ComplianceCourier™ Access Compliance Management
Automates the access compliance management lifecycle, enabling authorized business managers to certify or revoke access rights for users they supervise, using business-friendly entitlement definitions, as part of an Access Compliance strategy.
- Improve the security of sensitive or regulated data
- Revoke inappropriate access rights without requiring an enterprise provisioning solution
- Enable demonstration of compliance with key industry and government regulations
- Integrate with DLP and SIEM technologies so that certification decisions reflect where sensitive data actually resides and how access is actually being used
- Reduce the effort required for managers to certify or remediate user access
- Leverage powerful, interactive analytical tools for monitoring and managing risk and compliance trends
Access Certification and Compliance Management
As information availability increases exponentially, the risk that vital information assets may be compromised by users with inappropriate access rights also grows, especially for organizations that need to comply with a growing assortment of industry requirements and government regulations governing access to sensitive information. Using automation to meet certification and policy verification requirements (e.g., ensure only users with a business need-to-know have access to sensitive data, block segregation-of-duties violations, eliminate orphan accounts) has tangible bottom-line implications for companies in all industries, since manual audit compliance can significantly increase cost of operations.
ComplianceCourier, Courion's access certification, verification and policy compliance software, automates the access certification and compliance process. ComplianceCourier is the industry’s first certification product that enables authorized business managers to review and certify the access rights of users they are responsible for, using terminology they understand, and take immediate remedial action when they identify entitlements that are inconsistent with policy or regulatory requirements—without requiring an enterprise provisioning solution.
Access Certification Portal
ComplianceCourier implements a comprehensive, end-to-end access certification process using a highly interactive Access Certification Portal. The Access Certification Portal provides a prescriptive approach, based on real world experience and industry best practices, which simplifies the process of reviewing and certifying user access rights. Using the portal, and its embedded processes, enables your organization to streamline the certification process, improve security, reduce risk, and enhance compliance with relevant regulations.
The portal is designed for use by users with distinct roles within an enterprise:
- Compliance Analyst - The portal enables compliance analysts to define, schedule and manage certification tasks for business users and IT resource owners.
- Business User / IT Resource Owner - The portal provides line-of-business managers and IT resource owners with personalized, interactive screens where they can review and correct the access rights of the employees they supervise or the systems they manage, using business entitlements they understand.
The Compliance Analyst performs three primary tasks using the portal:
- Define business-friendly entitlements: using a new Entitlement Editor, the analyst creates business-friendly descriptions of IT entitlements that can be used by managers who need to understand the business impact of a user holding a specific entitlement.
- Create access certification review: using a new Certification Review Editor, the analyst defines the attributes of a certification review, such as the certification category, start/end dates, status, priority and assigned managers. The review can be launched immediately, or at a scheduled time in the future.
- Manage certification review: using the portal, the analyst monitors the progress of open or completed reviews. When a review is completed, any remediation actions designated by the business manager to modify or remove access rights that are out of compliance are automatically initiated.
The Business User/IT Resource Owner performs these tasks:
- "My Certifications" portal: using a personalized portal, the business user views the access certification tasks assigned to them by the compliance analyst and selects a task.
- Review access rights: using an interactive task worksheet the business user reviews the access rights and entitlements for the people or systems they are responsible for, applying their business knowledge to determine the appropriate level of access to the systems.
- Choose actions: the business user then chooses from a configurable set of options, such as: accept and certify current access, modify or remove access or take other corrective action, or refer/delegate decisions to others.
- Submit results: once the user has completed all the certifications, they submit the completed review to the compliance analyst, who then closes the review. The actions selected by the business user can be implemented when the business user completes the review or left to the compliance analyst to complete.
The results of a certification review are then available for any reports required by senior management, auditors, or other interested parties.
Sensitive Data Certification and Compliance
ComplianceCourier goes beyond simple certification and remediation by delivering integration with the industry's leading data loss prevention (DLP) products, adding an identity context to the analysis of sensitive data access. If a DLP solution locates sensitive data (e.g., Social Security numbers, credit card numbers) in a document, a manager uses ComplianceCourier's Sensitive Data Manager module to identify the users who have access to that information, and can either remediate access to the sensitive data or formally attest that it is within policy. Combining identity with DLP findings lets the business judge the actual risk behind DLP-raised incidents and violations and take the appropriate remediation or attestation action.
User Activity and Compliance
ComplianceCourier also provides the ability to review user activity through integration with leading user activity repositories, such as security information and event management (SIEM) tools, enterprise single sign-on log files and application logs. Courion's User Activity Manager module lets business managers see which users have actually accessed which resources, rather than only which access they hold. This allows them to verify compliance with access policies or flag suspicious user actions, such as significant after-hours activity or unusual transaction volumes, for further investigation or remediation, based on the identity context provided by Courion. The same activity data also identifies over-provisioned users, so the organization can revoke access that is granted but never exercised and avoid paying excess license or maintenance fees for systems users do not use as part of their job.
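The kind of correlation described above, as an added example rather than Courion's own code: it joins a SIEM-style activity export against a table of entitlement grants to flag after-hours activity, days with unusual transaction volumes, access that was granted but never used during the review window, and activity on systems the entitlement inventory does not know about. The export format, the grants, the business-hours window and the volume thresholds are all constructed assumptions for illustration.

```python
"""Correlating user activity with entitlements for a certification review.
Added example, not Courion code. Log format, grants and thresholds are assumed."""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed entitlement grants: (identity, system) the user is authorized on.
GRANTS = {
    ("E1001", "erp"), ("E1001", "crm"),
    ("E1002", "erp"),
    ("E1003", "hrdb"),
}

# Constructed SIEM-style export, one event per line:
#   <ISO timestamp> <identity> <system> <action>
EVENTS = """\
2023-03-01T09:12:00 E1001 erp approve_payment
2023-03-01T09:40:00 E1001 erp approve_payment
2023-03-02T10:05:00 E1001 erp create_vendor
2023-03-03T02:30:00 E1001 erp approve_payment
2023-03-03T02:31:00 E1001 erp approve_payment
2023-03-03T02:32:00 E1001 erp approve_payment
2023-03-03T02:33:00 E1001 erp approve_payment
2023-03-03T02:34:00 E1001 erp approve_payment
2023-03-03T02:35:00 E1001 erp approve_payment
2023-03-03T02:36:00 E1001 erp approve_payment
2023-03-03T02:37:00 E1001 erp approve_payment
2023-03-01T11:00:00 E1002 erp create_vendor
2023-03-02T14:00:00 E1002 erp create_vendor
2023-03-02T15:00:00 E1002 crm export_contacts
"""

# Assumed local business hours; anything outside (or on a weekend) is "after hours".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_events(text):
    """Parse the export into (timestamp, identity, system, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ident, system, action = line.split()
        events.append((datetime.fromisoformat(ts), ident, system, action))
    return events


def after_hours(events, start=BUSINESS_START, end=BUSINESS_END):
    """Events outside business hours or on Saturday/Sunday (weekday() 5 or 6)."""
    return [
        (ident, system, ts.isoformat())
        for ts, ident, system, _ in events
        if ts.weekday() >= 5 or not (start <= ts.time() < end)
    ]


def unusual_volume(events, floor=5, factor=3.0):
    """Days on which a user's event count exceeds max(floor, factor * that
    user's median daily count). The floor stops one-off users being flagged."""
    per_day = Counter((ident, ts.date().isoformat()) for ts, ident, _, _ in events)
    by_user = defaultdict(list)
    for (ident, _), n in per_day.items():
        by_user[ident].append(n)
    flagged = {}
    for (ident, day), n in per_day.items():
        threshold = max(floor, factor * statistics.median(by_user[ident]))
        if n > threshold:
            flagged[(ident, day)] = n
    return flagged


def unused_grants(events, grants):
    """Granted (identity, system) pairs with no activity in the window: revocation candidates."""
    used = {(ident, system) for _, ident, system, _ in events}
    return sorted(grants - used)


def ungranted_activity(events, grants):
    """Activity on a system with no recorded grant: an inventory gap or misuse."""
    used = {(ident, system) for _, ident, system, _ in events}
    return sorted(used - grants)


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("after hours:", len(after_hours(evs)), "events")
    print("unusual volume:", unusual_volume(evs))
    print("unused grants:", unused_grants(evs, GRANTS))
    print("activity without grant:", ungranted_activity(evs, GRANTS))
```

In the constructed data E1001's eight payment approvals between 02:30 and 02:37 trip both the after-hours and the volume checks, E1001's CRM grant and E1003's HR database grant are never exercised, and E1002's CRM export shows activity the grant table does not explain. Each of those is a different worksheet item for a reviewer: investigate, revoke, or correct the inventory.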
Advanced Worksheets and Risk Management Analysis
ComplianceCourier delivers powerful, interactive compliance worksheets that advanced users can manipulate to dynamically sort, filter and group user access data, providing the ability to manipulate large data sets (such as from DLP or SIEM tools) and focus on specific slices of interest.
While the interactive worksheet provides a rich, powerful interface for viewing compliance data and verifying access, it is often desirable to give end users a simpler interface that makes specific attestation or reporting functions easier to perform. ComplianceCourier administrators can customize worksheets to end users' needs so that review and attestation functions are easy to carry out.
Courion also provides advanced analysis and graphing capabilities. The Advanced Analytics framework includes a web interface that organizes and presents graphical charts and a model for defining charts, dashboards and other graphical tools without requiring any programming.
These features allow organizations to create flexible risk management tools that security operations, compliance managers, and line-of-business managers can all use to quickly and easily monitor and manage user access and activity in order to reduce risk. Sample reports deliver regulation-specific overviews and trending information, such as sensitive-data violation trends, for detection and review.
Automatically Approve Or Remediate Access Rights
If access rights to sensitive data or applications are appropriate, the manager can certify that access is legitimate or approve exceptions to policy, where warranted.
If changes to a user's access rights are required, ComplianceCourier supports a wide range of remedial actions. These include:
- Send an email notification to a security officer, compliance officer, application owner, system administrator, etc., for them to take appropriate action.
- Open a trouble ticket to initiate and track resolution.
- Directly change, disable or delete inappropriate access rights, using Courion’s integrated workflow engine and Connector Framework. Courion is the only vendor to deliver direct remediation without requiring the deployment of a provisioning solution.
- If a provisioning product is in place, communicate with that product, whether it is from Courion or another vendor, to trigger the actions that apply the corrections automatically.
Courion is the only vendor to deliver a certification and compliance management solution that provides this full range of remedial actions.
Proactively Confirm Users' Allocated Resources
ComplianceCourier automates the processes required to comply with federal and industry regulations and business policies.
- Automatically notify business managers when it is time to confirm user access rights in compliance with company policy.
- Provide security and business managers with compliance information necessary to confirm appropriate user access rights.
- Initiate corrective actions automatically.
- Track and store managers' attestation for each user.
- Administer self-service policy awareness training and testing for end users.
- Inform managers which employees have passed policy awareness tests and optionally block access to applications pending a passing score.
- Require confirmation and validation of user access rights at scheduled intervals or in real-time.
- Map user identities, profiles, and access rights across disparate data sources.
Achieve Compliance Amid Increasing Regulations
ComplianceCourier automates a broad set of processes necessary for organizations to achieve compliance with government and industry regulatory requirements. ComplianceCourier extends the responsibility and accountability for compliance to line of business managers by providing a self-service policy evaluation and awareness testing framework which presents information to the user using business terms, rather than arcane, unfamiliar IT-specific terminology.
ComplianceCourier uses corporate policy guidelines to determine how frequently employees need their access to sensitive resources reviewed and verified. It identifies affected employees for each manager, enabling them to review the employee's access rights, compare them to those designated as appropriate according to policy, and ultimately confirm that the employee’s access is appropriate.
An important aspect of compliance management is to check for policy violations, particularly over-provisioning and segregation of duties. Over-provisioning violates the principle of least privilege, which holds that users should be granted only the minimal access rights consistent with their business function. A segregation-of-duties violation occurs when a single person holds a combination of privileges that policy requires to be split between different people (for example, the ability to both create a vendor and approve payments to it). ComplianceCourier can evaluate the accounts and privileges held by a user across systems to determine whether any privileges overlap and create such a violation.
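The three policy checks discussed above and in the summary points below (segregation-of-duties conflicts, orphan accounts, and over-provisioning against a least-privilege baseline), as an added example that is not Courion's code. It assumes a simple inventory of accounts mapped to HR identities, an HR status feed, a role baseline, and a list of entitlement pairs that must never be held together; all of that data is constructed for illustration. Note that the SoD rule is evaluated across all of an identity's accounts, because a toxic combination split across two accounts on two systems is still held by one person.

```python
"""SoD, orphan-account and over-provisioning checks for an access review.
Added example, not Courion code. Data model, rules and baseline are assumed."""
from collections import defaultdict

# Constructed account inventory: accounts on target systems mapped to an HR
# identity. owner=None means no HR record claims the account.
ACCOUNTS = [
    {"system": "erp", "account": "jsmith", "owner": "E1001",
     "entitlements": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}},
    {"system": "erp", "account": "mlee", "owner": "E1002",
     "entitlements": {"AP_CREATE_VENDOR"}},
    {"system": "crm", "account": "mlee", "owner": "E1002",
     "entitlements": {"CRM_READ", "CRM_ADMIN"}},
    {"system": "erp", "account": "svc_legacy", "owner": None,
     "entitlements": {"AP_APPROVE_PAYMENT"}},
    {"system": "crm", "account": "rkhan", "owner": "E1003",
     "entitlements": {"CRM_READ"}},
]

# Constructed HR feed. An account whose owner is terminated is an orphan too,
# not only an account with no owner at all.
HR = {"E1001": "active", "E1002": "active", "E1003": "terminated"}

# Constructed SoD rules: entitlement sets that one person must never hold in full.
SOD_RULES = [
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
]

# Constructed role baseline: what each identity's job function is meant to need.
BASELINE = {
    "E1001": {"AP_CREATE_VENDOR"},
    "E1002": {"AP_CREATE_VENDOR", "CRM_READ"},
    "E1003": {"CRM_READ"},
}


def entitlements_by_identity(accounts):
    """Union of entitlements per HR identity across all of that identity's accounts."""
    held = defaultdict(set)
    for acct in accounts:
        if acct["owner"] is not None:
            held[acct["owner"]] |= acct["entitlements"]
    return held


def sod_violations(accounts, rules):
    """(identity, conflicting entitlements) where one identity holds a whole rule set."""
    held = entitlements_by_identity(accounts)
    return sorted(
        (ident, tuple(sorted(rule)))
        for ident, ents in held.items()
        for rule in rules
        if rule <= ents
    )


def orphan_accounts(accounts, hr):
    """Accounts with no owner, or whose owner is not active in the HR feed."""
    return sorted(
        (a["system"], a["account"])
        for a in accounts
        if a["owner"] is None or hr.get(a["owner"]) != "active"
    )


def over_provisioned(accounts, baseline):
    """Entitlements held beyond the role baseline: least-privilege exceptions to certify or revoke."""
    held = entitlements_by_identity(accounts)
    excess = {ident: sorted(ents - baseline.get(ident, set())) for ident, ents in held.items()}
    return {ident: extra for ident, extra in excess.items() if extra}


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ACCOUNTS, SOD_RULES))
    print("orphan accounts:", orphan_accounts(ACCOUNTS, HR))
    print("over-provisioned:", over_provisioned(ACCOUNTS, BASELINE))
```

With the constructed data, E1001 trips the create-vendor/approve-payment rule, the unowned service account and the terminated user's CRM account surface as orphans, and E1001's payment approval and E1002's CRM admin right are flagged as exceeding their baselines. Each finding maps to one of the remediation choices the text lists: certify as an approved exception, or modify, disable or delete the access.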
If changes to a user's access rights are required, ComplianceCourier can package the results so that other applications, such as AccountCourier®, Courion's enterprise user provisioning solution, can trigger appropriate actions to initiate corrections automatically. This allows AccountCourier to supply additional value in overall account provisioning. By separating security policy from enforcement, ComplianceCourier enables IT Security to review any or all exceptions to corporate policy.
- Delivers periodic automated user access review and required remediation
- Enables a range of remediation options, e.g., email notification, help desk trouble tickets, immediate modification of access rights, or integration with third-party provisioning tools (Courion’s and others).
- Powerful, flexible Access Certification Portal and interactive worksheets enable managers to quickly and easily analyze, review and certify user access entitlements.
- Access certification capabilities include reviewing access to sensitive data collected from data loss prevention tools, as well as user activity captured by security information and event management (SIEM) products.
- Provides the ability to define, audit, and enforce key access policies, such as segregation of duties (SoD) or orphan account analysis.
- Optionally blocks user access to resources until policy awareness testing is passed
- Automatically triggers compliance actions based on user provisioning events
- Enables performance of efficient, repeatable compliance audits for time and cost savings
- Creates audit trails of manager attestation or remediation actions
- Allows delegation of employee access rights review to appropriate business managers
- Slashes time, effort and costs of previously manual compliance activities