1 Executive Summary
Even though role concepts have lost much of their original appeal and the early enthusiasm has in many cases given way to disillusionment, the use of roles and their management has become daily practice in many organizations. Access Governance is a mandatory, complementary building block of today’s Identity Management and Access Management infrastructures.
Protecting an organization’s vital assets from unauthorized access, and providing evidence of that protection, is an increasingly important discipline for information security, governance and compliance.
Access Reviews are a detective control that, when implemented appropriately, provide an opportunity to evaluate and adjust digital and, occasionally, physical access. Typically, reviews are completed periodically (e.g. semi-annually) or are triggered by events that make a review necessary (e.g. re-organization of teams, changes of job position or actual incidents). Both provide a ‘point in time’ opportunity for stakeholders to align with the Principle of Least Privilege, ensuring that every user, process and system has only the minimum access required to perform its tasks.
The continuously increasing number of authorizations and authorized identities (not only human users but also processes, devices and systems now operate with their own identity and associated authorizations) demands a high degree of automation of Access Review processes. In any case, the need for human interaction during the verification of assigned authorizations must be reduced to a minimum.
Common weaknesses and misconceptions in the Access Review procedure (and in the upstream processes that feed it) can be mitigated or eliminated by following practical recommendations. These recommendations are derived and described below.