Recertification Health Check – 6 Steps
The regulatory push toward formal recertification of entitlements and privileges finds many enterprises in new compliance territory. PathMaker Group Chief Architect Jerry Castille shares six critical best practices to ensure strong governance.
1) Identify Target Applications: Collecting an inventory of applications that fall within the scope of a certification campaign’s requirements is the first step in a successful certification process. This inventory will detail application information relevant to the execution of your campaign.
2) Gather Accounts & Grants: For each application identified, I work with your team to determine the optimal approach for the extraction of accounts and group/role memberships from each target. If necessary, we will work with your team to develop a process for the normalization of this data into machine consumable output.
3) Entitlement Definition Workshop: Using our guided workshop format, we will work with your team of application and business process owners to define the set of entitlements within each application that will need to be certified. At the end of these workshops, your team will be enabled to define and maintain an inventory of items within each application that require access certification.
4) Gather Authoritative User Data: At this step of the process, PathMaker works with your organization to identify the individuals that will be included in the certification process. This includes individuals whose access is being certified, individuals approving access, as well as system owners that will be approving accounts that can not be directly associated with a human user (orphan and service accounts.)
5) Import Campaign Data: All of the work up to this point has been to develop a reusable set of processes that can be re-used to facilitate the adoption of a robust enterprise governance product. During this step, import the data gathered during previous exercises into the PMG Certification Toolkit for analysis. Upon completion, execute your certification campaign.
6) Execute Campaign: Using the parameters defined during our workshop, a good toolkit will produce actionalble analytics for approvers and system owners within your organization. Participants will then “Certify”, “Revoke”, or “Modify” each entitlement that requires their approval. Once an approver completes their certification tasks, the data is imported back into the toolkit.
7) Measure Results: After importing analytics into the toolkit, a report is generated with any entitlements that will need to be revoked or modified. This report can be used by your organization to drive administrative activities required to remove any unnecessary entailments from your user population.