Blog article

Is it Time for Risk-Based Access Certification in Financial Services?

Formal checking of user access privileges to data and resources within a financial business is wholly sensible. Indeed, it is strongly mandated by a range of regulatory authorities.

But with audits typically required only every six or twelve months, this provides too little access certification oversight. Access risk can creep in between reviews, leaving your organisation open to accidental or deliberate misuse.

What is worrying is that data breaches increasingly hit organisations that ostensibly have good safeguards in place. That raises the question of whether existing access certification processes are entirely fit for purpose.

In today's SoMoClo (SocialMobileCloud) world, the pace at which access vulnerabilities develop has increased because of the surge in the volume, variety and velocity of information that organisations need their staff to access, share and collaborate on.

Not surprisingly, many organisations are finding it challenging to put into effect high security standards while still providing the open access needed to maintain productivity. At the same time, data breaches are becoming more frequent, and cybercriminals are becoming smarter in how they target and exploit access vulnerabilities.

The other factor is how workforces are becoming much more flexible. User roles and responsibilities are changing to keep pace with fast moving business imperatives. This means access rights and the resources used by employees aren't fixed and change between these periodic access reviews, exposing vulnerabilities that can be exploited.

So while users' access information is presented to auditors, it often lacks context. Auditors do not quite know how, why or when users obtained the access. In fact, a recent survey we conducted found that 43 percent of IT security executives agreed that their organisations were unaware of when access privileges are increased or when inappropriate or uncharacteristic access occurs. In addition, the volume of data presented in a comprehensive access review is considerable, if not overwhelming. This invariably drives reviewers to simply 'rubber stamp' existing access, which is clearly ineffective when the aim is to assess and mitigate access risk within an organisation.

What organisations need is a continuous and comprehensive approach to identifying access risks, combined with preventative controls that moderate those risks. For example, software that can automatically revoke inappropriate access, and that triggers a risk-based certification review when a policy violation occurs or a threat is detected, rather than waiting for the next scheduled audit.

Risk-based certification reviews provide complete context around the information being reviewed, allowing managers to make educated and informed decisions on whether a user's access is appropriate. By performing these narrowly focused, risk-based reviews on a continuous basis, organisations not only satisfy audit requirements but also mitigate potential risks in a more intelligent and efficient manner.
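To make the idea of a narrowly focused, continuous, risk-based review concrete, here is an added worked example. It is not code from the original post or from any product the post describes; the role baselines, segregation-of-duties (SoD) rules, users, grant dates and the risk thresholds are all constructed assumptions. The pass scores each entitlement grant on three signals the post calls out as missing context: whether it sits outside the user's role baseline, how recently (and by whom) it was granted, and whether it creates a SoD conflict. Grants that break a hard rule go to an automatic revocation queue; everything else above a threshold goes to a short manager review queue, and clean users generate nothing at all.

```python
# Added example (not the post's own code): a small continuous, risk-based
# access certification pass. All data and thresholds below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Entitlements each role is expected to hold (constructed baseline).
ROLE_BASELINE = {
    "teller": {"core-banking:read", "cash-drawer:write"},
    "loan-officer": {"core-banking:read", "loan-origination:write"},
    "payments-ops": {"payments:submit"},
}

# Segregation-of-duties rules: one user must never hold both (constructed).
SOD_CONFLICTS = [
    ({"payments:submit", "payments:approve"}, "submit and approve payments"),
    ({"loan-origination:write", "loan-approval:write"}, "originate and approve loans"),
]


@dataclass
class Grant:
    user: str
    entitlement: str
    granted_at: datetime
    granted_by: str  # the 'how and why' context a reviewer needs


@dataclass
class Finding:
    user: str
    entitlement: str
    risk: int
    reasons: list = field(default_factory=list)
    policy_violation: bool = False  # hard rule broken -> candidate for auto-revoke


def assess(grants, roles, now, recent_days=30):
    """Score every grant on baseline, recency and SoD; return findings, highest risk first."""
    by_user = {}
    for g in grants:
        by_user.setdefault(g.user, []).append(g)

    findings = []
    for user, user_grants in by_user.items():
        held = {g.entitlement for g in user_grants}
        # Users with no mapped role (e.g. contractors) get an empty baseline.
        baseline = set().union(*(ROLE_BASELINE.get(r, set()) for r in roles.get(user, [])))
        for g in user_grants:
            risk, reasons, violation = 0, [], False
            if g.entitlement not in baseline:
                risk += 3
                reasons.append("outside role baseline")
            age = now - g.granted_at
            if age < timedelta(days=recent_days):
                risk += 2
                reasons.append(f"granted {age.days}d ago by {g.granted_by}")
            for pair, label in SOD_CONFLICTS:
                if g.entitlement in pair and pair <= held:
                    risk += 5
                    reasons.append(f"SoD conflict: {label}")
                    # The grant that created the conflict (the newest one) is the violation;
                    # the older half of the pair only goes to review.
                    newest = max((x for x in user_grants if x.entitlement in pair),
                                 key=lambda x: x.granted_at)
                    violation = violation or (newest is g)
            if risk:
                findings.append(Finding(user, g.entitlement, risk, reasons, violation))
    return sorted(findings, key=lambda f: (-f.risk, f.user, f.entitlement))


def triage(findings, review_at=3):
    """Split findings into automatic revocations and a focused manager review queue."""
    revoke = [f for f in findings if f.policy_violation]
    review = [f for f in findings if not f.policy_violation and f.risk >= review_at]
    return revoke, review


def run_sample():
    """Constructed snapshot: a clean teller, a SoD breach, a self-service escalation, an unmapped user."""
    now = datetime(2024, 6, 1)
    roles = {"alice": ["teller"], "bob": ["payments-ops"], "carol": ["loan-officer"]}
    grants = [
        Grant("alice", "core-banking:read", datetime(2023, 1, 10), "joiner-process"),
        Grant("alice", "cash-drawer:write", datetime(2023, 1, 10), "joiner-process"),
        Grant("bob", "payments:submit", datetime(2022, 3, 1), "joiner-process"),
        Grant("bob", "payments:approve", datetime(2024, 5, 25), "change ticket (constructed)"),
        Grant("carol", "core-banking:read", datetime(2021, 9, 6), "joiner-process"),
        Grant("carol", "loan-origination:write", datetime(2021, 9, 6), "joiner-process"),
        Grant("carol", "treasury:read", datetime(2024, 5, 28), "self-service request"),
        Grant("dave", "core-banking:read", datetime(2023, 2, 1), "manual grant"),
    ]
    findings = assess(grants, roles, now)
    revoke, review = triage(findings)
    return revoke, review, findings


if __name__ == "__main__":
    revoke, review, _ = run_sample()
    for f in revoke:
        print(f"REVOKE  {f.user:6} {f.entitlement:24} risk={f.risk:2} {'; '.join(f.reasons)}")
    for f in review:
        print(f"REVIEW  {f.user:6} {f.entitlement:24} risk={f.risk:2} {'; '.join(f.reasons)}")
```

Run against the constructed snapshot, the pass produces one automatic revocation (Bob's newly granted payments:approve, which completes a submit-and-approve pair) and a three-item review queue, each item carrying the grant date and approver so the reviewer is not asked to rubber stamp a bare entitlement list. Alice, whose access matches her role and has not changed, does not appear at all. In a real deployment the automatic revocation path needs a break-glass override and an audit trail of its own, and the scores and thresholds should be tuned to the organisation's risk appetite rather than copied from this illustration.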
