Planning what to review and by whom it should be reviewed
What needs to be certified, by whom, and how often is determined by the organization's requirements. For auditing or regulatory compliance purposes, it is generally the entitlements or access that, if misused or compromised, could cause harm to the organization.
Compromise can range from someone accidentally retaining access to information they should no longer have, to deliberate malicious use. Ensuring users have the access they need and nothing more keeps the organization in compliance.
The more sensitive the information or access is, the more often certification campaigns may need to be performed. It is also important that the "right" people certify the right entitlements: a certifier who does not own the entitlement, or who does not understand why a user should or should not have it, is likely to "rubberstamp" it.
What to certify
Within certification campaigns, what to certify provides the basis for compliance. Entitlements that can be certified include:
Profiles (who the person is)
Accounts (the accounts the person has)
Groups (what groups an account has)
Roles (what roles a user has)
Profile attributes (what a given attribute is set to for each user)
Segregation of Duties (what SoD rules a person may fall under)
Review not required
During a certification campaign, some entitlements may be marked as: "Review not required"
Filtered accounts - found by Bravura Security Fabric but filtered by an ID filter - may be presented to reviewers but do not need to be reviewed.
Who to certify
Who is being certified strongly influences how a certification campaign is created. If the population of users being certified is small, it is very common to assign a single person as the certifier. However, if the population is large, it makes better sense to segment it into smaller certification campaigns. A single campaign should be a reasonable size to ensure the certifier actually reviews what is in the campaign rather than "rubberstamping" items.
An alternative is to run smaller certification campaigns serially. For example, all users whose last names begin with "A to E" are certified first; when that campaign is complete, the next campaign covers all users whose last names begin with "F to J", and so on. The goal is to keep each campaign a reasonable size to avoid "rubberstamping".
What information to present to the certifier
Depending on what is certified, the administrator can decide which attributes of each user to present to the certifier. The information should be what the certifier needs to understand who the user is and whether they require the entitlement(s) being certified. It is recommended to present just enough information and not overload the certifier: certifiers given too much information may get confused or overwhelmed and end up "rubberstamping" the campaign.
If insufficient information is presented, the certifier has to look up details of the user being certified. This is tedious and encourages the certifier to cut corners. Presenting certifiers with the right amount of detail leads to the best results.
Remediation
It is very common for remediation in a certification to be simply the revocation of the entitlement being certified: if a user does not require an entitlement, the entitlement is removed from the user. However, the administrator can design what a revocation means. For example, if a user does not need an entitlement, a predefined request (PDR) can be generated that not only removes the entitlement but also adds another entitlement to the user, updates an attribute, and so on.
Understanding what revoking an entitlement should mean during a certification may require designing a PDR that meets your objectives.
Reviewers
Who the reviewers are for a certification campaign differs depending on what is being certified: sometimes the entitlement or application owner, the manager, HR, or simply whoever needs to perform the certification. If a campaign is segmented into multiple parts, a certifier for each part may be required (alternatively, a segmented campaign can be split into multiple campaigns and certified by a single person).
Peer groups
Within a certification campaign, an administrator can define criteria that the users to be certified are expected to meet. This streamlines the certification: users that meet a defined peer group threshold are visually marked (green), and reviewers can easily decide to certify them.
Reviewers can more closely scrutinize users that fail to meet the peer group threshold (yellow or red) before deciding whether to certify or revoke the entitlements.
Defining good peer groups can make the certification process easier for the certifiers.
Additional Information
Once certification campaigns are created and achieve the compliance an organization requires, they can be scheduled to run as often as required. This ties closely to the certification validity interval (CERT VALIDITY INTERVAL): "Certification of a user or entitlement is considered to be current if performed within this number of days." Although this number can differ between the entitlements being certified, it can streamline larger campaigns: where users have been certified recently, the reviewer does not have to re-certify them.
Users within the CERT VALIDITY INTERVAL are automatically certified and can be skipped during a certification campaign. They are still included and visible to the certifier, who can decide otherwise.
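As an added example, not part of this documentation or of Bravura Security Fabric's own code, the following Python models the two review aids described above for one entitlement: holders whose last certification falls within the validity interval are marked current (auto-certified but still listed), and the rest are banded green, yellow or red by how many of their department peers hold the same entitlement. The population, holder set, review date and threshold values are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample population (not from any real deployment):
# user id -> (department, date of last certification or None if never certified)
USERS = {
    "u1": ("Finance", date(2024, 5, 1)),
    "u2": ("Finance", None),
    "u3": ("Finance", date(2023, 1, 15)),
    "u4": ("Finance", None),
    "u5": ("Finance", None),
    "u6": ("Engineering", None),
    "u7": ("Engineering", None),
    "u8": ("Engineering", None),
    "u9": ("Sales", None),
}
# Users who currently hold the entitlement under review (constructed).
HOLDERS = {"u1", "u2", "u3", "u5", "u6", "u7", "u9"}
REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the campaign run

GREEN, YELLOW = 0.75, 0.40  # hypothetical peer-group thresholds

def peer_group_ratio(users, holders):
    """Share of each user's peers (same department, user excluded) holding the entitlement."""
    by_dept = defaultdict(list)
    for uid, (dept, _) in users.items():
        by_dept[dept].append(uid)
    ratios = {}
    for uid, (dept, _) in users.items():
        peers = [p for p in by_dept[dept] if p != uid]
        ratios[uid] = sum(p in holders for p in peers) / len(peers) if peers else 0.0
    return ratios

def build_review_items(users, holders, validity_days, today):
    """Map each holder to 'current' (certified within the validity interval; listed but
    auto-certified) or to a colour band from the peer-group ratio (green = least scrutiny)."""
    ratios = peer_group_ratio(users, holders)
    items = {}
    for uid, (_, last_cert) in users.items():
        if uid not in holders:
            continue  # nothing to certify for this user
        if last_cert is not None and today - last_cert <= timedelta(days=validity_days):
            items[uid] = "current"
        elif ratios[uid] >= GREEN:
            items[uid] = "green"
        elif ratios[uid] >= YELLOW:
            items[uid] = "yellow"
        else:
            items[uid] = "red"
    return items
```

A user with no department peers (u9 here) gets a ratio of 0.0 and lands in the red band, which is the safer default: an outlier with nobody to compare against should be scrutinized rather than waved through.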