mailing list archives
Re: User access certification
From: "gig" <gigabit () satx rr com>
Date: Mon, 24 Dec 2007 12:12:14 -0600
Take a look at
The nutshell is that the Identify Warehouse takes input in the form of text
files to aggregate user access information. It then correlates the data and
allows for application owners to validate security using a web-interface.
It's not cheap, but if your company is serious this is the way to go...
----- Original Message -----
From: "sphinx white" <sphinxwhite () gmail com>
To: <security-basics () lists securityfocus com>
Sent: Monday, December 17, 2007 10:25 AM
Subject: User access certification
In our company we are currently conducting "user access certification"
The purpose of the project is to:
* review user accounts by their direct managers and make sure they
have appropriate access rights and privileges are granted on "least
privilege" principle according to their responsibilities;
* get rid of shared accounts;
* cleanup accounts that belong to people that left the company;
This is one of the SOX requirement and has to be done periodically.
Right now the process is not automated and all information and
evidence exchange are organized simply via email and excel docs which
is very inefficient since we have about 40 business critical systems
and thousands of users.
My question is does anybody use any software packages that automate
the process like id-certify for example for the purpose?
I appreciate your input on this.