Security Analyst at i-confidential
It’s that time of year again already. You can’t believe it.
You’ve only just got over the headache it caused last time. And now you’ve got to go through it all over again.
Yes, we’re talking about access recertification.
But why does it cause such a headache? The staff complaints, the audit pressure, and the overall frustration you feel most likely share a single root cause. And don’t worry – you’re not alone. This is a problem everyone deals with.
The biggest access recertification issue I see over and over again is data quality. With poor data you can feel like you’re going backwards before you even get started.
The quality of your input determines the quality of your output. Garbage in, garbage out.
Why is data quality so important?
1. You need the right people reviewing access. Even medium-sized organisations have to manage a large number of systems. This leads to staff members having multiple IDs, which can be difficult to track. If you can’t find the correct owner of the account, you can’t review it. And revoking the wrong person’s access is an easy way to kick up a storm!
2. Even once you’ve found the correct account owner, you still need to make sure people understand what you’re reviewing. Often, the data exported from a system isn’t immediately clear. This means you can’t rely on software alone for your recertification process. You need knowledgeable people to interpret the data so that anyone responsible for reviewing access knows what they’re approving.
3. Because the access recertification process is relatively easy to interrogate, it gets a lot of attention from auditors. Therefore, you must ensure you can closely track the data at every stage. From exporting system information, all the way through to certifying or revoking access at the end, a proven process that stands up to rigorous audit scrutiny is essential.
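The three points above describe one reconciliation: join the raw system export to an account owner, a reviewer and a plain-language meaning for each entitlement, and flag every row where that join fails. The script below is an added illustration, not code from i-confidential; the system name, account IDs, HR records and entitlement codes are all constructed sample data, and the export fingerprint is one way of evidencing exactly which data set a reviewer saw.

```python
import hashlib
import json

# Constructed sample export from a hypothetical "PAYROLL" system (not real data).
SYSTEM_EXPORT = [
    {"account": "jsmith", "entitlement": "PR_ADM"},
    {"account": "jsmith2", "entitlement": "PR_RO"},
    {"account": "svc_batch", "entitlement": "PR_ADM"},
    {"account": "akhan", "entitlement": "PR_XYZ"},
]

# Mapping from system account IDs to HR employee IDs; one person may hold several IDs.
ACCOUNT_OWNERS = {"jsmith": "E100", "jsmith2": "E100", "akhan": "E200"}

# HR directory: who the person is, whether they still work here, who reviews their access.
HR_DIRECTORY = {
    "E100": {"name": "Jane Smith", "status": "active", "manager": "E300"},
    "E200": {"name": "Ali Khan", "status": "left", "manager": "E300"},
    "E300": {"name": "Morgan Lee", "status": "active", "manager": None},
}

# Plain-language meaning of each entitlement code, so reviewers know what they approve.
ENTITLEMENTS = {
    "PR_ADM": "Payroll administrator: can create and amend salary payments",
    "PR_RO": "Payroll read-only: can view payslips and reports",
}

def build_review_items(export, owners, hr, entitlements):
    """Join each exported row to its owner, reviewer and meaning; flag data-quality gaps."""
    items = []
    for row in export:
        emp_id = owners.get(row["account"])
        person = hr.get(emp_id) if emp_id else None
        item = {
            "account": row["account"],
            "owner": person["name"] if person else None,
            "reviewer": person["manager"] if person else None,
            "meaning": entitlements.get(row["entitlement"]),
            "flags": [],
        }
        if person is None:
            item["flags"].append("NO_OWNER")  # cannot be reviewed until an owner is found
        elif person["status"] != "active":
            item["flags"].append("OWNER_LEFT")  # leaver still holding access
        if item["meaning"] is None:
            item["flags"].append("UNKNOWN_ENTITLEMENT")  # reviewer cannot tell what it grants
        items.append(item)
    return items

def review_ready(items):
    """Only rows with no data-quality flags can be sent to a reviewer."""
    return [i["account"] for i in items if not i["flags"]]

def export_fingerprint(export):
    """SHA-256 of the exact export reviewed, recorded with each decision as audit evidence."""
    canonical = json.dumps(export, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()
```

Rows carrying a flag go back to the data owners for clean-up before the campaign starts; only the unflagged rows, together with the fingerprint of the export they came from, are handed to reviewers.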
Every organisation needs to control who has access to its data. It’s a fundamental part of cyber security. But in the case of access recertification, the success of your process all comes down to data.
Make sure you can identify a system’s account owner, what any access does, and that you are able to clearly evidence the process. If you can do all that, access recertification won’t be such a headache anymore.