Compliance is the most significant reason an organization must deploy Identity Governance & Administration technology. It is the foundation of securing an organization and ensuring that all access is properly governed through oversight mechanisms, including assessments, attestation, re-certification, remediation and continuous monitoring, all of which are part of Fischer's compliance feature-set. If it is not deployed at all, organizations risk losing control of their business: not only in the context of security, but also of their business processes, oversight and the related governance of access. If Compliance is absent within an organization, it can and most likely will become susceptible to excessive access for unauthorized users and to a lack of control over when and how access is granted to Identities; and without attestation there is no real way to double-check that everyone is complying with the organization's access policies, security policies and so on. Compliance should be the foundation of how an IGA solution is built, affecting how Identities are provisioned, how access is approved, and who is allowed to perform the actions necessary to maintain compliance. Without compliance an organization loses oversight of its application ecosystem and can find itself in a constant loop of excessive access, which not only introduces the risk of breach but also increases the opportunity for individuals to obtain access outside the standard mechanisms and authorized procedures built to control it.
Regulatory compliance is driving much of the Identity Management industry. Organizations demand, and experts agree, that compliance must be treated as an ongoing process, not an event. Organizations that incorporate compliance into everyday business processes will more easily and cost-effectively comply with Sarbanes-Oxley, GLBA, HIPAA, and other compliance acts and initiatives. Additionally, many benefits will be realized, including cost containment, improved internal controls, better risk management and increased operating efficiency - all leading to an improved bottom line.
Compliance administration enables organizations to automate the collection and comparison of account information. The comparison is of actual (current) data against repository data. Exceptions, or discrepancies between a user's current information and what was originally provisioned, can occur because of changes made to user accounts outside the Identity Management solution, or because of unexpected events that disrupt the normal operation of the Identity Management process. The compliance comparison process records any exceptions found, which can then be reconciled manually or via an automated provisioning approval process.
Every Identity Management activity can be recorded and audited in real time. Separation of duties (SoD), exception reporting, and other essential compliance events are automatically tracked as part of the execution of everyday business processes. Organizations can configure certifiers and Compliance Administrators, and the actions they may perform in the event of a compliance exception. Recertification and approval notifications are sent to the participants specified by the administrator in the configuration.
The following diagram depicts how Fischer's Compliance feature operates within an organization's ecosystem:
A compliance process can be divided into three phases:

1. Assessment: the selected resources are assessed, and the compliance status of each is reported with a clear indication of the nature of any exception found.
2. Certification: the assigned certifiers examine the compliance statuses and exceptions reported on each resource and take certification actions.
3. Remediation: any corrective actions suggested by the certifier are performed in order to attain 100% compliance with the company's policies.
The resource types available for the recertification process are Policy, Resource and System.
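The following is an added example, written for this page and not Fischer's own code or data model, of what the three phases look like when the comparison of actual account data against repository data described above is carried through: an assessment pass that records exceptions (orphan accounts, missing accounts, entitlement drift and an SoD conflict), a certification pass that applies each certifier's decision and leaves unreviewed exceptions open rather than silently approving them, and a remediation pass that turns the decisions into corrective actions. All identities, entitlements, the SoD rule and the certifier decisions are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real system): what the IGA repository
# believes was provisioned for each identity on a hypothetical "erp" system.
REPOSITORY = {
    "alice": {"ap_invoice_entry"},
    "bob": {"ap_invoice_entry", "ap_payment_approve"},
    "carol": {"gl_read"},
}

# Constructed sample data: what a collection run actually found on "erp".
ACTUAL = {
    "alice": {"ap_invoice_entry", "gl_read"},   # gl_read granted outside the IGA solution
    "bob": {"ap_invoice_entry", "ap_payment_approve"},
    "dave": {"gl_read"},                         # account the repository knows nothing about
}
# carol is absent from ACTUAL: provisioned in the repository, but not on the system.

# Constructed separation-of-duties rule: one identity must not hold both entitlements.
SOD_RULES = [(frozenset({"ap_invoice_entry", "ap_payment_approve"}), "AP entry/approve conflict")]


@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str    # orphan_account | missing_account | extra_entitlement | missing_entitlement | sod_violation
    detail: str


def assess(repository, actual, sod_rules):
    """Phase 1 (assessment): compare actual vs. repository data and record exceptions."""
    findings = []
    for ident in sorted(set(repository) | set(actual)):
        if ident not in repository:
            findings.append(Finding(ident, "orphan_account", "exists on system, not in repository"))
            continue
        if ident not in actual:
            findings.append(Finding(ident, "missing_account", "in repository, not on system"))
            continue
        want, have = repository[ident], actual[ident]
        findings += [Finding(ident, "extra_entitlement", e) for e in sorted(have - want)]
        findings += [Finding(ident, "missing_entitlement", e) for e in sorted(want - have)]
        findings += [Finding(ident, "sod_violation", name) for conflict, name in sod_rules if conflict <= have]
    return findings


def certify(findings, decisions):
    """Phase 2 (certification): attach the certifier's decision to each exception.

    decisions maps (identity, kind, detail) -> {"action": "accept"} or
    {"action": "correct", ...}. Anything the certifier did not review stays
    "open" instead of being treated as approved.
    """
    return [(f, decisions.get((f.identity, f.kind, f.detail), {"action": "open"})) for f in findings]


def remediate(certified, repository):
    """Phase 3 (remediation): turn "correct" decisions into corrective actions."""
    actions = []
    for f, d in certified:
        if d["action"] != "correct":
            continue
        if f.kind == "orphan_account":
            actions.append(("disable_account", f.identity))
        elif f.kind == "missing_account":
            actions.append(("provision_account", f.identity, tuple(sorted(repository[f.identity]))))
        elif f.kind == "extra_entitlement":
            actions.append(("remove_entitlement", f.identity, f.detail))
        elif f.kind == "missing_entitlement":
            actions.append(("grant_entitlement", f.identity, f.detail))
        elif f.kind == "sod_violation":
            # The certifier must state which side of the conflict to remove.
            actions.append(("remove_entitlement", f.identity, d["remove"]))
    return actions


def run_cycle(repository=REPOSITORY, actual=ACTUAL, sod_rules=SOD_RULES, decisions=None):
    """One full compliance cycle; returns (findings, certified, actions, open_count)."""
    findings = assess(repository, actual, sod_rules)
    certified = certify(findings, decisions or {})
    actions = remediate(certified, repository)
    open_count = sum(1 for _, d in certified if d["action"] == "open")
    return findings, certified, actions, open_count


if __name__ == "__main__":
    # Constructed certifier decisions for the sample run.
    decisions = {
        ("alice", "extra_entitlement", "gl_read"): {"action": "correct"},
        ("bob", "sod_violation", "AP entry/approve conflict"): {"action": "correct", "remove": "ap_payment_approve"},
        ("carol", "missing_account", "in repository, not on system"): {"action": "accept"},
        # dave's orphan account is left unreviewed and therefore stays open.
    }
    findings, certified, actions, open_count = run_cycle(decisions=decisions)
    for f, d in certified:
        print(f"{f.identity:6} {f.kind:20} {f.detail:36} -> {d['action']}")
    print("corrective actions:", actions)
    print("still open:", open_count)
```

The point of the `open` default in `certify` is that an exception nobody reviewed must remain visible in the next cycle; a reconciliation that treats silence as approval defeats the purpose of attestation. Accepted exceptions produce no corrective action but keep their decision record, which is the audit trail an assessor would ask for.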