Security Control - Risk-based Governance
Description

Access enforcement based on risk posture derived from at least one risk engine (Cloud Access Security Broker, Fraud & Risk, UEBA, SIEM).

Components and Required Capabilities

Identity Governance

  • Must have the ability to initiate an attestation campaign
  • Must have the ability to call out to Fraud & Risk to update user status

Fraud & Risk

  • Must have the ability to send risk status to the requesting tool as a defined value (low, moderate, high, extreme)

Best Practice Recommendation

For certifications, when using entitlements only, consider a direct-manager capability that allows a manager to review all subordinates at one time for the period of the certification. Highly restricted apps, privileged access, etc. may require 90-day reviews, whereas all other access could be reviewed yearly.
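The following is an added illustration (not part of this control document) of how the capabilities above fit together: one or more risk engines report the defined value (low, moderate, high, extreme), the highest reported value becomes the risk posture, and the posture drives the enforcement action, whether Identity Governance starts an attestation campaign and calls out to Fraud & Risk to update user status, and the 90-day versus yearly review cadence. The mapping from posture to action and the fail-closed handling of unknown values are assumptions chosen for the example, not requirements stated in the control.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class RiskLevel(IntEnum):
    """The defined values Fraud & Risk sends to a requesting tool, ordered by severity."""
    LOW = 0
    MODERATE = 1
    HIGH = 2
    EXTREME = 3


_LEVELS = {level.name.lower(): level for level in RiskLevel}


def parse_risk(value: str) -> RiskLevel:
    """Parse one engine's status. An unrecognised value is an error (fail closed),
    never silently treated as low risk."""
    try:
        return _LEVELS[value.strip().lower()]
    except KeyError:
        raise ValueError(f"unrecognised risk status: {value!r}") from None


def combined_posture(statuses: dict[str, str]) -> RiskLevel:
    """Posture across engines (CASB, UEBA, SIEM, Fraud & Risk): the highest reported
    value wins. At least one engine must have reported."""
    if not statuses:
        raise ValueError("no risk engine reported a status")
    return max(parse_risk(v) for v in statuses.values())


@dataclass(frozen=True)
class Decision:
    posture: RiskLevel
    action: str               # "allow", "step_up" or "deny" (assumed action names)
    start_attestation: bool   # Identity Governance initiates an attestation campaign
    update_user_status: bool  # Identity Governance calls out to Fraud & Risk


def enforce(statuses: dict[str, str]) -> Decision:
    """Assumed policy table: thresholds are illustrative, not prescribed by the control."""
    posture = combined_posture(statuses)
    if posture is RiskLevel.LOW:
        return Decision(posture, "allow", False, False)
    if posture is RiskLevel.MODERATE:
        return Decision(posture, "step_up", False, False)
    if posture is RiskLevel.HIGH:
        return Decision(posture, "deny", True, False)
    return Decision(posture, "deny", True, True)  # EXTREME


def next_review(last_reviewed: date, highly_restricted: bool) -> date:
    """90-day cadence for highly restricted apps and privileged access, yearly otherwise."""
    return last_reviewed + timedelta(days=90 if highly_restricted else 365)
```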

Interaction Diagram