In today's dynamic business environment, it's essential for organizations to have an effective access review process that ensures user access privileges align with job functions. Users with unnecessary, excessive or inappropriate access rights increase the risk of data breach, compromising sensitive information. And effective access governance requires organizations to establish policies and procedures to manage access rights, especially if they are subject to industry or government regulations such as SOX, HIPAA, GLBA, PCI DSS, BASEL II and others.
Identify, Modify and Certify Access
Access Certification is an on-going process that allows organizations to manage risk by identifying, certifying, and modifying user access to vital corporate resources, and demonstrate compliance with corporate policies and key industry and government regulations as part of a comprehensive Access Compliance Management strategy. This includes:
- Identifying who has access to what resources
- Displaying access rights in business-friendly terms allowing business managers to determine if user access is consistent with policy
- Modifying access where appropriate by automatically changing, disabling or deleting access rights without requiring an enterprise provisioning solution
Organizations need an information security policy designed to:
- Allow only users with a business need access to sensitive and protected data
- Review access privileges to confirm they are aligned with corporate policies and government regulations
- Take immediate action to remediate inappropriate user access
To be effective, organizations need to:
- Identify sensitive data and applications, and who has access to them
- Identify users with unnecessary or inappropriate access rights
- Deliver this information to business managers in easy-to-understand terms
- Validate and approve which access rights are appropriate or require modifications
- Automatically modify, disable or delete inappropriate access rights, without requiring a provisioning solution
Eliminate the Rubber Stamp
Many businesses still rely on complex, manual compliance activities — collecting user entitlement information from a myriad of IT systems and applications, and entering the data into massive spreadsheets where overworked managers (who may not understand the business context of what they're certifying) rubber-stamp the results. Even when inappropriate access rights are identified, it may be days, weeks or months after data has been compromised. The result — the lack of automated remediation increases the risk of compromising sensitive and protected data, and makes demonstrating compliance labor-intensive, time-consuming and open to human error.
The Synergy of Identity, Sensitive Data and User Activity
Some companies locate sensitive data on various systems using data loss prevention (DLP) products. Others monitor user activity to flag suspicious user actions — significant after-hours activity or unusual transaction volumes — using security information and event management (SIEM) and other access logging systems (e.g., enterprise single sign-on, application-specific logs, database activity logs, etc.).
DLP and SIEM tools help identify data or users that represent a higher than normal risk to the business. Combining these data with detailed user profile information, and delivering the result to business managers in business-friendly terminology, gives organizations the power to respond appropriately, and without delay, to the level of risk.
Meeting the Challenge with ComplianceCourier
To meet these challenges, Courion delivers ComplianceCourier™ Access Compliance Management. ComplianceCourier automates the access compliance management lifecycle — enabling organizations to strengthen controls and demonstrate compliance easily, while reducing the time and costs involved.
Entitlements reviews made easy with business-friendly design
Designed for business users and IT or security administrators, ComplianceCourier allows authorized users to review business-friendly entitlements definitions, and easily certify, modify or revoke user access rights. Integration with leading DLP and SIEM tools correlates sensitive data alerts (generated by DLP) or user activity alerts (from SIEM) with user access rights to provide the manager with a comprehensive user profile, including what data the user has access to, as well as previous activity patterns.
Potential access risks highlighted in visually rich, interactive environment
Data is delivered using a visually rich, interactive environment that enables the business manager to filter, sort, and reorganize the information to meet his or her specific analysis needs. ComplianceCourier highlights instances where access rights violate policy, such as access to sensitive data that is not part of the individual's business role, or Segregation of Duties (SOD) violations. The manager can then take a number of actions, including: approval and attestation, direct remediation, integration with a provisioning engine, initiating a help desk trouble ticket, or sending an email notification to a designated authority.
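The review steps listed earlier (identify who has access to what, flag unnecessary or inappropriate rights, present the result to a manager for certification or remediation) and the policy checks described above (access to sensitive data outside the user's business role, SOD violations) can be made concrete with a small script. The following is an added example, not ComplianceCourier code or any Courion API; the role model, sensitivity labels, SOD rules, user records and entitlement names are all constructed for illustration.

```python
"""Added example: a minimal access-certification pass over constructed entitlement data.

For each user it compares held entitlements with the entitlements expected for the
user's business role, labels anything outside the role (and whether it touches
sensitive data), checks Segregation of Duties (SOD) rules, and maps every finding
to a suggested remediation so a reviewer is not left rubber-stamping a raw list.
"""
from dataclasses import dataclass

# Constructed role model: which entitlements each business role is expected to hold.
ROLE_ENTITLEMENTS = {
    "accounts_payable_clerk": {"erp.invoice.create", "erp.vendor.view"},
    "ap_supervisor": {"erp.invoice.approve", "erp.vendor.view", "erp.payment.release"},
    "hr_analyst": {"hris.employee.view"},
}

# Constructed sensitivity labels, as a DLP scan might report them per resource.
SENSITIVE_ENTITLEMENTS = {
    "hris.employee.view": "PII",
    "erp.payment.release": "Financial",
}

# Constructed SOD rules: holding both entitlements in a pair is a conflict.
SOD_RULES = [
    ("erp.invoice.create", "erp.invoice.approve"),
    ("erp.vendor.create", "erp.payment.release"),
]


@dataclass
class User:
    name: str
    role: str
    entitlements: set


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str            # "out_of_role", "sensitive_out_of_role" or "sod"
    entitlements: tuple  # the entitlement(s) involved
    action: str          # suggested remediation for the reviewer


# Constructed user records (hypothetical names and access).
USERS = [
    # Clerk who also picked up approval rights: out of role and an SOD conflict.
    User("alice", "accounts_payable_clerk",
         {"erp.invoice.create", "erp.vendor.view", "erp.invoice.approve"}),
    # HR analyst holding a financial entitlement that no HR role needs.
    User("bob", "hr_analyst", {"hris.employee.view", "erp.payment.release"}),
    # Supervisor whose access exactly matches the role: nothing to remediate.
    User("carol", "ap_supervisor",
         {"erp.invoice.approve", "erp.vendor.view", "erp.payment.release"}),
]


def review_user(user: User) -> list:
    """Return the policy findings for one user (empty list means access matches policy)."""
    expected = ROLE_ENTITLEMENTS.get(user.role, set())
    findings = []
    # Anything held beyond the role is a candidate for revocation; sensitive data is
    # called out separately so the reviewer sees the higher risk at a glance.
    for ent in sorted(user.entitlements - expected):
        kind = "sensitive_out_of_role" if ent in SENSITIVE_ENTITLEMENTS else "out_of_role"
        findings.append(Finding(user.name, kind, (ent,), "revoke"))
    # SOD conflicts need a human decision about which side to remove, so escalate.
    for a, b in SOD_RULES:
        if a in user.entitlements and b in user.entitlements:
            findings.append(Finding(user.name, "sod", (a, b), "escalate"))
    return findings


def certification_status(findings: list) -> str:
    """Collapse a user's findings into the decision the reviewer is asked to make."""
    if not findings:
        return "certify"
    if any(f.kind == "sod" for f in findings):
        return "escalate"
    return "remediate"


def build_review(users: list) -> dict:
    """Produce the per-user review table a manager would be shown."""
    return {u.name: (certification_status(review_user(u)), review_user(u)) for u in users}


if __name__ == "__main__":
    for name, (status, findings) in build_review(USERS).items():
        print(f"{name}: {status}")
        for f in findings:
            print(f"  {f.kind}: {', '.join(f.entitlements)} -> {f.action}")
```

Running the script lists alice as "escalate" (an out-of-role approval right plus an SOD conflict), bob as "remediate" (a sensitive financial entitlement outside the HR role, suggested action revoke) and carol as "certify". In a real deployment the role model and sensitivity labels would come from the identity store and DLP inventory rather than being hard-coded, and the "revoke" action would be wired to the target system or a provisioning engine.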
Inappropriate access quickly evaluated and remediated
Unlike competing products that present user access rights data without the ability to take direct remedial action, Courion delivers the information managers require to effectively evaluate the level of risk, and take direct remedial action to mitigate that risk.
Effective access certification without a provisioning solution
Courion’s access certification solution enables authorized business managers to review user access rights to any enterprise platform or application, and directly change, disable or delete inappropriate rights and entitlements — without requiring an enterprise provisioning solution. Alternatively, if an organization already has a provisioning solution in place, ComplianceCourier can leverage that investment.