3 Reasons Why You Need to Recertify Access
By Chris Harragan, Security Analyst at i-confidential
You may be wondering why you need to recertify access.
After all, shouldn’t access be controlled naturally by your joiners, movers, and leavers process? Unfortunately, no, but it’s an easy assumption to make.
So I’m here to set the record straight! There are some common reasons why you may be facing recertification pressures right now:
· To get auditors off your back.
· Increasing demands from regulation.
· Internal processes are failing, causing access creep.
Whatever your circumstances, you might start shopping around for software that can solve your problem. But that’s misguided and won’t address the pressures you face. I’ll explain why later. First, let’s take a deeper look at those reasons above.
Increasing demands from regulation
Cyber security becomes every industry’s hot topic at some point. All it takes is a high-profile incident before the regulators decide to crack down. And when they do, knowing who has access to what will be a fundamental issue you’ll face.
This time, however, it won’t be your audit colleagues next door you have to worry about. It will be an external team, and the threat of fines and reputational damage for failing to meet regulatory demands.
To get auditors off your back
Access recertification is simple to understand. No matter how you recertify access, it always follows a standard set of steps. This makes it an easy target for auditors.
Because the process is simple, auditors don’t need to spend time getting up to speed. They can look at the evidence of your effectiveness and be confident that the report card they give you is correct. This leads to recertification being repeatedly targeted. At i-confidential we know that pain. For one client, we helped them through 10 audits in a single year.
When presented with risks to remediate, you’ll likely have to action them quickly. This is no time to be procuring, installing, and integrating the latest recertification software. It takes too long to get up and running.
Internal processes are failing, causing access creep
I mentioned above that recertification is simple. But simple doesn’t always mean easy.
There are common problems everyone faces – getting business buy-in, poor data quality, and integrating the process. If these aren’t handled properly, there’s a risk of failure.
When recertification isn’t carried out effectively, inappropriate access isn’t removed. This leads to access creep, where people accumulate more and more access because it’s never properly checked.
Consider the example of someone who previously worked in HR, yet retains those rights in their subsequent, unrelated role a year or more later. The risks that presents, especially when multiplied across an organisation, are clear to see. At some point, audit will certainly find out about it.