User Recertification

Recertification is the process of validating a user’s access to an application/system with a suitable authoriser, in most cases their line manager. The user’s entitlements on that application/system must also be checked to make sure they are set to the minimum level of access needed for them to complete their job role. No user should hold excessive/privileged access at any time.

This process is completed to ensure that no user has too much access and could potentially do something outside of their job role, such as having the ability to both create and then approve a mortgage, which should be done by two separate people. When this process is run, all users on that application must be recertified.

Recertification can be carried out in 2 stages, to make the process much easier – Validation and Certification (V&C). First you validate that a user should have access to a system/application at all (regardless of what they can do on it). Once a suitable authoriser has confirmed this, the user’s actual access to that system/application can then be certified to ensure it is correct. Doing this in two stages normally breaks up the workload a little.

Recertification helps to minimise security risks and improve SOX compliance. It is an essential process that needs to be carried out (at least) every 6 months, on all applications/systems.

I have specialised in many recertification projects, across multiple applications in various banks. My processes include the full life-cycle of a recertification project, broken down into suitable processes for high-level management to the people actually running the project on the ground. These projects have resulted in the removal of hundreds of thousands of accounts and entitlements, saving money and greatly reducing risk.

I’ve also developed many of my own custom tools to complete this whole process, allowing the swift and easy recertification of many applications at once, by BAU security admin teams. These tools include the ability to load up an “Access Control List”, which will then split out all the entitlements and send them to the correct line manager, via individual emails. Other tools then include the ability to process the email replies from the line manager and collate the data back in a usable format.
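The following Python model ties together the steps described above: splitting an Access Control List by line manager, the two-stage Validation and Certification (V&C) flow, and the segregation-of-duties check behind the "create and then approve a mortgage" example. It is an added illustration written for this page, not the author's own tooling; the ACL rows, manager names, entitlement names, decision records and the toxic-pair rule are all constructed sample data. Email transport is out of scope here, so each manager's request and reply is represented by an in-memory dict.

```python
"""Recertification campaign model: V&C with a segregation-of-duties (SoD) check.
Added illustration; all names and ACL rows below are constructed sample data."""
from collections import defaultdict

# Constructed sample Access Control List: (user, entitlement, line manager)
SAMPLE_ACL = [
    ("alice", "mortgage_create",  "mgr_brown"),
    ("alice", "mortgage_approve", "mgr_brown"),   # toxic pair with create
    ("bob",   "mortgage_approve", "mgr_brown"),
    ("carol", "report_view",      "mgr_green"),
    ("carol", "admin_full",       "mgr_green"),   # excessive for the role
    ("dave",  "report_view",      "mgr_green"),   # has left; manager gives no confirmation
]

# Constructed SoD rule: entitlement pairs one person must never hold together
TOXIC_PAIRS = {frozenset({"mortgage_create", "mortgage_approve"})}

# Constructed manager replies. Stage 1 is keyed by (manager, user),
# stage 2 by (user, entitlement). Anything missing is treated as a rejection.
SAMPLE_USER_DECISIONS = {
    ("mgr_brown", "alice"): "confirm",
    ("mgr_brown", "bob"):   "confirm",
    ("mgr_green", "carol"): "confirm",
    # no entry for ("mgr_green", "dave") -> access is removed
}
SAMPLE_ENTITLEMENT_DECISIONS = {
    ("alice", "mortgage_create"):  "approve",
    ("alice", "mortgage_approve"): "approve",   # both approved, so SoD must catch it
    ("bob",   "mortgage_approve"): "approve",
    ("carol", "report_view"):      "approve",
    # no entry for ("carol", "admin_full") -> entitlement is revoked
}


def split_by_manager(acl):
    """Group each manager's users and their entitlements so that one
    request per manager can be sent out."""
    per_manager = defaultdict(lambda: defaultdict(set))
    for user, entitlement, manager in acl:
        per_manager[manager][user].add(entitlement)
    return per_manager


def validate(per_manager, user_decisions):
    """Stage 1 (Validation): should this user have access to the system at all?
    A user with no explicit confirmation is removed; silence is not consent."""
    confirmed, removed = {}, []
    for manager, users in per_manager.items():
        for user, entitlements in users.items():
            if user_decisions.get((manager, user)) == "confirm":
                confirmed[user] = set(entitlements)
            else:
                removed.append(user)
    return confirmed, removed


def certify(confirmed, entitlement_decisions):
    """Stage 2 (Certification): for each confirmed user, every entitlement is
    approved individually; anything not approved is revoked."""
    revoked = []
    for user, entitlements in confirmed.items():
        for entitlement in sorted(entitlements):
            if entitlement_decisions.get((user, entitlement)) != "approve":
                revoked.append((user, entitlement))
    return revoked


def sod_violations(remaining, toxic_pairs=TOXIC_PAIRS):
    """Flag users whose surviving entitlements still contain a toxic
    combination, even when the manager approved both halves."""
    return sorted(user for user, entitlements in remaining.items()
                  if any(pair <= entitlements for pair in toxic_pairs))


def run_campaign(acl, user_decisions, entitlement_decisions):
    """Full V&C run: returns the removals, revocations and SoD exceptions
    that the security admin team would act on."""
    per_manager = split_by_manager(acl)
    confirmed, removed_users = validate(per_manager, user_decisions)
    revoked = certify(confirmed, entitlement_decisions)
    revoked_set = set(revoked)
    remaining = {user: {e for e in ents if (user, e) not in revoked_set}
                 for user, ents in confirmed.items()}
    return {
        "removed_users": removed_users,
        "revoked": revoked,
        "sod_violations": sod_violations(remaining),
    }


if __name__ == "__main__":
    outcome = run_campaign(SAMPLE_ACL, SAMPLE_USER_DECISIONS, SAMPLE_ENTITLEMENT_DECISIONS)
    for key, value in outcome.items():
        print(f"{key}: {value}")
```

Two design choices matter here. A missing reply defaults to removal rather than retention, so an unresponsive manager cannot silently preserve access past the campaign. The SoD check runs after certification on what survives, because a manager approving each entitlement on its own merits is exactly how a toxic combination slips through a per-entitlement review.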