5 minute read time

Assessing Your Access Governance Capabilities (Part 1 of 3)

by   in Cybersecurity

Some of you may remember a few months back where I mapped NetIQ security offerings to NIST zero trust tenets as documented in their 800-207 publication. While zero trust isn’t something you buy off the shelf, the NetIQ platform gives customers a tangible head-start that enables them to implement adaptive technologies to raise either security or usability of a session based on current risk. It does this by bringing together risk and access control capabilities in a way unique in the industry. Like my zero trust blog, these next three will take the same NIST approach for identity governance and administration (IGA). It will use the access control chapter (3.1) in the NIST Special Publication 800-171 and apply it to least privilege security. As can be seen here, Nick Nikols does a great job calling out the importance of least privilege as foundational part of a zero trust architecture. Put together, this three part series as a planning framework: measuring your current least privilege capabilities, assessing the gaps, and applying the NetIQ portfolio to address those gaps.

Assessing Your Access Governance CapabilitiesMeasuring Your Current Least Privilege Capabilities

As you evaluate the maturity of your access governance infrastructure, take a moment to assess the levels of risk that your sensitive resources pose to your organization. It’s quite possible that your IT or Security teams have risk assessment artifacts that list out the vulnerabilities (predisposition and severity) as well as the potential range of impact from improper access (malicious or otherwise) to those resources. The more concrete your understanding of the threat landscape that your digital resources pose to you, the more accurate your ratings to the questions below will be.

Unfortunately, this is not an interactive form, however you can either download the attached word doc to get a form that will add up your answers, or copy and paste it into another document and use the number scale below to total your answers and then assess the results. 

Our security team takes an aggressive least privilege approach to granting access to controlled information and privileged accounts. That is that we ensure that no higher entitlements or permissions are granted beyond what is necessary for individuals to accomplish their functions.


We have applied least privilege principles to the development, implementation, and operation of our organizational systems. In concert with our organizational design, our processes, roles, and accounts are purpose built to achieving least privilege.


We take a wholistic approach to separation of duties (SOD) that spans across the full range of systems and application domains to protect against malevolent collusion.


Our separation of duties (SOD) controls are automated to ensure timely enforcement of access permissions.


We can easily define and enforce policy for who should have access to what and when approval is necessary and have involved our line of business managers.


It is simple for users to request access and for managers to approve access requests.


I am confident that our business managers and application owners have the information they need to make an informed decision on who should be granted access to controlled resources.


I am confident that our business managers and application owners do a thorough and complete job when performing the required scheduled access certification reviews.


Getting the right people, the right access is a fast process that does not consume too much staff time.


For our controlled information and resources (regulated or sensitive), we know who has access to what.


Our digital fulfillment systems are “closed loop;” meaning, that we can attest that we fulfilled and revoked access permissions that enforce government and corporate policy.


Through our application and access management systems, we maintain comprehensive and accurate historical records of when individuals accessed sensitive resources.


All of our governance records and logs are tightly secured and monitor to prevent modification or deletion.




Assessing the Results

Now that you’ve done your best to measure your access governance capabilities, below are the breakouts of where your organization may fit. Of course, these generalized descriptions don’t take into account the industry that your organization is in, nor is it a direct indicator of whether you will be subjected to a find.

< 26

You likely have a solid IGA solution in place. Consider a review of your tools and processes to ensure that your implementation is future-proof.

27 – 38

You have done a good job at putting some key identity and access controls in place, but there is still some work to do to reduce organizational inefficiencies and reduce your risks from access misuse.

39 – 51

You may have a few identity and access management solutions in place, but demonstrating access control and ensuring users get access when they need it is hard if the solutions are not integrated.

52 <

Your organization is likely at risk from outside attack or misuse of access by employees, with a high potential for audit findings. Consider an IGA solution from a trusted vendor.

Scores of 39 and above, an IGA solution can help you reduce your overall attack surface by minimizing access rights to only those essential for the business. It can also help you to streamline access fulfillment, so it is easy for the business to manage, while users get easy and fast access to the assets and applications they need when they need them.

In part 2 of this series I’ll pull key suggestions from NIST Special Publication 800-171 on how to address your gaps in your identity governance posture. Meantime, be sure to check out an increasingly popular extension to IG, Data Access Governance.

More Information

Join our Community. Have technical questions about NetIQ Identity Governance and Administration? Visit the Identity Governance and Administration User Discussion Forum. Keep up with the latest Tips & Info about NetIQ Identity Governance and Administration. Do you have an Idea or Product Enhancement Request about Identity Management? Submit it in the Identity Governance and Administration Idea Exchange. We’d love to hear your thoughts on this blog. Log in or register to comment below.


Identity & Access Mgmt