| Security Control | Risk-based Governance |
| --- | --- |
| Description | Access enforcement based on a risk posture derived from at least one risk engine (Cloud Access Security Broker, Fraud & Risk, UEBA, SIEM). |
| Components and Required Capabilities | Fraud & Risk |
| Best Practice Recommendation | For certifications, when using entitlements only, consider a direct-manager capability that lets a manager review all of their subordinates at one time for the period of the certification. Highly restricted applications, privileged access, and similar high-risk entitlements may require 90-day reviews, whereas all other access could be reviewed yearly. |
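The Description row above says enforcement is driven by a risk posture from at least one risk engine. The following is an added illustration of what that decision logic can look like, not code from the control catalogue or from any vendor product: the engine names, the thresholds, the signal-freshness window and the sample signals are all assumptions. It takes the maximum score across fresh signals (any single engine can raise the posture, none can lower it), tightens thresholds for restricted resources, and fails closed when no engine has reported, which is the "at least one risk engine" requirement made concrete.

```python
"""Risk-based access enforcement: combine scores from one or more risk
engines (CASB, fraud & risk, UEBA, SIEM) into a single enforcement decision.
Added illustration; engine names, thresholds, freshness window and the
sample signals below are assumptions, not a vendor API or real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # e.g. require phishing-resistant MFA or re-auth
    DENY = "deny"


@dataclass(frozen=True)
class RiskSignal:
    engine: str          # assumed names: "casb", "fraud", "ueba", "siem"
    score: int           # 0 (benign) .. 100 (confirmed malicious)
    observed_at: datetime


# Assumed values for illustration; tune to your own risk appetite.
MAX_SIGNAL_AGE = timedelta(minutes=15)
THRESHOLDS = {
    # tier: (step_up_at, deny_at)
    "standard": (40, 75),
    "restricted": (20, 50),   # privileged / highly restricted apps
}


def risk_posture(signals, now, max_age=MAX_SIGNAL_AGE):
    """Return (aggregate score, contributing engines), or (None, []) when
    no engine has produced a fresh, well-formed signal."""
    fresh = [s for s in signals
             if now - s.observed_at <= max_age and 0 <= s.score <= 100]
    if not fresh:
        return None, []
    # Max over engines: one engine flagging risk is enough to raise the
    # posture; a quiet engine cannot mask another engine's finding.
    return max(s.score for s in fresh), sorted({s.engine for s in fresh})


def enforce(signals, resource_tier, now=None):
    """Map the current risk posture to an enforcement decision and reason."""
    now = now or datetime.now(timezone.utc)
    if resource_tier not in THRESHOLDS:
        raise ValueError(f"unknown resource tier {resource_tier!r}")
    step_up_at, deny_at = THRESHOLDS[resource_tier]
    score, engines = risk_posture(signals, now)
    if score is None:
        # The control requires at least one risk engine. With none
        # reporting, fail closed: deny restricted resources outright and
        # challenge (rather than silently allow) everything else.
        decision = Decision.DENY if resource_tier == "restricted" else Decision.STEP_UP
        return decision, "no fresh risk signal from any engine"
    reason = f"score {score} from {engines}"
    if score >= deny_at:
        return Decision.DENY, reason
    if score >= step_up_at:
        return Decision.STEP_UP, reason
    return Decision.ALLOW, reason


# Constructed sample signals for a demonstration run (not real telemetry).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    RiskSignal("ueba", 15, NOW - timedelta(minutes=2)),   # fresh, low
    RiskSignal("casb", 55, NOW - timedelta(minutes=5)),   # fresh, elevated
    RiskSignal("siem", 90, NOW - timedelta(hours=3)),     # stale, ignored
]

if __name__ == "__main__":
    for tier in THRESHOLDS:
        decision, reason = enforce(SAMPLE, tier, now=NOW)
        print(f"{tier:11s} -> {decision.value:8s} ({reason})")
    decision, reason = enforce([], "restricted", now=NOW)
    print(f"no signals  -> {decision.value:8s} ({reason})")
```

With the constructed sample the same posture (55, from CASB and UEBA; the three-hour-old SIEM score is discarded) yields a step-up challenge for a standard resource but a denial for a restricted one, and an empty signal set denies restricted access rather than falling open. Whatever thresholds you adopt, the stale-signal and no-signal branches are the ones to test first, since they are where a risk engine outage would otherwise turn into silent allow.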