Seven steps to great access governance
17 October 2014
It is no longer acceptable not to know who has access to what. With ever-changing security boundaries, increasing collaboration, a widening variety of devices and the continued growth of cloud services, it is paramount that only the right people have approved access to your applications and data. Poor access governance and controls can damage your reputation and, ultimately, profit; a number of high-profile organisations have lost significant amounts of money in recent years.
1) Conduct independent testing and verification
You need real assurance through independent testing and verification. A service that is separate from your ‘joiner-mover-leaver’ process and controls (technology) provides you with the assurance that your controls are working, or shows where there is a deficiency that you need to act on.
2) Work out what really needs to be locked down
You should be aware of your risks and then manage them, not lock down so tightly that you choke the business. If you do, users will try to circumvent the process, resulting in more issues and unmanaged risk.
3) Access risk is a business mandate, not a function of internal audit or IT
Understanding is key to business ownership and getting the language right is essential if this is to happen. You don’t want a “It’s English Jim, but not as we know it” scenario.
4) Don’t wait for internal audit to be there as a third line of defence
Internal audit should identify the extraordinary, rather than the regular.
5) Not all users are equal, therefore employ a risk-based approach to reviewing users’ entitlements
High-risk users need to be re-certified frequently, whereas users with low-impact entitlements can be subject to annual review, thereby saving time and money.
6) Having data in the cloud magnifies the impact of governance flaws
Often, cloud-based access is overlooked in favour of the more tangible on-premise access governance. This has a significant impact when managing leavers and disgruntled employees.
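The independent check of step 1, the risk-based review cadence of step 5 and the cloud blind spot of step 6 can be exercised together in a small reconciliation script. This is an added example, not the article's own tooling: it assumes an HR status export, an on-premise entitlement export and a cloud entitlement export (all constructed here), and an assumed risk model in which named high-impact entitlements are re-certified every 90 days and everything else annually.

```python
from datetime import date, timedelta

# Constructed sample extracts (not from the article): HR status per user, and
# entitlement exports from an on-premise directory and a cloud service.
HR_STATUS = {"alice": "active", "bob": "leaver", "carol": "active", "dave": "leaver"}
ONPREM = {"alice": {"finance-share"}, "bob": {"domain-admins"}, "carol": {"hr-share"}}
CLOUD = {"alice": {"mailbox"}, "carol": {"mailbox"}, "dave": {"crm-admin"},
         "erin": {"mailbox"}}

# Assumed risk model: these entitlements are high impact, everything else is low,
# and each tier has its own re-certification interval (step 5).
HIGH_IMPACT = {"domain-admins", "crm-admin"}
REVIEW_INTERVAL_DAYS = {"high": 90, "low": 365}


def risk_tier(entitlements):
    return "high" if entitlements & HIGH_IMPACT else "low"


def reconcile(hr_status, onprem, cloud):
    """Independent check of the joiner-mover-leaver controls (step 1): report
    every holder of on-prem or cloud access who is not an active employee.
    Cloud entitlements are checked alongside on-prem ones (step 6)."""
    findings = []
    for user in sorted(set(onprem) | set(cloud)):
        status = hr_status.get(user, "unknown")   # not in HR at all -> unknown
        if status == "active":
            continue
        for source, ents in (("onprem", onprem.get(user, set())),
                             ("cloud", cloud.get(user, set()))):
            if ents:
                findings.append((user, status, source, sorted(ents)))
    return findings


def next_review(entitlements, last_certified, today):
    """Risk-based re-certification: due date and overdue flag for one user.
    Dates are ISO strings so the result is easy to log or export."""
    tier = risk_tier(entitlements)
    due = date.fromisoformat(last_certified) + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
    return tier, due.isoformat(), date.fromisoformat(today) > due


if __name__ == "__main__":
    for finding in reconcile(HR_STATUS, ONPREM, CLOUD):
        print("access held by non-active user:", finding)
    print(next_review({"domain-admins"}, "2014-01-01", "2014-10-17"))
```

The leaver who still holds only cloud access is reported exactly like the one with on-prem access, which is the gap step 6 warns about.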
7) Digital trust is vital in an ever-connected world
Protect what matters and feel confident that you are doing it through strong access control and access re-certification.