Automating Access Certification Reduces Risk and Improves Compliance


Access certification requires that managers regularly review their employees’ access to financial systems to validate that access privileges align with the employee’s job requirements. Many organizations have implemented access certification processes to comply with the Sarbanes-Oxley Act (SOX) of 2002. Because SOX mandates an annual evaluation of internal controls and procedures for maintaining the integrity of financial reporting, organizations must ensure that only users with a legitimate business purpose can access financial systems.

Recognizing the value of access certification in enhancing cybersecurity, many organizations have expanded that process beyond SOX compliance. That means managers are faced with reviewing all of their employees’ access privileges across dozens of IT systems. What’s more, they must pore over this information in an effort to find the “bad” privileges that represent risk to the organization, which is a tall order.

SOX compliance has compelled many organizations to implement role-based access controls, which help to reduce the number of entitlements to be reviewed. However, a large organization with thousands of users might have hundreds or even thousands of roles. The review process is still going to take an immense amount of time, and busy managers are more likely to overlook problems. Some managers might be inclined to rush through the process or take shortcuts, increasing the risk of security gaps that a malicious insider or external bad actor could slip through.

In light of that, organizations need tools that streamline and automate the access certification process. They also need to ensure the process begins with complete and up-to-date entitlement data and leverages analytics to prioritize high-risk users and accounts.
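The review workflow sketched in the last two paragraphs (correlate account data from several systems, use the role model to cut the entitlements a manager must look at down to the ones outside the role, and rank what is left by risk) can be made concrete in a few dozen lines. The script below is an added example written for this page; it is not code from the post or from RSA's product. The HR feed, the role model, the account extracts and the sensitivity weights are all constructed sample data, and the scoring scheme is an assumption chosen to illustrate prioritization, not a documented method.

```python
"""Added example: unify accounts from several systems, flag entitlements that
fall outside the owner's role, and rank the manager review queue by risk.
All data and weights below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR feed: employee id -> role, reviewing manager, employment status.
HR_RECORDS = {
    "e1001": {"name": "Ana", "role": "ap_clerk",   "manager": "m1", "active": True},
    "e1002": {"name": "Ben", "role": "gl_analyst", "manager": "m1", "active": True},
    "e1003": {"name": "Cy",  "role": "ap_clerk",   "manager": "m2", "active": False},  # terminated
}

# Constructed role model: entitlements each role may hold, per system.
ROLE_MODEL = {
    "ap_clerk":   {"erp": {"view_invoice", "enter_invoice"}},
    "gl_analyst": {"erp": {"view_journal"}, "gl": {"post_journal", "view_ledger"}},
}

# Constructed account extracts: (system, account id, employee id or None, entitlements).
ACCOUNT_EXTRACTS: List[Tuple[str, str, Optional[str], Set[str]]] = [
    ("erp", "ana.erp",   "e1001", {"view_invoice", "enter_invoice", "approve_payment"}),
    ("erp", "ben.erp",   "e1002", {"view_journal", "approve_payment"}),
    ("gl",  "ben.gl",    "e1002", {"post_journal", "view_ledger"}),
    ("erp", "cy.erp",    "e1003", {"view_invoice"}),   # owner no longer employed
    ("gl",  "svc_batch", None,    {"post_journal"}),   # no HR owner at all: orphan account
]

# Assumed sensitivity weights; unknown entitlements count as 1.
WEIGHT = {"approve_payment": 10, "post_journal": 6, "enter_invoice": 3,
          "view_journal": 1, "view_invoice": 1, "view_ledger": 1}
ORPHAN_WEIGHT = 8       # extra risk for an account nobody owns
TERMINATED_WEIGHT = 8   # extra risk for an account whose owner has left


@dataclass
class Finding:
    system: str
    account_id: str
    employee_id: Optional[str]
    manager: Optional[str]      # None means no business owner; route to security
    entitlements: Set[str]      # the entitlements the reviewer must decide on
    reason: str
    score: int


def out_of_role(role: str, system: str, entitlements: Set[str]) -> Set[str]:
    """Entitlements held on this system that the role model does not grant."""
    allowed = ROLE_MODEL.get(role, {}).get(system, set())
    return entitlements - allowed


def weight_of(entitlements: Set[str]) -> int:
    return sum(WEIGHT.get(e, 1) for e in entitlements)


def build_findings(extracts, hr_records) -> List[Finding]:
    """Correlate each account with its HR owner and keep only what needs review."""
    findings: List[Finding] = []
    for system, account_id, emp, ents in extracts:
        hr = hr_records.get(emp) if emp else None
        if hr is None:
            # Orphan account: every entitlement is unowned, so all of it is reviewed.
            findings.append(Finding(system, account_id, emp, None, set(ents),
                                    "orphan account", ORPHAN_WEIGHT + weight_of(ents)))
            continue
        if not hr["active"]:
            findings.append(Finding(system, account_id, emp, hr["manager"], set(ents),
                                    "owner terminated", TERMINATED_WEIGHT + weight_of(ents)))
            continue
        extra = out_of_role(hr["role"], system, ents)
        if extra:  # in-role entitlements are pre-approved by the role model
            findings.append(Finding(system, account_id, emp, hr["manager"], extra,
                                    "outside role", weight_of(extra)))
    return findings


def review_queue(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by reviewer, riskiest first; orphans go to a security owner."""
    queue: Dict[str, List[Finding]] = {}
    for f in sorted(findings, key=lambda f: -f.score):
        queue.setdefault(f.manager or "security_owner", []).append(f)
    return queue


def review_burden(extracts, findings) -> Tuple[int, int]:
    """(entitlements held in total, entitlements a reviewer must actually decide on)."""
    total = sum(len(ents) for _, _, _, ents in extracts)
    flagged = sum(len(f.entitlements) for f in findings)
    return total, flagged


if __name__ == "__main__":
    found = build_findings(ACCOUNT_EXTRACTS, HR_RECORDS)
    for reviewer, items in review_queue(found).items():
        for f in items:
            print(f"{reviewer:15} {f.score:3} {f.system}/{f.account_id}: {f.reason} {sorted(f.entitlements)}")
    print("entitlements held vs. to review:", review_burden(ACCOUNT_EXTRACTS, found))
```

Two design points match the concerns in the text: the role model removes in-role entitlements from the queue entirely (here 9 held entitlements shrink to 4 decisions), and accounts with no active owner are scored above ordinary out-of-role grants because nobody would otherwise be prompted to certify them.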

A tool that meets these needs is the Access Certification Manager feature of RSA Identity Governance and Lifecycle (IGL), which simplifies access certification for business users. It employs a unique unification process to automatically collect, aggregate, and correlate user account, group, and role data from across the enterprise. It then automatically generates reviews and presents them in a business context that is easy for managers to understand. This enables repeatable certification processes.

Workflows can be configured to match an organization’s review and approval requirements. Any changes to user credentials resulting from access certification are tracked for auditing and reporting. Changes can be fulfilled through RSA’s Access Fulfillment Express module or through integration with leading IT service management and operational systems. Either way, Access Certification Manager helps ensure access changes are implemented promptly and accurately.

Access Certification Manager has a highly scalable architecture that can support hundreds of thousands of users and millions of entitlements. It is flexible enough to support organizations at every stage of access governance maturity, whether they have well-defined frameworks for assessing risk and validating privileges or are struggling to complete access certifications quickly enough to meet regulatory requirements. As part of RSA’s comprehensive identity management and governance platform, Access Certification Manager helps support user access controls throughout their full life cycle.

Access certification is more than just a box to check when it comes time for SOX compliance. It can play an important role in enhancing cybersecurity, but only if business managers have the tools they need to review access privileges accurately and efficiently. RSA’s Access Certification Manager addresses this challenge cost-effectively through enterprise-wide visibility and automation.


For more information about RSA’s Access Certification Manager, please send us an email at (