In most organizations with a growing number of applications and several identity repositories, identifying the owners of the accounts in those applications and the privileges of each account has become mandatory. The requirement is magnified by the critical data stored in these applications: customer credit card numbers, customer social security numbers and health records.
Periodic assessment of these applications, of the user accounts within them and of their access rights is mandatory for every mid-size business. The user account information must be categorized by rightful business owner, department and role in the organization. These accounts then need to be sent periodically for qualification and validation to the department managers, the parties responsible for the application, the CIO and the CSO, to ascertain that there are no orphan accounts or accounts that violate corporate policies.
Today's Scenario
Today, this entire process of qualifying the user accounts in the applications, validating the accuracy of the entitlements for those accounts and checking those accounts against corporate policies is performed manually. The reports are typically produced on paper, with no cross-reference to the employee's role or to the corporate policy that applies to the employee. Approvals of these accounts and validations of the access are not logged. Moreover, these tasks are repeated every quarter and are prone to security lapses and inaccuracies.
IMAG Solution
IMAG provides a comprehensive solution to address the needs of access certification in an enterprise. It provides a centralized database that consolidates user access information from all the different classes of applications, and builds relationships between the following:
- Employees and their attributes, such as role, department and status
- Applications and their attributes, such as location, domain, criticality and department
- User accounts and their entitlements, such as group membership and application privileges

IMAG has the following re-certification features:
- Administrators, Authorizers, Reviewers and Auditors visit the IMAG portal to perform their respective functions.
- IMAG sends the generated access reports to the Authorizer for validation, to the Reviewer and Administrator for clarifications, and to the Auditor for certification.
- Each access report can be grouped or categorized by the class of certification it supports, such as HIPAA, ISO27001, SOX, PCI or GLBA.
- Actions of all participants in the re-certification process are logged and reported, and can be backed up for future reference.
- Each Reviewer, Auditor and Authorizer can view and work only on the tasks and certifications assigned to them.
- Security personnel can monitor the current state of certifications and help expedite the process.
- IMAG can be set to synchronize access information from the necessary applications periodically.
- IMAG can also be scheduled to send certification reports and access reports to the necessary Authorizers by e-mail, either as a link or as a PDF.
IMAG also provides an extensive reconciliation policy engine that associates user accounts across applications with the employees who are their rightful owners in the organization. This comprehensive access-relationship database is called the Identity Matrix. The Identity Matrix enables organizations and IT security personnel to generate different kinds of reports based on corporate policy and corporate security requirements. The generated access reports can then be sent to the owners of the respective applications for certification.
Access Certification is a process that guarantees that the authorized and responsible personnel of the organization review the user accounts, qualify them, validate them against corporate policies and finally send them to the Auditor for certification. This kind of re-certification is mandated either internally by the audit department for security reasons or by governing standards such as HIPAA, ISO27001, SOX, PCI and GLBA.
IMAG has an extensive certification framework that distinguishes the following individuals in the certification process:
- User of the account: typically an employee who holds an account in order to perform tasks in the application, such as a Teller or Cashier in a bank.
- Administrator of the application: typically an IT administrator who manages the application.
- Authorizer: a person qualified to authorize account access or to validate the existing accounts in a system.
- Reviewer: typically the owner of the application, who is responsible for obtaining the right authorizations before requesting that the Administrator create the access with the right entitlements.
- Auditor/Certifier: an independent third party who validates the entire user-access qualification process. The Certifier checks the implementation of the process and certifies that the access policies and the certification process meet corporate security standards and regulatory compliance standards.
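The reconciliation step and the role-scoped review described above can be seen concretely in a small worked example. The code below is an added illustration, not IMAG's own code or data model: it builds a toy Identity Matrix from constructed HR, application-inventory and account feeds, links each account to an employee by employee id (falling back to e-mail), flags orphan accounts, accounts owned by terminated employees and entitlements that the corporate policy does not allow for the owner's role, groups the findings by application and department for the certification report, and records reviewer decisions only for applications assigned to that reviewer. The feeds, the policy table and all names are constructed sample values.

```python
"""Added example: a minimal identity-matrix reconciliation for access certification.
All records and policies below are constructed sample data, not from any real system."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    email: str
    role: str
    department: str
    status: str            # "active" or "terminated"


@dataclass(frozen=True)
class Application:
    name: str
    location: str
    domain: str
    criticality: str       # "high" / "medium" / "low"
    department: str


@dataclass(frozen=True)
class Account:
    app: str
    username: str
    emp_id: Optional[str]  # applications often record neither field reliably
    email: Optional[str]
    entitlements: tuple


@dataclass
class MatrixEntry:
    """One row of the identity matrix: an account, its reconciled owner and any findings."""
    account: Account
    owner: Optional[Employee]
    findings: list = field(default_factory=list)


# Constructed sample feeds: HR export, application inventory, per-application account pulls.
EMPLOYEES = [
    Employee("E100", "alice@example.com", "Teller", "Retail", "active"),
    Employee("E101", "bob@example.com", "Cashier", "Retail", "active"),
    Employee("E102", "carol@example.com", "DBA", "IT", "terminated"),
    Employee("E103", "dave@example.com", "Branch Manager", "Retail", "active"),
]
APPLICATIONS = {
    "core-banking": Application("core-banking", "NY", "finance", "high", "Retail"),
    "hr-portal": Application("hr-portal", "NY", "hr", "medium", "HR"),
}
ACCOUNTS = [
    Account("core-banking", "alice", "E100", None, ("teller",)),
    Account("core-banking", "bob", None, "Bob@Example.com", ("cashier",)),
    Account("core-banking", "carol_adm", "E102", None, ("admin",)),
    Account("core-banking", "svc_batch", None, None, ("admin",)),
    Account("core-banking", "dave", "E103", None, ("admin", "teller")),
    Account("hr-portal", "alice", "E100", None, ("self-service",)),
    Account("hr-portal", "bob", "E101", None, ("hr-admin",)),
]
# Constructed corporate policy: which job roles may hold a given entitlement in an application.
ENTITLEMENT_POLICY = {
    ("core-banking", "admin"): {"Branch Manager", "DBA"},
    ("hr-portal", "hr-admin"): {"HR Specialist"},
}


def reconcile(accounts, employees, policy):
    """Link each account to an employee (employee id first, then e-mail) and record findings."""
    by_id = {e.emp_id: e for e in employees}
    by_email = {e.email.lower(): e for e in employees}
    matrix = []
    for acct in accounts:
        owner = None
        if acct.emp_id in by_id:
            owner = by_id[acct.emp_id]
        elif acct.email and acct.email.lower() in by_email:
            owner = by_email[acct.email.lower()]
        entry = MatrixEntry(acct, owner)
        if owner is None:
            entry.findings.append("orphan account: no matching employee")
        else:
            if owner.status != "active":
                entry.findings.append(f"owner {owner.emp_id} is {owner.status}")
            for ent in acct.entitlements:
                allowed = policy.get((acct.app, ent))
                if allowed is not None and owner.role not in allowed:
                    entry.findings.append(f"entitlement '{ent}' not permitted for role {owner.role}")
        matrix.append(entry)
    return matrix


def certification_report(matrix):
    """Group flagged accounts by application, then by owner department ('unassigned' for orphans)."""
    report = defaultdict(lambda: defaultdict(list))
    for entry in matrix:
        if not entry.findings:
            continue
        dept = entry.owner.department if entry.owner else "unassigned"
        report[entry.account.app][dept].append((entry.account.username, entry.findings))
    return {app: dict(depts) for app, depts in report.items()}


def decide(log, matrix, actor, assigned_apps, app, username, decision):
    """Record a reviewer/authorizer decision; an actor may act only on applications assigned to them."""
    if app not in assigned_apps.get(actor, set()):
        raise PermissionError(f"{actor} is not assigned to {app}")
    if not any(e.account.app == app and e.account.username == username for e in matrix):
        raise KeyError(f"{username}@{app} is not in the matrix")
    log.append({"actor": actor, "app": app, "username": username, "decision": decision})
    return log[-1]


if __name__ == "__main__":
    matrix = reconcile(ACCOUNTS, EMPLOYEES, ENTITLEMENT_POLICY)
    for app, depts in certification_report(matrix).items():
        for dept, items in depts.items():
            for username, findings in items:
                print(f"{app:13} {dept:11} {username:10} {'; '.join(findings)}")
```

Running the script lists three flagged rows: the unowned `svc_batch` account holding `admin` on the high-criticality application, `carol_adm` owned by a terminated employee, and Bob's `hr-admin` entitlement that his Cashier role does not permit. The e-mail fallback deliberately lower-cases both sides, since identity repositories rarely agree on case; in a real deployment the match keys and the policy table would come from the HR system and the corporate policy documents rather than being hard-coded.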