Youattest Logo

What is CCM and Access Governance?

Every day, cyberattacks and data breaches affect organizations around the world. Thousands of tools have been deviced to detect and mitigate these attacks. This is where a new category of products and services come in, Continuous Control Monitoring (CCM). And then a question arises about what is CCM and Access Governance?

Image #1:   Continuous Control Monitoring (CCM) is imperative requirement for today’s security environment, as is CCM for Identity.

CCM is considered to be part of continuous auditing where a set of automated procedures monitor the internal controls. Some of the controls monitored by CCM include authorizations, access, system configurations and business process settings.

CCM In the New The World of Constant Hacks

To combat this evolving threat of hacks, the number of regulations requiring organizations to implement internal controls has also grown, resulting in demand for more efficient and effective controls. Continuous control monitoring will help organizations to meet this need and establish effective cybersecurity controls.

Continuous Control Management (CCM) refers to the practice of using automated tools and other technologies to ensure that cybersecurity controls are fully operational and protective of resources. Through CCM, data from security, IT, and business domains are centrally managed so that gaps in security coverage can be identified at their root cause so that they can be eliminated. Controls may never have been deployed or be configured incorrectly, which creates vulnerabilities in cybersecurity that may remain undetected. By receiving real-time insight into cybersecurity gaps, it makes them easier to fill before they can be exploited by hackers and other cybercriminals.

CCM Types

For organizations looking to establish CCM as part of their cybersecurity measures, the process should begin by identifying processes or controls outlined in industry frameworks or regulations. By doing this, organizations can establish which controls are suitable for monitoring through CCM. After identifying controls, the goals of each control should be defined.

The next step is to define which automated tests can measure the effectiveness of controls in meeting the defined objectives. Tests should be able to identify what the data would look like if goals were met or not. ISACA classifies tests at the following, which “correspond to traditional audit processes or evidence types”:

  1. Asset management queries
  2. Electronic transaction confirmations
  3. Electronic statement queries
  4. Re-performance of selected controls
  5. Observation
  6. Analytical procedures
  7. Automating collation of responses

Organizations should then determine the frequency of each process being monitored so that tests can be conducted close to when the processes occur. Through the continuous monitoring of controls, organizations can gain actionable insight into key risk indicators so that they can make changes to their security processes when needed.

What is CCM and Access Governance

The esteemed identity analyst group KuppingerCole, in a Aug-2020 paper on Access Governance & Intelligence sited key areas where CCM can help manage identities and access.   These include:

  • Role Management:  The definition, creation and assigning of roles
  • Attestation:   Periodic access attestation and certification
  • Auditing:   View of access-related events
  • Access Request Mgmt:   Management approval of access request
  • Privilege Management:   Audit of privilege accounts
  • EAG Support:  Entitlement and access governance

YouAttest CCM for Okta and Other Identities

YouAttest exactly follow the KuppingerCole suggested practices of identity governance on CCM.   YouAttest is designed to:

  • Regularly review access control
  • Regularly review access changes
  • Audit by User, Group and application
  • and…
  • Trigger on changes in privilege groups and identity related events (seem image #2)

Image #2:  YouAttest performs identity CCM by setting triggers and forcing attestations on key security controls, including admin security groups. ( What is CCM and Access Governance )

Benefits of YouAttest CCM

Various entities in the enterprise can benefit from YouAttest CCM identity solution.

For the CEO, they can benefit from reduced compliance costs, increased transparency, measurable ROI and business value, and an increased compliance posture. The compliance team can detect compliance issues in real-time for real-time response, as well as benefit from superior risk management and overall compliance. Both internal and external auditors can benefit from better risk assessment, on-demand data, detection of possible management interference, and increased confidence in management review.

With YouAttest, in real-time an enterprise can receive assurance that controls and processes in place are performing as expected. If controls are failing, they can implement corrective actions in real-time before they can result in data breaches, hackers, or other detrimental cybersecurity events.

YouAttest is the only cloud-based IGA platform that deploys in minutes and conduct identity Continuous Control Monitoring for Okta.   YouAttest is ready for your first CCM Attestation – “7 Steps in 7 minutes for your First Access Review“, contact us we will show you how.

Please feel free to write to us if you feel like we are missing out on important info about “What is CCM and Access Governance” in order for us to provide best information to our readers.