Seven steps to great access governance

17 October 2014


It is no longer acceptable to not know who has access to what. With ever-changing security boundaries, increasing collaboration, a widening variety of devices and the continued growth of cloud services, it is paramount that only the right people have approved access to your applications and data. Poor access governance and controls can damage your reputation and ultimately, profit; a number of high profile organisations have lost significant amounts of money in recent years.

1) Conduct independent testing and verification

You need real assurance through independent testing and verification. A service that is separate from your ‘joiner-mover-leaver’ process and controls (technology) provides you with the assurance that your controls are working, or clarifies where there is a deficiency and you need to take action.

2) Work out what really needs to be locked down

You should be aware of your risks and then manage them, not lock down so tightly that you choke the business. As soon as you lock down that tightly, users will try to circumvent the process, resulting in more issues and unmanaged risk.

3) Access risk is a business mandate, not a function of internal audit or IT

Understanding is key to business ownership, and getting the language right is essential if this is to happen. You don’t want an “It’s English Jim, but not as we know it” scenario.

4) Don’t wait for internal audit to be there as a third line of defence

They should identify the extraordinary, rather than the regular.

5) Not all users are equal, therefore employ a risk-based approach to reviewing users’ entitlements

High risk users need to be re-certified frequently, whereas users with low impact entitlements can be subject to annual review, thereby saving time and money.

6) Having data in the cloud magnifies the impact of governance flaws

Often, cloud-based access is overlooked in favour of the more tangible on-premise access governance. This has a significant impact when managing leavers and disgruntled employees.
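The following script is an added example, not code from the original post, showing how steps 1, 5 and 6 can be checked mechanically: an access export pulled independently from the systems is reconciled against the HR joiner-mover-leaver feed to find leavers who still hold entitlements (cloud ones flagged, since those are the ones most often missed), and each entitlement is tested against a risk-tiered re-certification interval. The HR records, access export, review date and the interval values are all constructed assumptions; the post only says “frequently” for high risk and “annual” for low impact.

```python
from datetime import date, timedelta

# Assumed review intervals per risk tier (the post gives no figures).
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# Constructed sample data: the HR feed (source of truth for leavers) and an
# access export taken directly from the systems, independent of the JML tooling.
HR_RECORDS = {
    "alice": {"status": "active"},
    "bob":   {"status": "left", "leave_date": date(2014, 9, 30)},
    "carol": {"status": "active"},
}
ACCESS_EXPORT = [
    # (user, system, location, entitlement, risk tier, last certified)
    ("alice", "payments", "on-prem", "approver", "high", date(2014, 6, 1)),
    ("alice", "intranet", "on-prem", "reader",   "low",  date(2013, 11, 1)),
    ("bob",   "crm-saas", "cloud",   "admin",    "high", date(2014, 8, 1)),
    ("carol", "crm-saas", "cloud",   "reader",   "low",  date(2014, 1, 15)),
]
AS_OF = date(2014, 10, 17)  # constructed review date


def find_leaver_access(hr, access, as_of):
    """Step 1: entitlements still live for people HR says have left, or for
    accounts HR does not know at all. Each one is a leaver-control failure;
    cloud entries are flagged because they are the ones most often overlooked."""
    findings = []
    for user, system, location, ent, _risk, _last in access:
        rec = hr.get(user)
        gone = rec is None or (rec["status"] == "left" and rec["leave_date"] <= as_of)
        if gone:
            findings.append({"user": user, "system": system,
                             "entitlement": ent, "cloud": location == "cloud"})
    return findings


def recertification_due(access, as_of, intervals=REVIEW_INTERVAL_DAYS):
    """Step 5: entitlements whose risk-tiered review window has elapsed."""
    return [(user, system, ent, risk)
            for user, system, _loc, ent, risk, last in access
            if as_of - last > timedelta(days=intervals[risk])]


if __name__ == "__main__":
    for f in find_leaver_access(HR_RECORDS, ACCESS_EXPORT, AS_OF):
        print("LEAVER STILL HAS ACCESS:", f)
    for d in recertification_due(ACCESS_EXPORT, AS_OF):
        print("RE-CERTIFICATION DUE:", d)
```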

7) Digital trust is vital in an ever-connected world

Protect what matters and feel confident that you are doing it through strong access control and access re-certification.


For related information, search the hashtag #digitaltrust
