Process Map | IAM Process Map |
---|
Parent Process | Recertifications (Process - IAM) |
---|
Title | Line Manager Recertifications |
---|
Version | 1.0 |
---|
Domain | IAM |
---|
Goals | |
---|
Objective | Reduce the accumulated unnecessary privileges of employees and decrease their risk profile. Reduce separation of duties violations. Improve the organization’s general security posture by enforcing least privileges and need-to-know. Fulfill compliance requirements. |
---|
Inputs | Human Resources Information System Applications and systems inventories (including risk profiles) Business Roles (including role model and risk profiles) Identity, access rights and roles data IAM records documentation Compliance requirements Risk information (e.g. risk register) Mover process Events such as identified risks / incidents (to trigger non time-based recertifications)
|
---|
Activities | Fundamental Activities Define the recertification scopes and approach based on compliance requirements, risk tolerance thresholds and available resources Define recertification planning, including deadlines for completion, escalations for non-responders and escalations / backups for absent reviewers Define rules for recertification delegation by line managers to preserve accountability Define rules related to the automatic revocation of non-recertified access rights and roles Define and execute a communication plan to manage stakeholders Determine who is responsible to (re-)certify accesses and roles Route recertification requests to the managers Assure the recertification process informs line managers by providing business context, associated risks and outliers Chase and manage non-responders Have the managers review and confirm the appropriateness of access rights and roles Revoke all roles and accesses that are found inappropriate Integrate the process with provisioning / deprovisioning and reconciliation Conduct regular (quarterly, semi-annually or annually) recertification campaigns Conduct ad hoc recertification campaigns triggered by the Mover process Monitor the execution of recertification campaigns Archive all recertification records and decisions for audit purposes or future inquiry Close out recertification campaigns
Mature activities Engage in active continuous improvement on the process Leverage RBAC to streamline recertification Provide feedback to stakeholders with reports highlighting key issues and appreciating the level of effectiveness and efficiency of recertification Implement a second-level verification step with the possibility to override first-level decisions for sensitive access rights and roles that may cause operational or availability issues if accidentally removed. Manage line manager absences with escalations or backups. Automate the process and reduce the administrative burden for line managers while keeping it effective Trigger recertifications following risk events including incidents through process integration Deploy continuous recertification whereby manager may execute scoped recertifications whenever deemed necessary Assure that the frequency of time-based recertifications is risk-based, i.e. access rights and roles that meet defined risk thresholds are recertified more often Exclude duly approved and documented exceptions from recertifications to avoid inappropriate revocation actions Extend the scope of recertification to privileged accesses and roles Apply data analytics to inform managers of risks, outliers, potentially toxic combinations, past user activity and other relevant information during recertification Apply data analytics to detect and address recertification apathy Apply data analytics / machine learning to automate or semi-automate recertification
Support Activities Conduct awareness campaigns Deliver trainings to stakeholders Provide coaching and support for line managers
|
---|
Methods & Tools | Time-based recertification campaigns (quarterly, semi-annual or annual) Event-based recertification campaigns Continuous recertification campaigns IAM Systems (on-premises, IDaaS or others) supporting the consolidation of IAM authoritative information and recertification workflows Data analytics Artifical Intelligence (AI) is perceived as a possible mean to enhance recertification tools and possibly to replace up to 50% of manual recertifications Risk-based scoring of user accesses
|
---|
Challenges | Absence of a risk-based approach Administrative burden for line managers Access rights and roles not presented in clear and business-friendly terms that do not enable appropriate judgments Inadequate campaign frequency Lack of understanding of system security models Line manager delegation leading to loose accountability Line managers negative perception of the process Manual record consolidation that is labor intensive and error-prone No or inadequate role model Non-standard naming conventions for IAM records Recertification apathy Tool performance issues Unclear recertification responsibilities of line managers
|
---|
Compliance Requirements | - Compile the list of authoritative sources requiring recertification
|
---|
Outputs | Revocation requests Evidences of recertifications and subsequent revocations for audit purposes Data analytic reports Requests to enhance documentation, role models, access models
|
---|
Indicators | |
---|
Scopes | Organizational scope (region, division, unit, …) User populations: permanent employees, contractors, partners Identity categories: humans, robots Account attributes (e.g. include inactive accounts or not) Access type: logical, physical Access sensitivity: normal, privileged IT Systems (business applications, infrastructure, …) IT Systems Sensitivity
|
---|
Risks | Lack of reliable applications and systems inventories leading to inadequate scope definition Lack of reliable access rights and roles clear and business friendly definitions that do not allow informed judgments and lead to fear of revocations to avoid availability issues Recertification apathy leading to failed process objective
|
---|
Opportunities | |
---|
Stakeholders | |
---|
Sources | Allan and Iverson, 2018, p. 5 Cowart, 2013, p. 461-478 Cowart et al., 2013, p. 186-187 Cser and Maxim, 2017, p. 7 Gazos N., 2013 p. 583–590 Gazos and Osmanoglu, 2013, p. 437–459 Iverson and Kampman, 2017, p. 5 Iverson et al., 2016, p. 10 KPMG and Everett, 2009, p. 8, 16 Maxim and Cser, 2017, p. 13 /wiki/spaces/QUOT/pages/107643467 Osmanoglu et al., 2013, p. 49, 52, 83, 126, 583-590 Singh and Gaehtgens, 2017, p. 12 Sussex, 2013, p. 479-519 Uddin and Preston, 2015, p. 150-156 Wells and Martin, 2013, p. 135–137
|
---|
See Also | |
---|