OrgChart-Centric Certification
ID-Certify® can use organization chart data to identify the relationships between managers and their subordinates. Using this data, managers can be asked to review the access rights of their subordinates. Requests to managers, reminders, change authorizations and the like are all driven by the ID-Certify workflow engine.
The ID-Certify process for org-chart-centric certification works as follows:
- ID-Certify periodically (e.g., quarterly or semi-annually, according
to corporate policy) requires managers to review the access rights
of their staff. Certification requests are sent by e-mail; the
workflow engine sends automatic reminders and escalates unanswered
requests up the management chain, above the manager who failed to respond.
- Managers respond by signing into ID-Certify with their network or
directory login ID and password to start their certification process.
- The dashboard interface presents managers with a list of their staff,
asking them to identify any staff (user profiles) that no longer
work for the organization. These will be removed later.
- For each remaining, legitimate user, an access profile is displayed,
with a list of login accounts on ID-Certify target systems. Target
systems are described by name, a description of their business
function and a link to an external HTML page providing further
identifying information, such as screen-shots and longer descriptions.
- Managers identify no-longer-needed accounts and flag them for later
removal.
- Managers view a list of the security group memberships that their staff
hold on target systems. As with login accounts, security groups
are identified by name, a description of their business function
and a link to a pop-up HTML help page. Managers are asked to identify
group memberships that are no longer appropriate.
- Managers complete the process above for every direct subordinate
and provide an electronic signature after reading a statement to
the effect that their access review is complete and they certify
that the remaining users, accounts and group memberships are appropriate.
- After a manager completes the review and certification, any
proposed changes (removed users, deactivated accounts, eliminated
group memberships) are bundled into security change
requests and submitted to the ID-Certify workflow engine.
These requests will normally require further authorization from
system owners or higher managers, and will ultimately lead to users,
accounts and group memberships being deleted from target systems.
- Certifications roll up through the organization's
hierarchy. Manager A cannot sign off on his own certification
until all of his subordinate managers (B, C, ...) have signed
off on theirs. This creates downward pressure through the
organization to complete the review process, since upper managers
are motivated to complete it by regulatory requirements (e.g.,
Sarbanes-Oxley, HIPAA, etc.). That motivation drives the
certification process to completion across the whole organization.
- Since no manager has more than a modest number of direct subordinates, this process scales to even the largest organizations. The time needed to complete an enterprise-wide review depends on the depth of the organizational hierarchy, not on the organization's size.
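The roll-up and scoping rules above are easy to get wrong in a home-grown certification tool, so here is a small model of the campaign as described: each manager reviews only their own direct reports, a sign-off is refused until every subordinate manager has signed, accepted decisions are bundled into change requests that still await owner approval, and the number of sequential sign-off rounds equals the depth of the management tree rather than the head count. This is an added example and not ID-Certify code; the org chart, target systems and access data are constructed sample input, and the `Campaign`, `Review` and `SignOff` names are this example's own.

```python
"""Model of an org-chart-centric access certification campaign.

Added example, not ID-Certify code. ORG and ACCESS below are constructed
sample input; the class and method names are this example's own.
"""
from dataclasses import dataclass, field

# Constructed org chart: user -> manager (None marks the top of the hierarchy).
ORG = {
    "ceo": None,
    "cfo": "ceo", "cto": "ceo",
    "ap_mgr": "cfo", "dev_mgr": "cto",
    "alice": "ap_mgr", "bob": "ap_mgr",
    "carol": "dev_mgr", "dave": "dev_mgr",
}

# Constructed access data: user -> {target system -> groups held there}.
# A target system mapped to an empty set is a login account with no groups.
ACCESS = {
    "cfo": {"erp": {"finance_exec"}}, "cto": {"git": {"admin"}},
    "ap_mgr": {"erp": {"ap_manager"}}, "dev_mgr": {"git": {"dev"}, "prod_db": set()},
    "alice": {"erp": {"ap_clerk"}, "ad": {"finance"}},
    "bob": {"erp": {"ap_clerk", "ap_approver"}},
    "carol": {"git": {"dev"}, "prod_db": {"dba"}},
    "dave": {"git": {"dev"}},
}


@dataclass
class Review:
    """One manager's decisions about their direct reports."""
    manager: str
    removed_users: set = field(default_factory=set)          # staff who have left
    deactivated_accounts: set = field(default_factory=set)   # (user, target)
    removed_groups: set = field(default_factory=set)         # (user, target, group)


@dataclass
class SignOff:
    accepted: bool
    reason: str
    change_requests: list = field(default_factory=list)


class Campaign:
    def __init__(self, org, access):
        self.org, self.access = org, access
        self.signed = set()            # managers who have certified
        self.change_requests = []      # bundled requests awaiting further approval

    def direct_reports(self, manager):
        return {u for u, m in self.org.items() if m == manager}

    def is_manager(self, user):
        return bool(self.direct_reports(user))

    def pending_subordinate_managers(self, manager):
        """Subordinate managers who have not yet signed off on their own reviews."""
        return {u for u in self.direct_reports(manager)
                if self.is_manager(u) and u not in self.signed}

    def sign_off(self, review):
        mgr, reports = review.manager, self.direct_reports(review.manager)
        if not reports:
            return SignOff(False, f"{mgr} has no direct reports to certify")
        if mgr in self.signed:
            return SignOff(False, f"{mgr} already signed off")
        # Scope check: decisions may only concern the signer's own direct reports.
        touched = (review.removed_users | {u for u, _ in review.deactivated_accounts}
                   | {u for u, _, _ in review.removed_groups})
        if touched - reports:
            return SignOff(False, f"out of scope: {sorted(touched - reports)}")
        # Decisions must refer to accounts and memberships that actually exist.
        for u, t in review.deactivated_accounts:
            if t not in self.access.get(u, {}):
                return SignOff(False, f"no account for {u} on {t}")
        for u, t, g in review.removed_groups:
            if g not in self.access.get(u, {}).get(t, set()):
                return SignOff(False, f"{u} is not in {g} on {t}")
        # Roll-up rule: every subordinate manager must have signed first.
        pending = self.pending_subordinate_managers(mgr)
        if pending:
            return SignOff(False, f"waiting on {sorted(pending)}")
        # Bundle the decisions into change requests; removing a user subsumes
        # that user's account- and group-level requests.
        reqs = [{"type": "remove_user", "user": u} for u in sorted(review.removed_users)]
        reqs += [{"type": "deactivate_account", "user": u, "target": t}
                 for u, t in sorted(review.deactivated_accounts) if u not in review.removed_users]
        reqs += [{"type": "remove_group", "user": u, "target": t, "group": g}
                 for u, t, g in sorted(review.removed_groups) if u not in review.removed_users]
        for r in reqs:
            r.update(requested_by=mgr, status="awaiting_owner_approval")
        self.change_requests += reqs
        self.signed.add(mgr)
        return SignOff(True, "certified", reqs)

    def is_complete(self):
        return all(u in self.signed for u in self.org if self.is_manager(u))

    def rounds_to_complete(self):
        """Sequential sign-off rounds needed: the depth of the management tree,
        independent of how many users sit under each manager."""
        memo = {}

        def depth(u):
            if u not in memo:
                subs = [r for r in self.direct_reports(u) if self.is_manager(r)]
                memo[u] = 1 + max((depth(r) for r in subs), default=0)
            return memo[u]
        return max(depth(u) for u in self.org if self.is_manager(u))


if __name__ == "__main__":
    c = Campaign(ORG, ACCESS)
    print(c.sign_off(Review("cfo")).reason)          # refused: ap_mgr has not signed yet
    print(c.sign_off(Review("ap_mgr", removed_users={"bob"})).reason)
    print(c.sign_off(Review("cfo")).reason, "rounds:", c.rounds_to_complete())
```

With the sample org chart the campaign needs three rounds (ap_mgr and dev_mgr, then cfo and cto, then ceo) whatever the number of individual contributors under each first-line manager, which is the scaling property the last bullet describes. The scope check is the piece worth keeping in any real implementation: without it, a manager could submit removals for users outside their own team and the sign-off would still be recorded as theirs.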


