IT tells you that you must take responsibility for access governance. So what exactly are you supposed to do with this new task? How can you get it done as quickly as possible? For business managers outside of IT, access governance sounds like an IT issue. To be fair, that is partly true. Let’s explore why access governance is relevant to business managers.
Access Governance: Why It Matters for Front Line Managers
Successful business processes require technology, sound processes, and well-trained people. In practical terms, that means front-line managers are responsible for two-thirds of the equation. If managers do not know how or why to manage access governance, security will be at risk. Don’t worry — there is no need to sign up for cybersecurity night school. Merely learn these tips and install them into your work habits.
1) Seek first to understand your company’s requirements
This advice sets the foundation for the rest of the tips. If you are in a non-technical part of the business like sales or finance, you probably don’t pay much attention to IT security matters. That is why we suggest you schedule an hour on your calendar to review the following:
- Read the policy and procedures for managers. While unexciting, these materials are usually only a few pages long, and you need to know what to expect. Take note of any terms or jargon you do not understand.
- Review upcoming deadlines for access and security matters. Some companies have an annual or semi-annual access governance review process. Find out about such deadlines and note them on your calendar.
- Identify support resources and tools. If you have questions about the process, who can you ask? Start by asking the IT help desk for suggestions.
Time commitment: the whole process should take 1-2 hours once a year.
2) Identify the high-risk assets and information in your department
Some assets and user accounts are more valuable than others. For example, if a hacker gained access to the CEO’s email account and sent out fraudulent emails (here is an example of a “president fraud incident”), you could suffer severe losses. In a public company, leaked financial information can be used to gain an illegal advantage. You do not want to be responsible for losing high-value data!
Managers sometimes struggle to identify these assets because they are far removed from the daily work staff carries out. In that case, there are two ways to get started. First, write down a list of the access rights you have as a manager. Second, set time aside at your next staff meeting to discuss the issue.
Time commitment: 1 hour (may take longer if you have a large department)
3) Adjust your employee onboarding process
New hires will only understand your expectations if you take the time to coach them. That same principle also applies to access governance. Your approach to access governance for new employees will need to be tailored based on what your company provides. Choose one of the following two methods:
- Company Guidance Available. If your company has a mandatory cybersecurity training program that includes access governance, your involvement will be minimal. Simply reinforce the company’s message that access governance manages and you monitor it.
- No Company Support Available. In this situation, the company has no guidance. Yikes! We recommend creating a one page summary of access governance and why it matters (e.g., it protects the company, it reduces the impact of hacking events, etc.) and your expectations. Specifically, ask new employees to seek your approval whenever they add, change, or delete new access.
Resource: Check out our tips to boost new hire productivity with user provisioning.
Time commitment depends on the option selected.
4) Leverage an access governance solution
We have seen managers who manage access governance using an Excel spreadsheet. It is not pretty or efficient, but it does work. There are a few problems with that manual approach:
- Timeliness. How will you keep track of your access governance activities? The spreadsheet will not remind you to carry out updates.
- Audit Reporting. When auditors ask for evidence of your review, you will have to track down and clean up your spreadsheet. Audits are stressful enough without this issue.
- Manual work effort. When you build an access governance spreadsheet, each step must be carried out manually. With an extensive team or broad set of systems, it is easy to miss something.
Using Avatier’s Compliance Auditor is a much faster and reliable way for business managers to carry out their access governance responsibilities. It is one of the best ways to automate IT governance.
Time required: varies depending on the solution
5) Standardize user access based on job roles
Setting up access profiles for each person on your team is time-consuming. There is a way around that problem. Let’s say that you are a sales manager and have a group of 10 sales professionals reporting to you. In that scenario, each of your direct reports likely requires the same type of access. To save time and avoid mistakes, we recommend establishing a profile to cover that job category.
Tip: Use a software solution to standardize access governance for each job type. If you are in a small company without standardized roles, consider engaging a human resources consultant in developing job descriptions.
The time required: A few hours to set up the profiles, and then you will have time savings afterward.
6) Seek out other ways to improve identity, access, and cybersecurity management
If you have all of the other tips in this article fully implemented, what should you do next? Continuous improvement. Take the time to review your responsibilities as a manager. Are there any manual processes that could be automated? Do you have challenges in producing reports and reports for auditors? Finding answers to these questions will make life easier for you and all of the other business managers at your company.
Time required: an hour or two each quarter
Next Steps for Access Governance
Implementing an access governance software solution is the single best way to make life easier for your business managers. Discover how Compliance Auditor can help your organization.