Compliance
What is Compliance and Why is it Necessary?
Compliance is the foundation of securing an organization and of ensuring that all access is properly governed through oversight mechanisms including assessments, attestation, re-certification, remediation and continuous monitoring. Without these mechanisms, organizations risk losing control of their business. Compliance should be the foundation of how an IGA solution is built, shaping how Identities are provisioned, how access is approved, and who is allowed to perform the actions necessary to maintain compliance.
Regulatory compliance is driving much of the Identity Management industry. Organizations demand, and experts agree, that compliance must be treated as an ongoing process, not an event. Organizations that incorporate compliance into everyday business processes will comply more cost-effectively with Sarbanes-Oxley, GLBA, HIPAA, and other regulations. Additionally, many benefits will be realized, including cost containment, improved internal controls, better risk management and increased operating efficiency – all leading to an improved bottom line.
Every Identity Management activity can be recorded and audited in real time. Separation of duties (SoD), exception reporting, and other essential compliance events are automatically tracked as part of the execution of everyday business processes. Recertification and approval notifications will be sent to the participants specified by the administrator.
Governance Framework
Assessment
An assessment is a method of consolidating the data necessary to determine non-compliance.
Attestation
Attestation is the act of reviewing the information compiled by an assessment. The act of attestation results in a “certified” access profile for a given Identity.
Reconciliation
Reconciliation is the process through which authorized personnel and/or compliance administrators determine whether the access held by an Identity is correct. If the access associated with an Identity is in question, corrective actions are required.
Remediation
Remediation is the act of removing or modifying access from an Identity when it is determined that the user is not authorized to hold their existing access.
Certification
Certification is the culmination of the above actions. Organizations may choose to use only attestation, reconciliation, or remediation as the actions taken within their access review campaigns. Defining the flow of the access review is therefore part of the work, with the ultimate end result being a certified set of access.
Continuous Monitoring
Continuous monitoring is a form of threat detection that lets organizations define a set of resources and/or Identities to be monitored constantly for any change in access from the Identity context.
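The framework above (assessment, attestation/reconciliation, remediation, certification and continuous monitoring) as an added example in Python; this is not code from the original page or from any IGA product, and the identities, entitlements, SoD rules and authorization model are constructed sample data.

```python
# Constructed sample data (not from any real system): entitlements each Identity currently holds.
ACCESS = {
    "alice": {"ap_create_vendor", "ap_approve_payment", "crm_read"},
    "bob": {"crm_read", "hr_salary_edit"},
}
# Constructed SoD rules: entitlement pairs a single Identity must never hold together.
SOD_RULES = [frozenset({"ap_create_vendor", "ap_approve_payment"})]
# Constructed authorization model: the access each Identity is entitled to by role.
AUTHORIZED = {
    "alice": {"ap_create_vendor", "ap_approve_payment", "crm_read"},
    "bob": {"crm_read"},
}

def assess(access, sod_rules, authorized):
    """Assessment: consolidate the data needed to flag non-compliant access per Identity."""
    findings = {}
    for ident, ents in access.items():
        flagged = set(ents - authorized.get(ident, set()))                  # not authorized
        flagged |= {e for rule in sod_rules if rule <= ents for e in rule}  # SoD conflict
        findings[ident] = flagged
    return findings

def reconcile(findings, decisions):
    """Attestation + reconciliation: the reviewer decides keep/revoke per flagged entitlement.
    decisions maps (identity, entitlement) -> "keep" | "revoke"; undecided flags stay open."""
    revoke, unresolved = set(), set()
    for ident, flagged in findings.items():
        for e in flagged:
            d = decisions.get((ident, e))
            if d == "revoke":
                revoke.add((ident, e))
            elif d != "keep":
                unresolved.add((ident, e))
    return revoke, unresolved

def certify(access, revoke, unresolved):
    """Remediation + certification: apply revocations and certify only Identities with no open findings."""
    blocked = {ident for ident, _ in unresolved}
    return {ident: {e for e in ents if (ident, e) not in revoke}
            for ident, ents in access.items() if ident not in blocked}

def monitor(certified, current):
    """Continuous monitoring: report any access that differs from the certified profile."""
    return {ident: {"added": current.get(ident, set()) - cert,
                    "removed": cert - current.get(ident, set())}
            for ident, cert in certified.items() if current.get(ident, set()) != cert}
```

An Identity with an undecided finding is deliberately left out of the certified set, so a campaign cannot silently certify access nobody reviewed.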