The Path to Access Governance Success: Your 7-Step Plan

The Path to Access Governance Success: Your 7-Step Plan

You are never “done” with access governance. Like going to the gym, it’s a steady discipline that keeps you in excellent condition. The fact that you didn’t experience a hack, data loss, or fraud last year is no guarantee that you will coast through this year. So what’s the solution to this challenge?

The “Habits” Mindset for Security and Access Governance

The path to sustainable access governance requires you to adopt a “habits” approach. Why do habits matter? According to one study, habits account for 40% of our daily behavior. If you and your employees could adopt only a few security habits, your cybersecurity risk profile would decline immediately. To find out more about habits and why they are a powerful force for change, I recommend The Power of Habit by Charles Duhigg.

Introducing the 7 Habits to Improve Access Governance

If your access governance program is nothing more than a policy and an annual training session, you are taking on much more security risk than you might imagine.

  1. Start With the End in Mind

Always start with the big picture when you are seeking to change habits. Why does access governance help? In brief, it reduces both the likelihood and impact of a security event. Robust access controls reduce the impact of any one compromised ID by streamlining what that ID can access. It also reduces the likelihood of an incident because you can eliminate unmonitored IDs more quickly.

  1. Schedule Recurring Access Governance Checks

To install access governance discipline, you need to remind staff that you will check access issues on a recurring schedule. The access review habit you adopt depends on your role in the organization. Here are a few examples to get you started.

  • Manager. On a quarterly basis, review the access profiles of all of your employees. Pay particular attention to staff who have changed jobs; their access is likely to need a change. Use Compliance Auditor to simplify the process.
  • Security Department. Security is responsible for designing the access governance program and identifying improvement opportunities. From a habit perspective, we recommend reviewing the enterprise’s access changes (adds, changes, and deletes) monthly to detect suspicious patterns.
  • Employees. Set a calendar reminder every six months to check your user ID and access. Is there anything you need to add? Can you remove any access?
  1. Practice Robust Employee Offboarding

Every employee at your organization will eventually leave. A departed employee, especially one that is disgruntled or joins a competitor, might be a security risk. Why take chances? To reduce this access governance weakness, we recommend that the Human Resources department adopt a monthly monitoring habit.

The process is simple. Once per month, create a list of all employees who have left the organization. Next, HR will contact the relevant managers to confirm that they’re following company policies, including deleting user access for those employees who are no longer on their teams.

Resource: Are you implementing access governance (or user provisioning) for the first time? In that case, make sure you engage Human Resources as an important stakeholder. Leverage our article, “Win HR Support for Your User Provisioning Project in 5 Steps” to start the project off on the right foot.

  1. Regularly Ask if There Is a Simpler Way to Do Access Governance

With any management process, there are many different ways to achieve your end goal. You could organize one-hour-long meetings each quarter to review each user ID. While that method works, it is so onerous that less security-conscious managers might forget their responsibilities.

Instead, we recommend adopting a continuous improvement habit in which you review the access governance program annually. For example, you might decide to adopt Avatier Single Sign-On to streamline access. By using Single Sign-On, access governance will be a much faster process.

  1. Use the Enhanced Monitoring Habit for Privileged Users

With great power comes great responsibility. That principle isn’t limited to superheroes; it also applies to access governance. Some people in your organization – managers and IT administrators, for instance – have tremendous power to grant, change, and delete access. If their access were to fall into the wrong hands or if they misuse their authority, the impact to your organization could be substantial.

The enhanced monitoring habit is simple. Recommend that the access governance team (or a manager in the IT unit) challenge these users monthly. In essence, ask privileged users to explain the changes they are making and confirm that they understand what changes have been made in their name. If you find certain super users rarely use their privileges, suggest removing their access.

  1. Validate Your Access Governance Records

In security, an undocumented practice is an invisible practice. For access governance to work, you need to have records and documents that back it up. There are two ways to put this habit into action: the easy way and the hard way. Let’s cover the hard way first; each manager creates their tracking document like an Excel file and saved emails. That’s not all though! You also need to keep those records organized.

Whew! What’s the easy way to keep access governance records organized? Use an access governance system that automatically maintains access changes. There’s no need to create the product on your own. You can use Avatier’s Compliance Auditor. In fact, one customer recently saved $300,000 in auditor fees by using Compliance Auditor. How much money can you save?

  1. Proactively Disclose Access Problems to Auditors

I learned a great practice from a finance manager at a bank. A few weeks before the auditors arrived, he carried out a “mini-audit” of his own to find problems. By the time the auditors arrive, he had already found a few risk and control problems. By disclosing these problems and sharing what he was doing to address them in his first official meeting with the auditors, he avoided an unfavorable audit report.

This proactive approach to finding problems, rather than waiting for an auditor to find them, is a great approach to take. It saves you stress and helps you to nip problems in the bud.

Written by Nelson Cicchitto