Access Recertification - An IT Control for Preventing Unauthorized Access
Sanobar Khan
Product Manager | Identity and Access Management, Data Leakage Prevention, Data Migration, Data Classification
Access Recertification
Access recertification is an IT control that involves reviewing user access rights to verify that they are correct and comply with the organization's internal rules and compliance standards. Access recertification is often the duty of the organization's Chief Information Security Officer (CISO) or Chief Compliance Officer (CCO), and it is also known as access attestation or entitlements review.
Access recertification can be done manually or automatically. The first stage in a manual recertification process is to collect and compile account information from the organization's IT and business systems and present it in a way that allows each manager to quickly understand what capabilities each of his or her workers has been granted. Managers are then given a timeframe to analyze the material, identify problematic access and verify appropriate access. One disadvantage of this approach is that recertification may be performed infrequently, and some managers may overlook the necessity of access recertification and rubber-stamp their verifications.
Access governance software may be used in large businesses to automate the recertification process and guarantee that reviews are performed on a regular basis. After the data has been retrieved and normalized, the programme issues recertification requests using a message template. If the recipient of a recertification request does not answer within a certain amount of time, the programme suspends the recipient's access credentials and notifies the recipient's management. The cost of the software, as well as the time, effort and technical expertise required to ensure compatibility with legacy systems, are the challenges of this method.
Where Is Access Recertification Required?
Access recertification is done for all assets: applications, services, infrastructure and physical access. Physical access covers general building access, specific building access and server-room access; general building access is recertified annually, while specific building access is recertified twice a year because those areas are highly secure. The aim is that users retain only the least access required for their Business As Usual (BAU) activities.
Types of Accesses
There are two types of access:
1. General access: the default access given to any user who joins the organization, as defined by the organization's compliance and security policies. These accesses are recertified annually.
2. Privileged access: a user who is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform, for example admin access, super-admin access and system accounts. These accesses are recertified twice a year.
For example, if user A has two general account accesses and one privileged account access, all of that user's accesses are recertified twice a year because of the privileged account. If user B has three general account accesses, that user's accesses are recertified annually. In other words, a user holding at least one privileged account is treated as critical and recertified twice a year.
Recertification Process
A campaign is launched by the recertification tool according to the criticality of the assets, and the asset owners are notified. Before a campaign is launched, one of the most important checks is to verify that every asset has an owner defined and allocated; if an asset has none, the grey list management team is notified so that it can allocate a new owner and recertification can proceed. As mentioned above, recertification can be done manually or automatically. In manual recertification, asset owners are asked to provide the list of users who have access to their assets, which is then compared with the feed in which all user accesses are recorded; users found in the feed who are not supposed to have access are notified and their access is removed. In automatic recertification, when a campaign is launched (annually or twice a year) all asset owners are asked to review the current accesses and recertification is carried out on the basis of that review.
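As an added illustration (not part of the article or any product it describes), the following Python model captures the rules above: the twice-a-year versus annual cadence from the Types of Accesses section, the owner check before a campaign is launched, and the manual reconciliation of owner-attested users against the central access feed. All users, assets and owners are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    asset: str
    privileged: bool = False


# Constructed sample data: the central access feed and the asset-owner register.
ACCESS_FEED = [
    Account("alice", "hr-app"), Account("alice", "payroll-db", privileged=True),
    Account("bob", "hr-app"), Account("bob", "wiki"),
    Account("carol", "server-room"), Account("carol", "orphan-tool"),
]
ASSET_OWNERS = {"hr-app": "hr-lead", "payroll-db": "finance-lead",
                "wiki": "it-lead", "server-room": "facilities-lead"}  # "orphan-tool" has no owner


def recert_interval_days(accounts):
    """Annual by default; half-yearly if the user holds at least one privileged account."""
    return 182 if any(a.privileged for a in accounts) else 365


def next_recert_dates(feed, last_certified):
    """Map each user to the date their next recertification is due."""
    by_user = {}
    for acct in feed:
        by_user.setdefault(acct.user, []).append(acct)
    return {user: last_certified + timedelta(days=recert_interval_days(accts))
            for user, accts in by_user.items()}


def ownerless_assets(feed, owners):
    """Assets present in the feed with no owner: refer to grey list management before launch."""
    return sorted({a.asset for a in feed if a.asset not in owners})


def reconcile(feed, asset, owner_attested_users):
    """Manual recertification: users in the feed the owner did not attest are revocation candidates."""
    actual = {a.user for a in feed if a.asset == asset}
    return sorted(actual - set(owner_attested_users))


if __name__ == "__main__":
    print(ownerless_assets(ACCESS_FEED, ASSET_OWNERS))
    print(next_recert_dates(ACCESS_FEED, date(2024, 1, 1)))
    print(reconcile(ACCESS_FEED, "hr-app", ["alice"]))
```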
Recertification Model
The recertification model defines who is responsible for recertifying accesses. Usually this is done by:
i. the user (self-recertification)
ii. the user's line manager
iii. asset owners, group owners, service owners, infrastructure owners and location owners (physical security)
For system accounts or robot accounts, recertification is done by the service or group owners, while for user accounts the parties listed above are responsible.
Revocation Model
This defines who is authorized to remove access once recertification is complete. The recertification team is normally responsible for revoking access, which is done by raising a disable request through the access management tool. For system and robot accounts, the service or group owners are responsible.
Paul Hamilton (2 years ago): This article is written in general but can be linked with our project.