Compliance

The correct handling of authorizations within IAM is a complex task. Legislators, regulators, auditors and also the internal audit department make high demands, demand far-reaching measures and threaten with sensitive sanctions.

At the same time, there are many hurdles within one’s own company that need to be overcome:

• Heterogeneous administration processes,
• unexplained or changing responsibilities,
• inadequate policies and processes; and
• complex, historically grown system landscapes.

So how can conformity be ensured for the large number of applications, users and authorizations? Different methods have proven themselves in practice.

To ensure that users on the required systems always have the correct authorizations, it is advisable to implement a recertification process (attestation) in which the authorizations are checked at regular intervals or event-driven. A supervisor must confirm the authorizations of his or her employees. Ideally, this should be done with the help of an Access Compliance solution, in which this coordination is implemented in a user-friendly manner. The individual authorizations or assignments of authorizations by roles can be confirmed or rejected quickly and easily via checkboxes. The classification of roles and authorizations according to criticality enables a further increase in efficiency.

Legal regulations such as the EU data protection basic regulation (EU-GDPR), the minimum requirements for risk management (MaRisk) in the financial sector, the audit trail as part of the “Good Manufacturing Practice” (GMP) guideline in the pharmaceutical and food industries or internal compliance guidelines require a clear separation of functions. The front and back office of credit institutions, the recording of vendor invoices and the initiation of vendor payments, the creation/modification of orders and the posting of incoming goods are critical functional separation conflicts in which toxic combinations of authorizations must be prevented in order to prevent misuse. The appropriate Access Compliance solution, which automates exactly this SoD (Segregation of Duties) check, is strongly recommended.

In order to cope with the diverse Access Compliance challenges, companies need the support of an experienced partner who has in-depth know-how and provides consulting, solutions and implementation from a single source. KOGIT advises and supports its customers with a high level of methodological competence in the implementation of a tailor-made access compliance concept. Demands for “Privacy by Design”, “Privacy by Default” or technical and organizational measures (TOMs) are always taken into account in daily work.

An important prerequisite for ensuring error-free allocation and a transparent view of all authorisations and for controlling them efficiently is the automation and harmonisation of the associated processes. The KOGIT experts therefore also advise the customer on the selection of the suitable IT solution and assist him with the implementation as well as the system connection.

At the same time, they ensure that authorizations, authorization workflows and accesses are presented in a uniform, clear and easy-to-understand manner. This enables managers to prevent the assignment of incorrect authorizations from the outset and to completely trace and control every access to critical information and unstructured data.