IAM Process Map

Recertifications (Process - IAM)

Line Manager Recertifications

1.3 READY FOR PEER REVIEW

IAM

• Compliance Assurance (IAM Goal) +++

• Information Security Resilience (IAM Goal) +++

• Costs Efficiency (IAM Goal) -

• Productivity Gains (IAM Goal) -

Reduce the accumulated unnecessary privileges of employees and decrease their risk profile by having line managers review, control and revoke discretionary access rights and roles that are under their sphere of authority and no longer needed. Reduce separation of duties and toxic combinations violations. Improve the organization’s general security posture by enforcing least privileges and need-to-know. Fulfill compliance requirements.

• Human Resources Information System

• Applications and systems inventories (including risk profiles)

• Business Roles (including role model and risk profiles)

• Identity, access rights and roles data

• IAM records documentation

• Compliance requirements

• Risk information (e.g. risk register)

• Mover process

• Events such as identified risks / incidents (to trigger non time-based recertifications)

Fundamental Activities

• Define the recertification scopes and approach based on compliance requirements, risk tolerance thresholds and available resources

• Define recertification planning, including deadlines for completion, escalations for non-responders and escalations / backups for absent reviewers

• Define rules for recertification delegation by line managers to preserve accountability

• Define rules related to the automatic revocation of non-recertified access rights and roles (e.g. when a recertification campaign is left incomplete)

• Define and execute a communication plan to manage stakeholders

• Determine who is responsible to (re-)certify whose access rights and roles

• Route recertification requests to the managers

• Assure the recertification process informs line managers by providing business context, associated risks and outliers

• Chase and manage non-responders

• Have the managers review and confirm the appropriateness of access rights and roles

• Revoke all discretionary access rights and roles that are found inappropriate

• Integrate the process with provisioning / deprovisioning and reconciliation

• Conduct regular (quarterly, semi-annually or annually) recertification campaigns

• Conduct ad hoc recertification campaigns triggered by the Mover process

• Monitor the execution of recertification campaigns

• Archive all recertification records and decisions for audit purposes or future inquiry

• Close out recertification campaigns

Mature activities

• Engage in active continuous improvement on the process

• Leverage RBAC to streamline recertification

• Provide feedback to stakeholders with reports highlighting key issues and appreciating the level of effectiveness and efficiency of recertification

• Implement a second-level verification step with the possibility to override first-level decisions for sensitive access rights and roles that may cause operational or availability issues if accidentally removed.

• Manage line manager absences with escalations or backups.

• Automate the process and reduce the administrative burden for line managers while keeping it effective

• Trigger recertifications following risk events including incidents through process integration

• Deploy continuous recertification whereby manager may execute scoped recertifications whenever deemed necessary

• Assure that the frequency of time-based recertifications is risk-based, i.e. access rights and roles that meet defined risk thresholds are recertified more often

• Exclude duly approved and documented exceptions from recertifications to avoid inappropriate revocation actions

• Extend the scope of recertification to privileged accesses and roles

• Apply data analytics to inform managers of risks, outliers, potentially toxic combinations, past user activity and other relevant information during recertification

• Apply data analytics to detect and address recertification apathy

• Apply data analytics / machine learning to automate or semi-automate recertification

Support Activities

• Conduct awareness campaigns

• Deliver trainings to stakeholders

• Provide coaching and support for line managers

• Time-based recertification campaigns (quarterly, semi-annual or annual)

• Event-based recertification campaigns (e.g. triggered by incidents or identified risks)

• Continuous recertification campaigns

• IAM Systems (on-premises, IDaaS or others) supporting the consolidation of IAM authoritative information and recertification workflows

• Data analytics

• Artifical Intelligence (AI) is perceived as a possible mean to enhance recertification tools and possibly to replace up to 50% of manual recertifications

• Risk-based scoring of access rights and roles

• Absence of a risk-based approach

• Administrative burden for line managers

• Access rights and roles not presented in clear and business-friendly terms that do not enable appropriate judgments

• Inadequate campaign frequency

• Lack of understanding of system security models

• Line manager delegation leading to loose accountability

• Line managers negative perception of the process

• Manual record consolidation that is labor intensive and error-prone

• No or inadequate role model

• Non-standard naming conventions for IAM records

• Recertification apathy

• Tool performance issues

• Unclear recertification responsibilities of line managers

• Sarbannes - Oxley (SOX)

• Compile the list of authoritative sources requiring recertification

• Revocation requests

• Evidences of recertifications and subsequent revocations for audit purposes

• Data analytic reports

• Requests to enhance documentation, role models, access models

• Revocations per Line Manager (Indicator - IAM)

• Organizational scope (region, division, unit, …)

• User populations: permanent employees, contractors, partners

• Identity categories: humans, robots

• Account attributes (e.g. include inactive accounts or not)

• Access type: logical, physical

• Access sensitivity: normal, privileged

• IT Systems (business applications, infrastructure, …)

• IT Systems Sensitivity

• Lack of reliable applications and systems inventories leading to inadequate scope definition

• Lack of reliable access rights and roles clear and business friendly definitions that do not allow informed judgments and lead to fear of revocations to avoid availability issues

• Recertification apathy leading to failed process objective

• Use LM Recertification process focused on the crown jewels as a mean to enhance assurance levels for limited costs

• Business Line (Stakeholder - IAM)

• CISO (Stakeholder - IAM)

• Employee (Stakeholder - IAM)

• External Auditor (Stakehodler - IAM)

• Help Desk (Stakeholder - IAM)

• IAM Management (Stakeholder)

• Information Security (Stakeholder - IAM)

• Internal Control (Stakeholder - IAM)

• IT System Business Owner (Stakeholder)

• IT System Technical Owner (Stakeholder - IAM)

• Line Manager (Stakeholder - IAM)

• Reviewee (Stakeholder - IAM)

• Reviewer (Stakeholder - IAM)

• Risk Management Department (Stakeholder - IAM)

• Top Management (Stakeholder)

• Allan and Iverson, 2018, p. 5

• Cowart, 2013, p. 461-478

• Cowart et al., 2013, p. 186-187

• Cser and Maxim, 2017, p. 7

• Gazos N., 2013 p. 583–590

• Gazos and Osmanoglu, 2013, p. 437–459

• Iverson and Kampman, 2017, p. 5

• Iverson et al., 2016, p. 10

• KPMG and Everett, 2009, p. 8, 16

• Maxim and Cser, 2017, p. 13

• /wiki/spaces/QUOT/pages/107643467

• Osmanoglu et al., 2013, p. 49, 52, 83, 126, 583-590

• Singh and Gaehtgens, 2017, p. 12

• Sussex, 2013, p. 479-519

• Uddin and Preston, 2015, p. 150-156

• Wells and Martin, 2013, p. 135–137

• Recertification (Dictionary Entry)