifications, and create proof of compliance for external auditors. In only 30 minutes we can demo why our SaaS software is now a leading choice for identity governance.