Reduce the unnecessary privileges employees accumulate over time, and thereby their risk profile, by having line managers review, control and revoke the discretionary access rights and roles within their sphere of authority that are no longer needed. Reduce separation-of-duties and toxic-combination violations. Improve the organization's general security posture by enforcing least privilege and need-to-know. Fulfill compliance requirements.
Inputs
Human Resources Information System
Applications and systems inventories (including risk profiles)
Business Roles (including role model and risk profiles)
Identity, access rights and roles data
IAM records documentation
Compliance requirements
Risk information (e.g. risk register)
Mover process
Events such as identified risks / incidents (to trigger non time-based recertifications)
Activities
Fundamental Activities
Define the recertification scopes and approach based on compliance requirements, risk tolerance thresholds and available resources
Define recertification planning, including deadlines for completion, escalations for non-responders and escalations / backups for absent reviewers
Define rules for recertification delegation by line managers to preserve accountability
Define rules related to the automatic revocation of non-recertified access rights and roles (e.g. when a recertification campaign is left incomplete)
Define and execute a communication plan to manage stakeholders
Determine who is responsible to (re-)certify whose access rights and roles
Route recertification requests to the managers
Ensure the recertification process informs line managers by providing business context, associated risks and outliers
Chase and manage non-responders
Have the managers review and confirm the appropriateness of access rights and roles
Revoke all discretionary access rights and roles that are found inappropriate
Integrate the process with provisioning / deprovisioning and reconciliation
Conduct regular (quarterly, semi-annually or annually) recertification campaigns
Conduct ad hoc recertification campaigns triggered by the Mover process
Monitor the execution of recertification campaigns
Archive all recertification records and decisions for audit purposes or future inquiry
Close out recertification campaigns
Mature activities
Engage in active continuous improvement on the process
Leverage RBAC to streamline recertification
Provide feedback to stakeholders with reports highlighting key issues and assessing the effectiveness and efficiency of recertification
Implement a second-level verification step with the possibility to override first-level decisions for sensitive access rights and roles that may cause operational or availability issues if accidentally removed.
Manage line manager absences with escalations or backups.
Automate the process and reduce the administrative burden for line managers while keeping it effective
Trigger recertifications following risk events including incidents through process integration
Ensure that the frequency of time-based recertifications is risk-based, i.e. access rights and roles that meet defined risk thresholds are recertified more often
Exclude duly approved and documented exceptions from recertifications to avoid inappropriate revocation actions
Extend the scope of recertification to privileged accesses and roles
Apply data analytics to inform managers of risks, outliers, potentially toxic combinations, past user activity and other relevant information during recertification
Apply data analytics to detect and address recertification apathy
Apply data analytics / machine learning to automate or semi-automate recertification
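The rules listed above (risk-based review frequency, exclusion of approved exceptions, automatic revocation of non-recertified access once a campaign deadline passes, second-level verification for availability-sensitive items, and analytics to detect recertification apathy) can be expressed as a small campaign engine. The following is an added illustration, not code from the original page or from any IAM product; the 90-day and 365-day intervals, the rubber-stamping thresholds, and all users, entitlements and reviewers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median
from typing import Optional

# Assumed risk-based cadence (not from the page): privileged access is
# recertified every 90 days, normal access every 365 days.
REVIEW_INTERVAL_DAYS = {"privileged": 90, "normal": 365}

@dataclass
class Entitlement:
    user: str
    name: str
    sensitivity: str                      # "normal" or "privileged"
    last_certified: date
    approved_exception: bool = False      # duly approved, documented exception
    availability_sensitive: bool = False  # accidental removal could cause an outage

@dataclass
class Decision:
    entitlement: Entitlement
    reviewer: str
    outcome: Optional[str]                # "approve", "revoke" or None (no response)
    decided_at: Optional[datetime]

def key(e: Entitlement) -> str:
    return f"{e.user}:{e.name}"

def due_for_recertification(entitlements, today: date) -> list:
    """Risk-based time scoping; approved exceptions are left out of the campaign."""
    due = []
    for e in entitlements:
        if e.approved_exception:
            continue
        if today - e.last_certified >= timedelta(days=REVIEW_INTERVAL_DAYS[e.sensitivity]):
            due.append(key(e))
    return due

def close_campaign(decisions, deadline: datetime, now: datetime) -> dict:
    """Turn reviewer decisions into revocation requests and second-level checks."""
    out = {"keep": [], "revoke": [], "second_level": [], "pending": []}
    for d in decisions:
        e = d.entitlement
        if d.outcome == "approve":
            out["keep"].append(key(e))
        elif d.outcome == "revoke" or (d.outcome is None and now > deadline):
            # Explicit revoke, or automatic revocation of non-recertified access once
            # the deadline has passed. Availability-sensitive items are routed to a
            # second-level verifier who may override the first-level outcome.
            out["second_level" if e.availability_sensitive else "revoke"].append(key(e))
        else:
            out["pending"].append(key(e))  # still awaiting the reviewer, deadline not passed
    return out

def detect_apathy(decisions, min_items: int = 5, max_median_gap_s: float = 10.0) -> list:
    """Flag reviewers who approve everything in rapid bursts (rubber-stamping)."""
    by_reviewer = {}
    for d in decisions:
        if d.decided_at is not None:
            by_reviewer.setdefault(d.reviewer, []).append(d)
    flagged = []
    for reviewer, ds in by_reviewer.items():
        if len(ds) < max(min_items, 2):
            continue
        ds.sort(key=lambda d: d.decided_at)
        gaps = [(b.decided_at - a.decided_at).total_seconds() for a, b in zip(ds, ds[1:])]
        if all(d.outcome == "approve" for d in ds) and median(gaps) <= max_median_gap_s:
            flagged.append(reviewer)
    return sorted(flagged)

def sample_data():
    """Constructed sample: hypothetical users, entitlements and reviewers."""
    today = date(2024, 6, 30)
    ents = [
        Entitlement("alice", "SAP_AP_POST", "privileged", date(2024, 2, 1)),
        Entitlement("alice", "SAP_AP_APPROVE", "privileged", date(2024, 5, 15)),
        Entitlement("bob", "FILESHARE_RO", "normal", date(2023, 5, 1)),
        Entitlement("carol", "PROD_DB_ADMIN", "privileged", date(2023, 1, 1), approved_exception=True),
        Entitlement("dave", "BACKUP_SVC", "privileged", date(2024, 1, 1), availability_sensitive=True),
    ]
    deadline = datetime(2024, 7, 15, 0, 0)
    decisions = [
        Decision(ents[0], "mgr_x", "approve", datetime(2024, 7, 2, 10, 0, 0)),
        Decision(ents[2], "mgr_y", "revoke", datetime(2024, 7, 3, 9, 30, 0)),
        Decision(ents[4], "mgr_z", None, None),  # non-responder
    ]
    # One reviewer approving five items three seconds apart.
    t0 = datetime(2024, 7, 4, 8, 0, 0)
    for i in range(5):
        e = Entitlement(f"user{i}", "CRM_EXPORT", "normal", date(2023, 1, 1))
        decisions.append(Decision(e, "mgr_r", "approve", t0 + timedelta(seconds=3 * i)))
    return today, ents, decisions, deadline

if __name__ == "__main__":
    today, ents, decisions, deadline = sample_data()
    print("due:", due_for_recertification(ents, today))
    print("closed:", close_campaign(decisions, deadline, deadline + timedelta(days=1)))
    print("apathy:", detect_apathy(decisions))
```

In the sample, Carol's documented exception keeps PROD_DB_ADMIN out of scope, Dave's unanswered review of an availability-sensitive entitlement is escalated for second-level verification rather than silently revoked, and mgr_r's five approvals in twelve seconds are surfaced as probable rubber-stamping; in practice the apathy thresholds would be tuned per campaign and combined with the business-context and outlier data the mature activities describe.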
Support Activities
Conduct awareness campaigns
Deliver trainings to stakeholders
Provide coaching and support for line managers
Methods & Tools
Time-based recertification campaigns (quarterly, semi-annual or annual)
Event-based recertification campaigns (e.g. triggered by incidents or identified risks)
Continuous recertification campaigns
IAM Systems (on-premises, IDaaS or others) supporting the consolidation of IAM authoritative information and recertification workflows
Data analytics
Artificial Intelligence (AI) is perceived as a possible means to enhance recertification tools and possibly to replace up to 50% of manual recertifications
Risk-based scoring of access rights and roles
Challenges
Absence of a risk-based approach
Administrative burden for line managers
Access rights and roles not presented in clear, business-friendly terms, so that reviewers cannot make informed judgments
Inadequate campaign frequency
Lack of understanding of system security models
Line manager delegation leading to loose accountability
Line managers' negative perception of the process
Manual record consolidation that is labor intensive and error-prone
No or inadequate role model
Non-standard naming conventions for IAM records
Recertification apathy
Tool performance issues
Unclear recertification responsibilities of line managers
Compliance Requirements
Sarbanes-Oxley (SOX)
Compile the list of authoritative sources requiring recertification
Outputs
Revocation requests
Evidence of recertifications and subsequent revocations for audit purposes
Data analytic reports
Requests to enhance documentation, role models, access models
User populations: permanent employees, contractors, partners
Identity categories: humans, robots
Account attributes (e.g. include inactive accounts or not)
Access type: logical, physical
Access sensitivity: normal, privileged
IT Systems (business applications, infrastructure, …)
IT Systems Sensitivity
Risks
Lack of reliable applications and systems inventories leading to inadequate scope definition
Lack of clear, business-friendly definitions of access rights and roles, which prevents informed judgments and leads reviewers to avoid revocations for fear of causing availability issues
Recertification apathy leading to failed process objective
Opportunities
Use a line manager recertification process focused on the crown jewels as a means to raise assurance levels at limited cost