27 November 2012

Communication Is The Key To Access Governance


Organisations of all sizes and industries are increasingly seeking to reduce their risk exposure by performing regular access certifications / reviews. Each implementation is different, with organisations facing varying challenges and project drivers, and correspondingly picking from a menu of technology choices to support their goal.

However, one consistent thread can be found throughout successful access governance projects: strong business engagement. This engagement is twofold – firstly at a senior executive level, and secondly in 'grass roots' line-of-business interaction. Senior sponsorship is critical, and in big organisations this works best from a CEO or equivalent.

This is because access governance can be disruptive, especially a first review cycle in an organisation with applications that date from a time before security was even considered. Resistance is often encountered during implementation – firstly from technology owners or application managers, and then during reviews where business managers feel they have more important things to do. Having CxO engagement means a culture of responsibility and ownership can be adopted, and there is a suitable 'stick' to drive the project to completion.

Similarly, working with end users from your line-of-business is often overlooked until the last minute when deploying an access governance project. Without early and repeated communications and training, users feel that a time-consuming task in an awkward tool has been imposed upon them. By consulting groups of users from across the business to capture requirements and having them support testing, users often feel empowered and realise the value of the project.

The biggest successes come when access reviews form part of a broader security awareness programme driven from senior levels and encompassing the whole organisation, encouraging users to become active participants in keeping the company's information assets secure. It is this engagement and enthusiasm for the process that reduces risk the most, rather than the specific technology chosen or methodology used.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
