Seven steps to great access governance

17 October 2014


Richard Mardling

It is no longer acceptable not to know who has access to what. With ever-changing security boundaries, increasing collaboration, a widening variety of devices and the continued growth of cloud services, it is paramount that only the right people have approved access to your applications and data. Poor access governance and controls can damage your reputation and, ultimately, your profit; a number of high-profile organisations have lost significant amounts of money in recent years.

1) Conduct independent testing and verification

You need real assurance through independent testing and verification. A service that is separate from your ‘joiner-mover-leaver’ process and its controls (the technology that enforces them) gives you assurance that your controls are working, or shows where there is a deficiency and you need to take action.

2) Work out what really needs to be locked down

You should be aware of your risks and then manage them, not lock down so tightly that you choke the business. As soon as you do this, users will try to circumvent the process, resulting in more issues and unmanaged risk.

3) Access risk is a business mandate, not a function of internal audit or IT

Understanding is key to business ownership, and getting the language right is essential if this is to happen. You don’t want an “It’s English Jim, but not as we know it” scenario.

4) Don’t wait for internal audit to be there as a third line of defence

They should identify the extraordinary, rather than the regular.

5) Not all users are equal, therefore employ a risk-based approach to reviewing users’ entitlements

High-risk users need to be re-certified frequently, whereas users with low-impact entitlements can be subject to annual review, thereby saving time and money.

6) Having data in the cloud magnifies the impact of governance flaws

Often, cloud-based access is overlooked in favour of the more tangible on-premise access governance. This has a significant impact when managing leavers and disgruntled employees.
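Steps 1, 5 and 6 above come together in one routine check: pull the entitlements actually held in each system (on-premise directory and cloud applications alike), compare them with what HR says about each person, and work out which entitlements are due for review based on their risk tier. The script below is an added example written for this article, not code from the author or from any product; the HR roster, system names, group names, dates and the 90/180/365-day review intervals are all constructed assumptions.

```python
"""Reconcile an HR joiner-mover-leaver (JML) feed against the entitlements
actually held in on-premise and cloud systems, then flag which entitlements
are due for risk-based re-certification.

Everything here is constructed sample data; the systems, group names and
review intervals are assumptions for the example, not a real policy."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed re-certification interval per risk tier, in days.  High-impact
# entitlements come round quarterly, low-impact ones annually.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# Review date for the worked run (the article's publication date).
AS_OF = date(2014, 10, 17)


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str          # "ad" = on-premise directory; "saas-*" = cloud apps
    name: str            # group or role name in that system
    risk: str            # "high", "medium" or "low"
    granted_for: str     # department the access was approved for
    last_certified: date


# Constructed HR roster: user -> (employment status, current department)
HR_ROSTER = {
    "alice": ("active", "finance"),
    "bob":   ("left", "finance"),        # leaver
    "carol": ("active", "engineering"),  # mover: came from finance
    "dave":  ("active", "sales"),
}

# Constructed entitlement export, pulled from each system independently of
# the JML tooling so it can be checked against HR rather than trusted.
ENTITLEMENTS = [
    Entitlement("alice", "ad", "FIN-Payments-Approvers", "high", "finance", date(2014, 9, 1)),
    Entitlement("bob", "ad", "FIN-Ledger-Readers", "low", "finance", date(2014, 1, 15)),
    Entitlement("bob", "saas-crm", "Admin", "high", "finance", date(2014, 6, 1)),
    Entitlement("carol", "ad", "FIN-Ledger-Readers", "medium", "finance", date(2014, 5, 1)),
    Entitlement("carol", "saas-repo", "Developer", "medium", "engineering", date(2014, 9, 20)),
    Entitlement("dave", "saas-crm", "SalesRep", "low", "sales", date(2013, 10, 1)),
    Entitlement("erin", "saas-crm", "Admin", "high", "sales", date(2014, 8, 1)),
]


def reconcile(roster, entitlements):
    """Compare held access with HR status.  Returns a dict of findings:
    'leaver' - access still held by someone HR says has left,
    'mover'  - access approved for a department the user is no longer in,
    'orphan' - access held by someone HR does not know at all
               (typically an account created outside the JML process)."""
    findings = {"leaver": [], "mover": [], "orphan": []}
    for ent in entitlements:
        if ent.user not in roster:
            findings["orphan"].append(ent)
            continue
        status, department = roster[ent.user]
        if status == "left":
            findings["leaver"].append(ent)
        elif ent.granted_for != department:
            findings["mover"].append(ent)
    return findings


def overdue_certifications(entitlements, today):
    """Return (entitlement, days_overdue) for every entitlement whose
    risk-tier review interval has elapsed since it was last certified,
    most overdue first."""
    overdue = []
    for ent in entitlements:
        due = ent.last_certified + timedelta(days=REVIEW_INTERVAL_DAYS[ent.risk])
        if today > due:
            overdue.append((ent, (today - due).days))
    return sorted(overdue, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, ENTITLEMENTS).items():
        for ent in items:
            print(f"{kind:7} {ent.user:6} {ent.system:10} {ent.name} ({ent.risk} risk)")
    for ent, days in overdue_certifications(ENTITLEMENTS, AS_OF):
        print(f"overdue {ent.user:6} {ent.system:10} {ent.name} by {days} days")
```

Run against the sample data, the leaver check catches bob's cloud admin role as well as his directory group, the mover check catches the finance group carol kept after moving to engineering, and the orphan check surfaces erin's cloud account, which HR has never heard of. The re-certification pass puts bob's high-risk cloud role at the top of the queue, while low-risk entitlements only appear once their annual review has lapsed.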

7) Digital trust is vital in an ever-connected world

Protect what matters and feel confident that you are doing it through strong access control and access re-certification.


For related information, search the hashtag #digitaltrust