(Personas: Compliance Officer, Business Owner, Group Owner, Auditor)
Attestation reviews ensure that the business has a clear statement of each employee’s data access and that access to resources, including NTFS and SharePoint data, is correct. The process of carrying out attestation on a regular basis is referred to as recertification because, at specified time intervals, access that is already certified or approved is reconfirmed.
To comply with internal policies and industry regulations, managers and data owners need to regularly attest that employees need the access they have been granted. This is a crucial task for organizations in health care, organizations that accept credit cards as forms of payment, government departments, financial institutions, and any publicly traded company.
Since data and the required access and ownership in your environment are constantly evolving, it is important to schedule regular attestation to ensure accuracy, policy adherence, and security. You can then generate detailed reports for auditors to prove adherence to regulations.
Access certification can be a challenge due to a lack of information, understanding, and a well-defined process. Business managers understand employees’ roles but not their access rights; IT managers understand employees’ access rights but not their legitimate access needs.
Identity Manager simplifies and automates the attestation process to ensure that every employee has the right access to do their job, nothing more. The attestation process places responsibility for the attestation review with the data or business owner, as they have the best knowledge of the data and its intended use.
An auditor can review the attestation procedures through the Web Portal. This enables you to prove and certify that access and ownership compliance rules are being met. For details, see Work with Governed Data through Dashboards and Views on page 33.
For this scenario:
• Through the Web Portal, Sophia Gracer will define a “resource ownership” and a “resource security” attestation policy.
• Through the Web Portal, William Buckley can attest to the access for the data he owns.
• Sophia Gracer will also create a Resource Ownership policy that will specify that William Buckley should attest to the owner of the Human Resources Folders. The owner was assigned using the “calculated perceived owner”, which is based on activity level. In this case, the owner should be Becky Roberts. For details, see Establish Data Ownership on page 27.
To create an attestation policy
1. Sophia Gracer logs in to the Web Portal and selects Compliance | Attestation Policies from the menu. To create a new policy, she selects New attestation policy.
She enters the policy details, including the name, type (a template with basic workflow and object definitions), approval policy (whether the attestation will be performed by the resource’s owner or a specified user), schedule, and the number of days within which the attestation must be completed.
2. For the Resource Security policy, she selects the objects for the attestation by clicking the Add condition icon.
For this scenario, we will show how to include specific resources.
Figure: Sample policy creation form
3. She selects the required resources and clicks OK.
4. When she is satisfied with the policy, she saves it.
The same process will be followed to create the resource ownership attestation policy. This example shows the creation of a Resource Ownership policy for the Human Resources share, with William Buckley being assigned as the Attestor.
Figure: Sample resource selection
Once created, the policy is in place and runs according to the selected schedule. It will be received by the employee who will perform the attestation, based on the policy settings. They will see it listed under their Actions when they log in to the Web Portal.
However, as the Compliance Officer, she can choose to force the attestation policy to run immediately from the Manager.
To immediately create attestation cases
1. In the Manager, select Attestation.
2. In the Navigation view, select Attestation Policies.
3. Double-click the new attestation policy.
4. In the Tasks view, select Change master data.
5. In the Tasks view, select Run attestation for single objects.
6. Select the object to run the attestation policy against, and click Run.
The attestation policy will immediately run and be received by the employee who will perform the attestation. They will see it listed under their Actions when they log in to the Web Portal.
Figure: Sample resource ownership policy
To perform an attestation
1. When a user logs in to the Web Portal, they can choose to view their pending attestations from the My Actions menu.
When William Buckley logs in to the Web Portal, he will see the pending “resource ownership” attestation.
2. If he is satisfied that he can attest to the resource ownership, he can select Approve and Save.
Figure: Sample pending attestation view
When an attestation is performed, Identity Manager creates a report for the attestor responsible.
The attestor checks the report. They verify the correctness of the data and initiate any changes that need to be made if the data conflicts with internal rules. Attestation is rerun once the changes have been made.