• i-confidential

Auditors Love Recertification: How to Handle the Pressure



By Chris Harragan, Security Analyst at i-confidential

 

Access recertification is an easy target for auditors.


It’s one of the simplest parts of cyber security to understand, so audit pick on it frequently.


For those that don’t know what it is, here’s a quick introduction:

  • It reviews the level of access people have to their organisation’s systems.

  • It ensures people have only the minimum access required for their job.

  • It’s required to ensure compliance with data protection legislation and regulation.


The legislative requirements are another reason access recertification receives a high degree of audit scrutiny.


And for an outsider the process is simple to follow. That makes it easy for auditors to poke holes in.


At a high level the access recertification process is:

  1. Obtain system access data.

  2. Get line managers to review their team’s access.

  3. Instruct administrators to remove all access that is no longer needed.


Again, this sounds simple from the outside, but it’s not as easy on the inside.


At each stage of the process you’re dealing with lots of people and data. This provides ample opportunity for things to go wrong.


For example, critical data may not arrive on time, the quality of the data might not be up to standard, and there can be struggles getting adequate responses from line managers.


When you’re under pressure from auditors, you naturally want to consult people who are experts. Internally, you might not have experienced this before and therefore struggle to meet audit expectations. A primary reason many companies contact us to discuss our Access Recert service is the experience we have gained dealing with auditors over many years in a variety of circumstances.


Having survived your audit, you then carry out a recertification of the audited applications. And you feel safe in the knowledge that you got audit off your back.


Wrong!


Audit won’t just look at it once. They’ll review it time and time again. We know. We’ve dealt with countless audits. In one organisation it was 10 audits in a single year. We’ve seen all the common recertification failings that auditors pick up on – it always stems from the data or the process.


What you need to do is stay on top of it so you’re not always chasing your tail. It’s only by consistently proving compliance to audit that you begin to ease the pressure.


And if you do stay on top of it, you start to see some of the long-term benefits of implementing a consistent recertification process.


Our Access Recert service is proven to stand up to audit scrutiny:

  • Our consistent approach accurately identifies the access rights requiring revocation.

  • We review quarterly, so users don’t hold on to inappropriate access for long.

  • It’s easily scalable to increase the coverage of the applications being reviewed.


Want to learn more? Contact us at info@i-confidential.com