Term · 4. Roles, Policies & Access Rights
Access Certification (AC)
Definition
Periodic review process in which designated reviewers (managers, role owners, application owners) attest that users still need the access assigned to them. Required by SOX (annual), PCI DSS, SOC 2 (typically quarterly), and most audit frameworks. Each reviewed item ends in one of three outcomes: access is approved, revoked, or modified.
Application
- MidPoint: access certification supports the management of access rights by periodically reviewing who holds which rights.
Standards & regulations
- NIST SP 800-53 Rev. 5: «The organization reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].»
- NIST SP 800-171 Rev. 2: «Review accounts for compliance with account management requirements at least annually and when the system is reassigned or decommissioned.»
Sources
- NIST SP 800-53 Rev. 5 (csrc.nist.gov), primary source
Related terms
- Audit: Independent examination of identity controls, processes, and records to verify compliance with policy and regulatory req …
- Compliance: Adherence to applicable laws, regulations, standards, and internal policies governing identity and access management. Co …
- Audit Trail: Chronological record of identity events — authentication, authorization decisions, provisioning actions, configuration c …
- HR Policy: Policies governing identity lifecycle based on HR data — what triggers provisioning, what role mapping applies, what app …
- Identity Governance (IG): Discipline of policies, processes, and oversight ensuring identities have appropriate access — no more, no less — throug …
- Internal Control (IC): Process or mechanism implemented by management to provide reasonable assurance regarding effectiveness of operations, re …