Access certification & attestation: Best practices for avoiding the rubber stamp syndrome

Access certification is an ongoing process where managers and designated approvers review who has access to what to confirm that each user/role has access only to the resources necessary to perform their job function. In doing so, organizations prevent users from accumulating unnecessary privileges and decrease their risk profile.

Accordingly, the risk mitigation benefits of access certification are only as good as the care approvers take in examining access rights. However, access certification efforts often suffer from the rubber stamp syndrome: a manager or approver bulk-approves every access right presented in a review by "selecting all" and clicking "approve". One common cause is approvers being constantly swamped with too many access certification requests. This can be avoided by following these recommendations:

* Once a year, have a full certification where each manager certifies all the entitlements of all their direct report team members
* On a quarterly basis, have delta certifications where managers only certify the changes in entitlements for their team in the last quarter
* Whenever an employee is transferred to a new position, run an event-based certification in which all of that employee's entitlements are examined, so that toxic combinations (i.e., segregation of duties violations) created by the move are caught immediately

This might sound like more work, but because the delta certifications are much smaller and quicker to go through, the approver actually gives each one more attention and completes it properly. The drawback of a quarterly delta certification (and hence the need to complement it with a full yearly certification) is that the approver cannot see the bigger picture and the business implications without seeing the full set of entitlements for each team member. At the same time, an employee who gets promoted or transferred to a new position might create toxic combinations and pose business risk for an organization: the existing entitlements, combined with the new ones granted for the new position, might allow him/her to carry out a sequence of tasks that violates segregation of duties policies (e.g., raise a purchase order and then approve it). This warrants that the approver immediately looks at the full set of entitlements for this employee. From a workload perspective, managers do not transfer their direct reports to new positions on a regular basis, so this event should not occur often enough to burden the certifying manager.
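The three review scopes above (full, delta and event-based) are easy to model as set operations over entitlement snapshots. The following is an added example, not code from the original article or from any particular certification tool; the user names, entitlement names, quarterly snapshots and the segregation of duties (toxic combination) rules are all constructed for illustration. It shows why a delta review alone is not enough: the transferred user's delta looks like a single harmless grant, while the event-based review of the full entitlement set exposes the raise-and-approve purchase order combination.

```python
"""Scoping access certification reviews: full, delta and event-based.

Added example (not from the original article). Entitlement snapshots are
dicts mapping user -> set of entitlement names; all data below is constructed.
"""

# Constructed entitlement snapshots taken at the end of two consecutive quarters.
PREVIOUS_QUARTER = {
    "alice": {"AP_RAISE_PO", "ERP_VIEW_INVOICES"},
    "bob":   {"AD_FileShare_Finance_RO"},
    "carol": {"AP_RAISE_PO", "ERP_VIEW_INVOICES", "AD_FileShare_Finance_RO"},
}
CURRENT_QUARTER = {
    "alice": {"AP_RAISE_PO", "ERP_VIEW_INVOICES"},                       # unchanged
    "bob":   {"AD_FileShare_Finance_RO", "AD_FileShare_HR_RW"},           # one grant added
    "carol": {"AP_RAISE_PO", "AP_APPROVE_PO", "AD_FileShare_Finance_RO"},  # transferred to AP approver role
}

# Hypothetical segregation of duties policy: each frozenset is a toxic
# combination that no single user may hold in full.
TOXIC_COMBINATIONS = [
    frozenset({"AP_RAISE_PO", "AP_APPROVE_PO"}),      # raise and approve a purchase order
    frozenset({"AD_FileShare_HR_RW", "PAYROLL_RUN"}),  # edit HR data and run payroll
]


def full_certification(current):
    """Yearly review: every entitlement of every user, the complete picture."""
    return {user: sorted(ents) for user, ents in current.items()}


def delta_certification(previous, current):
    """Quarterly review: only entitlements that changed since the last snapshot.

    Users with no change are omitted, which is what keeps the approver's
    queue short enough to be reviewed properly rather than rubber-stamped.
    """
    delta = {}
    for user in previous.keys() | current.keys():
        before = previous.get(user, set())
        after = current.get(user, set())
        added, removed = after - before, before - after
        if added or removed:
            delta[user] = {"added": sorted(added), "removed": sorted(removed)}
    return delta


def sod_violations(entitlements):
    """Return every toxic combination fully contained in one user's entitlements."""
    held = set(entitlements)
    return [sorted(combo) for combo in TOXIC_COMBINATIONS if combo <= held]


def event_certification(current, transferred_users):
    """Event-based review on transfer: the moved user's full entitlement set,
    with segregation of duties violations pre-computed so the approver sees
    the business risk instead of a bare list of cryptic names."""
    items = {}
    for user in transferred_users:
        ents = current.get(user, set())
        items[user] = {"entitlements": sorted(ents),
                       "sod_violations": sod_violations(ents)}
    return items


if __name__ == "__main__":
    # The delta for carol shows only AP_APPROVE_PO added, which looks benign on its own...
    print("delta:", delta_certification(PREVIOUS_QUARTER, CURRENT_QUARTER))
    # ...while the event-based review of her full set flags the raise/approve PO pair.
    print("event:", event_certification(CURRENT_QUARTER, ["carol"]))
```

Note that `delta_certification` deliberately drops unchanged users; if the tool instead lists everyone with "no change", the approver is back to scrolling past rows, which is exactly the condition that produces rubber stamps. The `sod_violations` check runs against the full entitlement set, not the delta, because the toxic pair is formed by a newly granted entitlement meeting one the user already held.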

There are a few other reasons for the rubber stamp syndrome, including:

* Approvers don't understand the business context of what they're certifying. This is particularly the case when the certification tool doesn't offer plain-language descriptions clearly explaining the business relevance of the roles, users, access entitlements or resources involved in the process (think SAP and mainframe transaction codes, though Active Directory group names are often just as opaque). To create quality descriptions, enlist the help of the application and system owners, as they are the ones with an intimate understanding of their resources (i.e., applications and systems) and of what the relevant entitlements actually do. To provide business context and descriptions for the users and roles, you'll need to refer to human resources data sources as well as involve line-of-business managers and users. More importantly, you'll need strong sponsorship from management to ensure the collaboration of all necessary stakeholders.
