Client Case Study
UK Life & Pensions Provider
Access Recert
Recertification Process Improves Security and Earns Praise
The Problem
A life and pensions client asked i-confidential to evaluate the effectiveness of the controls they operate. One of the findings highlighted a weakness in the client’s user access reviews. Recertification of user access validates that the entitlements assigned to a user account have been evaluated by a line manager against the requirements of that user’s role. Regulators and auditors will often focus their attention on an organisation’s recertification practices, because a weakness here leaves key information assets exposed to inappropriate access.
The Approach
Following the review, the client requested that we conduct the recertification activity on its behalf. The i-confidential method employs a tool that can be quickly deployed and that, given application access and user account information, aggregates and distributes validation requests in a business-friendly format. This enables line managers to quickly and easily validate user access permissions.
While preparing for the review, i-confidential coordinated with the client’s IT security team to prepare the required data. The information for the first cycle of applications was acquired, cleansed, matched, and loaded into the recertification tool within a month of engagement. The cyclical nature of this activity means each application periodically repeats the recertification process, at agreed points in the year.
As a consequence of the automated, centralised management of the activity, recertifying the client’s user entitlements was achieved rapidly. The revocation lists for all redundant access were provided within a month of initiating the first recertification cycle. The process is supported by easily understood graphical management information, summarising progress.
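As an added illustration (not i-confidential’s tool or the client’s data), the following Python sketches the matching and revocation steps described above: an entitlement export is matched against an HR feed, accounts with no active owner are flagged as orphans, the rest are grouped into a review pack per line manager, and anything a manager did not explicitly keep goes on the revocation list. The field names and all sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample HR feed (illustrative field names): account -> manager, active flag
HR_FEED = {
    "u100": {"manager": "m1", "active": True},
    "u101": {"manager": "m1", "active": True},
    "u102": {"manager": "m2", "active": False},  # leaver still holding access
    "u103": {"manager": "m2", "active": True},
}

# Constructed sample entitlement export: (application, account, entitlement)
ENTITLEMENTS = [
    ("pensions-admin", "u100", "claims-read"),
    ("pensions-admin", "u100", "claims-approve"),
    ("pensions-admin", "u101", "claims-read"),
    ("pensions-admin", "u102", "claims-approve"),   # leaver -> orphan
    ("pensions-admin", "svc_batch", "claims-read"),  # no HR record -> orphan
    ("pensions-admin", "u103", "claims-read"),
]


def match_entitlements(entitlements, hr_feed):
    """Match accounts to HR: entitlements with no active owner are orphans,
    the rest are grouped into a review pack per line manager."""
    orphans, packs = [], defaultdict(list)
    for app, account, entitlement in entitlements:
        person = hr_feed.get(account)
        if person is None or not person["active"]:
            orphans.append((app, account, entitlement))
        else:
            packs[person["manager"]].append((app, account, entitlement))
    return orphans, dict(packs)


def build_revocation_list(orphans, packs, decisions):
    """Orphans are always revoked. Reviewed entitlements are revoked unless the
    manager recorded 'keep'; an unanswered review fails safe to revoke."""
    revoke = list(orphans)
    for items in packs.values():
        revoke += [e for e in items if decisions.get(e) != "keep"]
    return revoke


def summarise(entitlements, orphans, revocations):
    """Management information for the progress dashboard, as percentages."""
    total = len(entitlements)
    return {
        "entitlements": total,
        "orphan_pct": round(100 * len(orphans) / total, 1),
        "revocation_pct": round(100 * len(revocations) / total, 1),
    }
```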
The Outcome
Completing the recertification of all 140 applications in scope required i-confidential to engage with c. 500 line managers, who reviewed c. 35,000 user entitlements across multiple cycles in the year. By conducting accurate and consistent reviews in a timely and automated fashion, the operational efficiency of the process was greatly improved.
A central benefit of removing inappropriate and redundant user access rights is reducing information security risk for the organisation. The client’s progress in this area, as highlighted by the recertification service, has since been commended by its auditor.
[Chart: volume of entitlements recertified (volume increased over the cycles); revocations % (revoking accounts); orphan % (identifying orphans)]