ComplianceCourier™
Access Certification and Compliance Management
As information availability increases exponentially, the risk that vital information assets may be compromised by users with inappropriate access rights also grows, especially for organizations that need to comply with a growing assortment of industry requirements and government regulations governing access to sensitive information. Using automation to meet access certification and policy verification requirements (e.g., ensure only users with a business need-to-know have access to sensitive data, block segregation-of-duties violations, eliminate orphan accounts) has tangible bottom-line implications for companies in all industries, since manual audit compliance can significantly increase cost of operations.
ComplianceCourier, Courion's access certification, verification and policy compliance software, automates the access certification and compliance process. ComplianceCourier is the industry’s first access certification product that enables authorized business managers to review and certify the access rights of users they are responsible for, using terminology they understand, and take immediate remedial action when they identify entitlements that are inconsistent with policy or regulatory requirements—without requiring an enterprise provisioning solution.
Features
- Delivers periodic automated user access review and required remediation
- Enables a range of remediation options, e.g., email notification, help desk trouble tickets, immediate modification of access rights, or integration with third-party provisioning tools (Courion’s and others).
- Powerful, flexible worksheets enable managers to quickly and easily analyze and display user access information, including data collected from sensitive data discovery and user activity log files.
- Provides the ability to define, audit, and enforce key access policies, such as segregation of duties (SoD) or orphan account analysis.
- Optionally blocks user access to resources until policy awareness testing is passed
- Automatically triggers compliance actions based on user provisioning events
Benefits
- Enables performance of efficient, repeatable compliance audits for time and cost savings
- Creates audit trails of manager attestation actions
- Allows delegation of employee access rights review to appropriate business managers
- Slashes time, effort and costs of previously manual compliance activities
Sensitive Data Certification and Compliance
ComplianceCourier goes beyond simple certification and remediation by delivering integration with the industry’s leading data loss prevention (DLP) products, adding an identity context to the analysis of sensitive data access. If a DLP solution locates sensitive data (e.g., Social Security numbers or credit card numbers) in a document, a manager uses ComplianceCourier’s Sensitive Data Manager module to identify users who have access to that information, and can either remediate access to the sensitive data or formally attest that it is within policy. The combination of identity and DLP enables the business to better understand the risk of DLP-raised incidents and violations and enables the appropriate remediation or attestation actions by the business.
User Activity and Compliance
ComplianceCourier also provides the ability to review user activity through integration with leading user activity repositories, such as security incident and event management (SIEM) tools, enterprise single sign-on log files and application logs. Courion’s User Activity Manager module enables business managers to bring a deeper awareness of which users have accessed what resources. This allows them to effectively verify compliance with access policies or flag suspicious user actions—such as significant after-hours activity or unusual transaction volumes—for further action or remediation, based on the identity context provided by Courion. This capability also enables the organization to identify over-provisioned users and avoid paying excess license or maintenance fees on systems that users have access to, but are not using as part of their job.
Advanced Worksheets and Risk Management Analysis
ComplianceCourier delivers powerful, interactive compliance worksheets that advanced users can manipulate to dynamically sort, filter and group user access data, providing the ability to manipulate large data sets (such as from DLP or SIEM tools) and focus on specific slices of interest.
While the interactive worksheet provides a rich, powerful interface for viewing compliance data and verifying access, it is often desirable to provide end users with a simpler interface that can make it easier to perform specific attestation or reporting functions. ComplianceCourier administrators can customize worksheets to meet end users' needs to easily perform review and attestation functions.
Courion also provides advanced analysis and graphing capabilities. The Advanced Analytics framework includes a web interface that organizes and presents graphical charts and a model for defining charts, dashboards and other graphical tools without requiring any programming.
These features allow organizations to create flexible risk management tools that security operations, compliance managers, and line-of-business managers can all use to quickly and easily monitor and manage user access and activity in order to manage and reduce risk. Sample reports deliver regulation-specific overviews and trending information, such as detecting and reviewing sensitive data violation trends.
Automatically Approve Or Remediate Access Rights
If access rights to sensitive data or applications are appropriate, the manager can certify that access is legitimate or approve exceptions to policy, where warranted.
If changes to a user's access rights are required, ComplianceCourier supports a wide range of remedial actions. These include:
- Send an email notification to a security officer, compliance officer, application owner, system administrator, etc., for them to take appropriate action.
- Open a trouble ticket to initiate and track resolution.
- Directly change, disable or delete inappropriate access rights, using Courion’s integrated workflow engine and Connector Framework. Courion is the only vendor to deliver direct remediation without requiring the deployment of a provisioning solution.
- If a provisioning product is in place, communicate with the product, whether it is from Courion or another vendor, to trigger appropriate actions to automatically remediate corrections.
Courion is the only vendor to deliver an access certification and compliance management solution that provides this full range of remedial actions.
Proactively Confirm Users' Allocated Resources
ComplianceCourier automates the processes required to comply with federal and industry regulations and business policies.
- Automatically notify business managers when it is time to confirm user access rights in compliance with company policy.
- Provide security and business managers with compliance information necessary to confirm appropriate user access rights.
- Initiate corrective actions automatically.
- Track and store managers' attestation for each user.
- Administer self-service policy awareness training and testing for end users.
- Inform managers which employees have passed policy awareness tests and optionally block access to applications pending a passing score.
- Require confirmation and validation of user access rights at scheduled intervals or in real-time.
- Map user identities, profiles, and access rights across disparate data sources.
Achieve Compliance Amid Increasing Regulations
ComplianceCourier automates a broad set of processes necessary for organizations to achieve compliance with government and industry regulatory requirements. ComplianceCourier extends the responsibility and accountability for compliance to line-of-business managers by providing a self-service policy evaluation and awareness testing framework which presents information to the user using business terms, rather than arcane, unfamiliar IT-specific terminology.
ComplianceCourier uses corporate policy guidelines to determine how frequently employees need their access to sensitive resources reviewed and verified. It identifies affected employees for each manager, enabling them to review the employee's access rights, compare them to those designated as appropriate according to policy, and ultimately confirm that the employee’s access is appropriate.
An important aspect of compliance management is to check for policy violations, particularly over-provisioning and segregation of duties. Over-provisioning violates the principle of least privilege, which holds that users should be granted minimal access rights consistent with their business function. ComplianceCourier can also evaluate the accounts and privileges held by a user to determine if any privileges overlap and create a segregation of duties violation.
If changes to a user's access rights are required, ComplianceCourier can package the results so that other applications such as AccountCourier® − Courion’s enterprise user provisioning solution − can trigger appropriate actions to initiate corrections automatically. This allows AccountCourier to supply additional value in overall account provisioning. Providing a separation between security policy and enforcement, ComplianceCourier can enable IT Security to review any or all exceptions to corporate policy.
Contact Courion for more information on how Courion's Access Assurance solutions can deliver results to your business.



