Remediation and validation
When change is required to a user's access, ensuring that the change request took effect (entitlement assignment or revocation) is critical. Having an automated, closed-loop remediation and validation process will ensure that application owners and system administrators have executed on the access change request in a timely fashion.
Access review and certification
Whatever the cause, organizations that do not certify access on a regular basis are most susceptible to "entitlement creep" and to prolonged exploitation by system intruders whose access, once established, goes unnoticed. Review and certification provide a set of detective controls that are typically required by many regulations and industry mandates, a few of which are HIPAA, the Sarbanes-Oxley Act (SarbOx), the Payment Card Industry Data Security Standard (PCIDSS), the Federal Information Security Management Act (FISMA), and Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) guidelines.
By putting a roles-based access governance approach in place, an organization will be well on its way to managing the business and regulatory risks of inappropriate access to its information resources. The right solution requires a strategic approach for access governance that is based on automated business processes and controls for managing the constant change to user access, while ensuring visibility and accountability of access across the entire enterprise.
Brian Cleary is Vice President of Products and Marketing at Aveksa. Brian is responsible for all of Aveksa's marketing activities including product marketing and management, marketing strategy and development. Brian brings more than 15 years of success in directing technology marketing initiatives for both emerging technology companies and top-tier enterprise software vendors to his position. Most recently, Brian served as vice president of marketing for OpenPages. He also served as senior vice president of marketing at Computer Associates (CA).
Prior to CA, Brian directed the corporate marketing efforts at Netegrity (acquired by CA in 2004). Brian was also a member of the senior management team at both Allaire Corporation and Macromedia. Brian is an author and frequent speaker at industry events on the topic of governance, risk and compliance management. He can be reached at email@example.com.