While most companies have structured processes in place for assigning access rights, they tend to neglect the removal of rights that have become obsolete. We therefore often come across organizations with a chaotic access landscape: access rights that were once carefully selected and assigned take on a life of their own over time. Employees switching departments, resigning or receiving special rights all contribute to companies losing control over their IT users’ access rights. The saying that an intern accumulates more access rights over the 3-year course of their traineeship than an executive collects in their entire career is true – interns pass through so many different departments that they collect countless privileges on the way – and these privileges are never removed. This is a cause for alarm, because a lack of structure in your access rights landscape poses a high risk of data abuse and theft.
Companies must have structured processes in place for assigning, adjusting and removing privileges, and achieving this requires constant monitoring and re-evaluation of the situation in order to correct errors in time. This is the only way to improve IT security.
What is “Re-certification”?
Maintaining the status quo of your access landscape is challenging – and this is where re-certification comes into play. You can define data owners (e.g. department managers) who are in charge of monitoring and controlling certain privileges on a regular basis by asking the following questions:
- Do any staff members have special rights?
- Did anyone switch to a different department?
- Did anyone resign?
Data owners are able to remove old and outdated user rights or re-confirm rights that are still necessary and correct.
Why should I re-certify?
The purpose of re-certification is to remove obsolete privileges and thus increase the security of your corporate data. Whether an access right is granted or not should be decided by the responsible data owner. This measure will help you to maintain a good overview (and control) of your IT users and prevent risky, uncontrolled and unstructured growth of your access rights landscape.
Who is responsible for carrying out the re-certification?
Re-certification of access rights is not the responsibility of the IT department. A person in charge of monitoring and controlling roles and access rights must be familiar with the user jobs and tasks involved. Usually, this would be a department manager or someone in a similar position. Whoever is in charge of reviewing and controlling access rights must have knowledge of and access to the relevant data in order to make the appropriate decisions about who is to be granted access and who is not.
How does re-certification work?
The requirements for re-certification vary from company to company. To keep all efforts to a minimum, it is advisable to focus on areas that pose a particularly high risk to data security (i.e. where confidential or sensitive data are involved), whereas less critical systems need to be reviewed less frequently.
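The following Python script is an added illustration and not part of the original article or of tenfold's own software. It puts the three data-owner questions from above (special rights, department changes, resignations) and the risk-based review frequency from this section into a small review-campaign builder: every entitlement is checked against the current user record, review intervals depend on an assumed risk tier of the resource, and entitlements whose review has been missed for longer than an assumed grace period are put into a separate bucket with an assumed fallback action. The risk tiers, intervals, grace period, fallback policy and all sample users and entitlements are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review intervals per risk tier (illustrative values, not from the article):
# confidential systems are reviewed often, less critical ones rarely.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}
# Assumed grace period after which a missed review triggers a fallback action.
OVERDUE_GRACE_DAYS = 30


@dataclass(frozen=True)
class User:
    user_id: str
    department: str   # current department
    active: bool      # False once the employee has left


@dataclass(frozen=True)
class Entitlement:
    user_id: str
    resource: str
    risk: str                    # "high" | "medium" | "low"
    granted_for_department: str  # department the right was originally assigned for
    special: bool                # elevated right outside the standard profile
    last_certified: date         # last time a data owner confirmed it


def entitlement_findings(ent, user, today):
    """Answer the data owner's questions for one entitlement and return the
    reasons it must be reviewed (an empty list means nothing to review)."""
    reasons = []
    if user is None or not user.active:
        reasons.append("user left the company")
    elif user.department != ent.granted_for_department:
        reasons.append(f"department changed: {ent.granted_for_department} -> {user.department}")
    if ent.special:
        reasons.append("special right")
    interval = REVIEW_INTERVAL_DAYS[ent.risk]
    if (today - ent.last_certified).days >= interval:
        reasons.append(f"review interval ({interval} days) elapsed")
    return reasons


def build_campaign(users, entitlements, today):
    """Split entitlements into those due for review and those whose review is
    overdue (interval plus grace period elapsed without a new certification)."""
    by_id = {u.user_id: u for u in users}
    due, overdue = [], []
    for ent in entitlements:
        reasons = entitlement_findings(ent, by_id.get(ent.user_id), today)
        if not reasons:
            continue
        deadline = ent.last_certified + timedelta(
            days=REVIEW_INTERVAL_DAYS[ent.risk] + OVERDUE_GRACE_DAYS)
        item = {"user": ent.user_id, "resource": ent.resource,
                "risk": ent.risk, "reasons": reasons}
        (overdue if today > deadline else due).append(item)
    return {"due": due, "overdue": overdue}


def fallback_actions(campaign):
    """Assumed fallback policy for reviews nobody completed: high-risk rights are
    revoked, everything else is suspended until a data owner decides."""
    return [(i["user"], i["resource"], "revoke" if i["risk"] == "high" else "suspend")
            for i in campaign["overdue"]]


# Constructed sample data for a review run on 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    User("alice", "finance", True),
    User("bob", "sales", True),      # moved from finance to sales
    User("carol", "hr", False),      # resigned
    User("dave", "it", True),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "finance-share", "high", "finance", False, date(2024, 4, 1)),
    Entitlement("bob", "finance-share", "high", "finance", False, date(2024, 5, 15)),
    Entitlement("carol", "hr-share", "medium", "hr", False, date(2024, 5, 1)),
    Entitlement("dave", "admin-group", "high", "it", True, date(2024, 1, 1)),
    Entitlement("alice", "archive", "low", "finance", False, date(2023, 1, 15)),
]

if __name__ == "__main__":
    campaign = build_campaign(SAMPLE_USERS, SAMPLE_ENTITLEMENTS, TODAY)
    for bucket in ("due", "overdue"):
        for item in campaign[bucket]:
            print(f"[{bucket}] {item['user']} on {item['resource']}: {'; '.join(item['reasons'])}")
    for user, resource, action in fallback_actions(campaign):
        print(f"[fallback] {action} {user} on {resource}")
```

With the sample data, alice's current finance share needs no attention, bob's finance share and carol's HR share land in the "due" list because of a department change and a resignation, and dave's admin group and alice's old archive access are overdue, so they receive the fallback action. The point of the split is the one the article makes about effort: data owners only see entitlements for which one of the three questions has a non-trivial answer, and the reviewer never has to scan rights that are still within their interval.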
What are the problems of re-certification?
The problem most companies face is not that they are unaware of the issue itself, but their lack of time to actually implement a re-certification process. Regularly checking the status of access rights means extra work for data owners. It is therefore important to keep the process as simple as possible and to involve only people who are able to give qualified judgment about access rights.
How does re-certification with tenfold work?
As an access management solution, tenfold can be of great benefit to your re-certification process:
- It allows you to customize and tailor the re-certification process to the specific demands of your company.
- Data owners are able to obtain an overview of the current status quickly and easily.
- The system sends automated reminders when re-certification is due.
- It allows you to define the interval of the re-certification process yourself.
- It allows you to determine which areas (profiles, resources, file servers, etc.) should be reviewed in the re-certification process.
- It allows you to determine backup actions that will be triggered if re-certification is not carried out.
- Data owners have access to a simple yet efficient user interface which they can use to confirm or reject each access right.