Any Governance, Risk and Compliance (GRC) program aims to create standardized, measured, controlled, repeatable processes that allow for continual improvement and optimization. As detailed in the first blog in the series, this approach is commonly referred to as Get Clean, Stay Clean, and Optimize. The first phase of this journey, Get Clean, establishes a baseline for the risk environment, including single and cross-application Separation of Duties (SoD) risks, institutes a risk management approach, and addresses the risks detected in the current environment, resulting in a clean GRC environment.
The second step, Stay Clean, involves putting processes and controls in place to protect that clean environment with preventative risk detection, which is achieved by automating access provisioning, certifications, and emergency access requests.
Stay Clean: Instituting Repeatable, Automated Processes with Preventative Controls
In the Get Clean phase, you put your risk environment through detective controls and mitigation/remediation. The next step in your journey to a high-functioning risk management process is to institute repeatable, automated processes with preventative controls that ensure that your clean environment stays clean.
To achieve this step, you will need to implement access request workflows, execute access certification, enable emergency access, and remediate risks based on ongoing usage monitoring.
Implement Access Request Workflows
Access request workflows ensure that all identity events (joiner, mover, and leaver) get addressed – by requiring proper access approvals and preventative risk analysis checks – before access changes are completed in the system. This cuts down on human error associated with the provisioning and deprovisioning process.
Saviynt’s GRC solution, Application Access Governance (AAG), helps you automate provisioning and risk management processes, and implement preventative risk checks during access provisioning. For new users who are onboarding or moving around the business, AAG ensures that you address their risks in a preventative and upfront manner. This way, when you run the next audit, you are still in that clean state of no unmitigated risks, no unaddressed or unknown risks.
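As an added illustration of the preventative check this section describes (hypothetical code written for this page, not Saviynt AAG's own; the SoD rules, entitlement names and request scenario are all constructed), the gate below evaluates a requested entitlement against the user's existing access and a single/cross-application SoD ruleset before anything is provisioned:

```python
# Preventative SoD check run inside an access request workflow (hypothetical).
# Entitlements are "function@application" strings so one ruleset can express
# both single-application and cross-application conflicts. Constructed data.
SOD_RULES = [
    ("create_vendor@erp", "approve_payment@erp", "vendor master vs. payment approval"),
    ("approve_po@erp", "receive_goods@wms", "purchase approval vs. goods receipt"),
]


def find_sod_violations(current, requested):
    """Return descriptions of SoD rules the user would violate if `requested`
    were granted on top of `current`. Conflicts already present that the
    request does not touch are left to the detective (Get Clean) analysis."""
    combined = set(current) | set(requested)
    return [
        desc
        for a, b, desc in SOD_RULES
        if a in combined and b in combined and (a in requested or b in requested)
    ]


def evaluate_request(current, requested, approved, mitigated=()):
    """Preventative gate evaluated before any change reaches the target system.

    approved  -- whether the required access approval has been recorded
    mitigated -- rule descriptions for which a mitigating control is assigned
    Returns (decision, reasons); decision is "provision" or "reject".
    """
    reasons = []
    if not approved:
        reasons.append("missing approval")
    for desc in find_sod_violations(current, requested):
        if desc not in mitigated:
            reasons.append("unmitigated SoD risk: " + desc)
    return ("provision", []) if not reasons else ("reject", reasons)


if __name__ == "__main__":
    # Constructed mover scenario: an ERP buyer picks up a warehouse role.
    existing = ["approve_po@erp"]
    print(evaluate_request(existing, ["receive_goods@wms"], approved=True))
    # -> ('reject', ['unmitigated SoD risk: purchase approval vs. goods receipt'])
```

The same request passes once a mitigating control is recorded for the flagged rule, which is the "no unmitigated risks" state the audit expects.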
Enable Access Certification
Scheduled access certifications keep the environment clean by ensuring no stale access remains for users as job responsibilities change. Access revalidations should be completed in alignment with audit-approved frequency for each application. A solution that allows you to automate access reviews will reduce errors and save time and effort required to conduct manual access reviews. And by using access certifications on a standardized basis, access is reviewed and reapproved or removed, keeping your access clean – and removing anything that’s stale – on an ongoing basis.
Saviynt AAG ensures that no stale access remains assigned for users as job responsibilities change by revalidating user access on an audit-approved frequency with access certifications. The risks associated with identity events – joiners, movers, leavers – are addressed in AAG’s access requests workflows, where you can provision and deprovision access.
Enable Emergency Access
Enforcing a standard of no standing elevated access keeps the environment secure by limiting critical system access and requiring approvals and monitoring for any approved and provisioned temporary emergency access. Because emergency access (often referred to as a firefighter or an elevated access request) must be provided quickly, a solution that enables real-time emergency access and monitors it reduces situations in which the access isn’t rescinded once the emergency is over.
AAG’s real-time emergency access ensures that no standing elevated access is allowed and critical access is limited, which keeps the environment secure.
Remediate Risks Based on Ongoing Usage Monitoring
As users continually use various application functionalities, request access changes, and pass through access recertifications, their actual usage of different functions should be evaluated to remove any excess (or no longer required) access. A solution that enables continual usage monitoring ensures that user access needs are met with least privilege in mind. The system can detect risky behavior, allowing personnel to terminate access when necessary.
AAG’s usage tracking enables reviewers of access requests and access recertifications to determine whether the access is actually being used and is truly necessary, or whether removing it would reduce the overall risk exposure.
AAG goes beyond traditional GRC tools by providing a single pane of glass for viewing all applications and functionalities. It offers interactive remediation options and recommendations, simplified workflows, and out-of-the-box controls. These capabilities combine to help you maintain your GRC environment with a controlled set of processes for provisioning, access reviews, and elevated access.
Once you’ve instituted the repeatable, automated processes with preventative controls that enable your environment to stay clean, you are ready to move to the third and final step in the application access governance maturity process. In the third step, detailed in the next blog in this series, you will manage and monitor those controls to optimize your GRC environment.