While most companies have structured processes in place for assigning access rights, they tend to neglect the removal of rights that have become obsolete. We therefore often come across organizations with a chaotic access landscape: access rights that were once carefully selected and assigned take on a life of their own over time. Employees switching departments, resigning or receiving special rights all contribute to companies losing control over their IT users' access rights. The saying that an intern accumulates more access rights over a three-year traineeship than an executive collects in an entire career holds true, because interns pass through so many departments that they pick up countless privileges along the way, and these privileges are never removed. This is cause for alarm, because an unstructured access-rights landscape poses a high risk of data abuse and theft.
Companies must have structured processes in place for assigning, adjusting and removing privileges. Keeping those processes effective requires continuous monitoring and re-evaluation of the current state, so that errors are corrected in time. Without this, IT security cannot improve in any lasting way.
What is “Re-certification”?
Maintaining the status quo of your access landscape is challenging, and this is where re-certification comes into play. You define data owners (e.g. department managers) who are responsible for reviewing and controlling specific privileges at regular intervals, asking questions such as the following:
- Do any staff members hold special rights that go beyond their job role?
- Has anyone switched to a different department?
- Has anyone resigned?
Based on the answers, data owners remove old and outdated user rights, or re-confirm rights that are still necessary and correct.
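The three questions above can be answered mechanically before a data owner ever looks at the list. As an added example (not code from the original article), the following script joins an entitlement export with HR data and builds a per-owner review queue: rights held by leavers, rights that belong to a department the user has left, direct grants outside the role model, and accounts with no HR record are flagged as removal candidates, while everything else is queued for re-confirmation. The data model (Entitlement and HrRecord fields, owner names, resource names) and the sample records are constructed assumptions for illustration; in practice the inputs come from an IAM or directory export and the HR system.

```python
"""Build a re-certification review queue from entitlement and HR data.

Added example for illustration; the record layout is an assumption, not a
real IAM or HR export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    user: str
    resource: str      # a share, directory group or application role
    department: str    # department that owns the resource
    data_owner: str    # person who must decide whether the right stays
    via_role: bool     # True if granted through the job role, False if granted directly


@dataclass(frozen=True)
class HrRecord:
    department: str    # current department according to HR
    active: bool       # False once the employee has left


# Reasons a right is proposed for removal; the owner still takes the decision.
LEFT = "employee has left the company"
MOVED = "user moved to another department"
SPECIAL = "special right granted outside the role model"
UNKNOWN = "no HR record for this account"


def classify(e: Entitlement, hr: dict) -> Optional[str]:
    """Return a removal reason, or None if the right only needs re-confirmation."""
    rec = hr.get(e.user)
    if rec is None:
        return UNKNOWN          # orphaned or service account: nobody owns it
    if not rec.active:
        return LEFT             # rights of leavers must go first
    if rec.department != e.department:
        return MOVED            # right belongs to a department the user has left
    if not e.via_role:
        return SPECIAL          # direct grant, not covered by the role model
    return None


def build_review_queue(entitlements, hr):
    """Return {data_owner: {"remove_candidates": [...], "reconfirm": [...]}}.

    Every entitlement lands in exactly one bucket, so each owner sees the
    complete picture and nothing is silently kept.
    """
    queue = defaultdict(lambda: {"remove_candidates": [], "reconfirm": []})
    for e in entitlements:
        reason = classify(e, hr)
        bucket = queue[e.data_owner]
        if reason is None:
            bucket["reconfirm"].append((e.user, e.resource))
        else:
            bucket["remove_candidates"].append((e.user, e.resource, reason))
    return dict(queue)


# Constructed sample data: an intern who passed through marketing and sales and
# now sits in finance, a leaver, a finance analyst with a direct grant, and an
# account unknown to HR.
HR_RECORDS = {
    "intern1": HrRecord("finance", True),
    "bob": HrRecord("hr", False),
    "carol": HrRecord("finance", True),
}

ENTITLEMENTS = [
    Entitlement("intern1", "share-marketing", "marketing", "marketing-mgr", True),
    Entitlement("intern1", "crm-sales-users", "sales", "sales-mgr", True),
    Entitlement("intern1", "erp-finance-readonly", "finance", "finance-mgr", True),
    Entitlement("bob", "share-hr", "hr", "hr-mgr", True),
    Entitlement("carol", "erp-finance-readonly", "finance", "finance-mgr", True),
    Entitlement("carol", "payroll-export", "finance", "finance-mgr", False),
    Entitlement("svc_legacy", "erp-finance-readonly", "finance", "finance-mgr", False),
]


def run_sample():
    return build_review_queue(ENTITLEMENTS, HR_RECORDS)


if __name__ == "__main__":
    for owner, buckets in run_sample().items():
        print(f"== review queue for {owner} ==")
        for user, resource, reason in buckets["remove_candidates"]:
            print(f"  REMOVE?  {user:12} {resource:22} ({reason})")
        for user, resource in buckets["reconfirm"]:
            print(f"  CONFIRM  {user:12} {resource}")
```

Two design points matter in practice: the queue is keyed by data owner rather than by system, because the decision belongs to whoever knows the user's job, not to IT; and rights that look correct are still listed for re-confirmation rather than dropped from the report, so a stale role mapping cannot hide an obsolete privilege from the reviewer.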
Why should I re-certify?
The purpose of re-certification is to remove obsolete privileges and thereby increase the security of your corporate data. Whether an access right is granted or kept should be decided by the responsible data owner, not by whoever happens to administer the system. This measure helps you maintain an overview of, and control over, your IT users' rights and prevents the risky, uncontrolled and unstructured growth of your access-rights landscape.
Who is responsible for carrying out the re-certification?
Re-certification of access rights is not the responsibility of the IT department. Whoever reviews and controls roles and access rights must be familiar with the jobs and tasks of the users involved; usually this is a department manager or someone in a similar position. The reviewer must also know the relevant data and have access to it in order to decide appropriately who is granted access and who is not. IT provides the entitlement data and the tooling and carries out the resulting changes, but the decision itself belongs to the business.