Line Manager Recertifications (Process - IAM)

Process Map

https://open-measure.atlassian.net/wiki/spaces/PROC/pages/91815945

Parent Process

https://open-measure.atlassian.net/wiki/spaces/PROC/pages/107643122

Title

Line Manager Recertifications

Version

1.4

Domain

IAM

Goals

Objective

Reduce the accumulated unnecessary privileges of employees and decrease their risk profile by having line managers review, control and revoke discretionary access rights and roles that are under their sphere of authority and no longer needed. Reduce separation of duties and toxic combinations violations. Improve the organization’s general security posture by enforcing least privileges and need-to-know. Fulfill compliance requirements.

Inputs

  • Human Resources Information System

  • Applications and systems inventories (including risk profiles)

  • Business Roles (including role model and risk profiles)

  • Identity, access rights and roles data

  • IAM records documentation

  • Compliance requirements

  • Risk information (e.g. risk register)

  • Mover process

  • Events such as identified risks / incidents (to trigger non time-based recertifications)

Activities

Fundamental Activities

  • Define the recertification scopes and approach based on compliance requirements, risk tolerance thresholds and available resources

  • Define recertification planning, including deadlines for completion, escalations for non-responders and escalations / backups for absent reviewers

  • Define rules for recertification delegation by line managers to preserve accountability

  • Define rules related to the automatic revocation of non-recertified access rights and roles (e.g. when a recertification campaign is left incomplete)

  • Define and execute a communication plan to manage stakeholders

  • Determine who is responsible to (re-)certify whose access rights and roles

  • Route recertification requests to the managers

  • Assure the recertification process informs line managers by providing business context, associated risks and outliers

  • Chase and manage non-responders

  • Have the managers review and confirm the appropriateness of access rights and roles

  • Revoke all discretionary access rights and roles that are found inappropriate

  • Integrate the process with provisioning / deprovisioning and reconciliation

  • Conduct regular (quarterly, semi-annually or annually) recertification campaigns

  • Conduct ad hoc recertification campaigns triggered by the Mover process

  • Monitor the execution of recertification campaigns

  • Archive all recertification records and decisions for audit purposes or future inquiry

  • Close out recertification campaigns

Mature activities

  • Engage in active continuous improvement on the process

  • Leverage RBAC to streamline recertification

  • Provide feedback to stakeholders with reports highlighting key issues and appreciating the level of effectiveness and efficiency of recertification

  • Implement a second-level verification step with the possibility to override first-level decisions for sensitive access rights and roles that may cause operational or availability issues if accidentally removed

  • Manage line manager absences with escalations or backups

  • Automate the process and reduce the administrative burden for line managers while keeping it effective

  • Trigger recertifications following risk events including incidents through process integration

  • Deploy continuous recertification whereby manager may execute scoped recertifications whenever deemed necessary

  • Assure that the frequency of time-based recertifications is risk-based, i.e. access rights and roles that meet defined risk thresholds are recertified more often

  • Exclude duly approved and documented exceptions from recertifications to avoid inappropriate revocation actions

  • Extend the scope of recertification to privileged accesses and roles

  • Apply data analytics to inform managers of risks, outliers, potentially toxic combinations, past user activity and other relevant information during recertification

  • Apply data analytics to detect and address recertification apathy

  • Apply data analytics / machine learning to automate or semi-automate recertification
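As an added illustration, not part of this wiki page or of the Open Measure process itself, the following Python sketch implements several of the rules listed above on a constructed data model: risk-based recertification cadence, exclusion of duly approved exceptions, chasing of non-responders as the deadline approaches, automatic revocation of grants left non-recertified after the deadline, and a simple heuristic for recertification apathy. The Grant/Decision schema, the cadence table and the thresholds are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Grant:                    # constructed schema, not the wiki's own data model
    user: str
    entitlement: str
    risk: int                   # risk-based score, 1 (low) .. 5 (high)
    last_certified: date | None = None
    exception_until: date | None = None      # duly approved, documented exception

@dataclass
class Decision:
    grant: Grant
    reviewer: str                            # the line manager
    outcome: str | None = None               # "keep", "revoke" or None (no response)
    seconds_spent: float = 0.0               # time the reviewer spent on the item

CADENCE_DAYS = {5: 90, 4: 90, 3: 180, 2: 365, 1: 365}   # higher risk, more frequent review

def in_scope(g: Grant, today: date) -> bool:
    """Is this grant due for recertification in a campaign starting today?"""
    if g.exception_until is not None and g.exception_until >= today:
        return False             # approved exception: excluded, so never revoked by mistake
    if g.last_certified is None:
        return True              # never certified: always in scope
    return today - g.last_certified >= timedelta(days=CADENCE_DAYS[g.risk])

def close_campaign(decisions: list[Decision], deadline: date, today: date, chase_days: int = 7):
    """Returns (grants to revoke, reviewers to chase) given the campaign deadline."""
    revocations, to_chase = [], set()
    for d in decisions:
        if d.outcome == "revoke":
            revocations.append(d.grant)
        elif d.outcome is None and today > deadline:
            revocations.append(d.grant)       # not recertified by the deadline: auto-revoke
        elif d.outcome is None and today >= deadline - timedelta(days=chase_days):
            to_chase.add(d.reviewer)          # deadline near: chase / escalate the reviewer
    return revocations, sorted(to_chase)

def rubber_stamp_reviewers(decisions: list[Decision], min_items: int = 5, max_avg_seconds: float = 3.0):
    """Apathy heuristic: reviewer kept every item and averaged <= max_avg_seconds per item."""
    answered: dict[str, list[Decision]] = {}
    for d in decisions:
        if d.outcome is not None:
            answered.setdefault(d.reviewer, []).append(d)
    return sorted(r for r, ds in answered.items()
                  if len(ds) >= min_items and all(d.outcome == "keep" for d in ds)
                  and sum(d.seconds_spent for d in ds) / len(ds) <= max_avg_seconds)
```

Reviewers flagged by the apathy heuristic are candidates for coaching or a second-level verification pass, not for automatic action on their decisions.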

Support Activities

  • Conduct awareness campaigns

  • Deliver trainings to stakeholders

  • Provide coaching and support for line managers

Methods & Tools

  • Time-based recertification campaigns (quarterly, semi-annual or annual)

  • Event-based recertification campaigns (e.g. triggered by incidents or identified risks)

  • Continuous recertification campaigns

  • IAM Systems (on-premises, IDaaS or others) supporting the consolidation of IAM authoritative information and recertification workflows

  • Data analytics

  • Artificial Intelligence (AI) is perceived as a possible means to enhance recertification tools and possibly to replace up to 50% of manual recertifications

  • Risk-based scoring of access rights and roles

Challenges

  • Absence of a risk-based approach

  • Administrative burden for line managers

  • Access rights and roles not presented in clear, business-friendly terms, which prevents appropriate judgments

  • Inadequate campaign frequency

  • Lack of understanding of system security models

  • Line manager delegation leading to loose accountability

  • Line managers' negative perception of the process

  • Manual record consolidation that is labor intensive and error-prone

  • No or inadequate role model

  • Non-standard naming conventions for IAM records

  • Recertification apathy

  • Tool performance issues

  • Unclear recertification responsibilities of line managers

Compliance Requirements

  • Sarbanes-Oxley (SOX)

Compile the list of authoritative sources requiring recertification

Outputs

  • Revocation requests

  • Evidence of recertifications and subsequent revocations for audit purposes

  • Data analytic reports

  • Requests to enhance documentation, role models, access models

Indicators

Scopes

  • Organizational scope (region, division, unit, …)

  • User populations: permanent employees, contractors, partners

  • Identity categories: humans, robots

  • Account attributes (e.g. include inactive accounts or not)

  • Access type: logical, physical

  • Access sensitivity: normal, privileged

  • IT Systems (business applications, infrastructure, …)

  • IT Systems Sensitivity

Risks

  • Lack of reliable applications and systems inventories leading to inadequate scope definition

  • Lack of clear, business-friendly definitions of access rights and roles, which prevents informed judgments and leads reviewers to avoid revocations for fear of availability issues

  • Recertification apathy leading to failed process objective

Opportunities

  • Use the LM Recertification process focused on the crown jewels as a means to enhance assurance levels at limited cost

Stakeholders

Sources

See Also



This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.