Access Certification / Review

[Peter Lundstedt <peter.lundstedt () DRAKE EDU>]

Hello everyone,

We are working on an audit finding related to access certifications performed by our data custodians, as well as access 
certifications of the data custodians.  The consensus is that we should not be relying on email and spreadsheets to 
complete these reviews, however most of the systems I've seen are tied to Identity Management systems - we are close to 
starting an IAM project that would probably include access review but are not there yet.  On top of this, the systems 
I've worked with in the past simply presented the access to the reviewer, in most cases a superior who has no idea what 
the information means, mostly just clicking "Maintain".

I'm interested in hearing what others have done for certifications - is an app required, have you built something 
internally, are you relying on the email/spreadsheet type of system that I mentioned above, how do you complete the 
review in a meaningful way?

Vendors may contact me on this - I'm in need of ideas.

Peter Lundstedt
SECURITY ANALYST 2, INFRASTRUCTURE & SECURITY SERVICES

[oit]