Creating Reviews Based on Risk
Some clients prefer to review users who have high-risk access more frequently than they run their standard reviews. In this situation, it's helpful to set up reviews so that only people who have high-risk permissions are reviewed.
NOTE: These instructions assume you're already comfortable with the process of creating and managing reviews. If you're not already comfortable with creating reviews, refer to the review checklist for a high-level overview of the process. Then, dig into the details within the Creating a New Review and Manage Reviews sections.
Step 1 - Risk rate permissions
Make sure that the critical and high-risk permissions within each application are rated appropriately.
Step 2 - Create your review
To create a review that shows only people with high or critical risk permissions, complete the following steps:
- Go to the Manage menu and select Reviews.
- Select the Create Review button in the upper-right corner of the page. The Create Review page is displayed as shown below:
- Select the Start a new review from scratch link (below the "Choose a Priority" button).
- Enter the review information, such as name, diligence, review type, and so on, as you normally would.
- Within the Reviewers area, add a conditional rule for each reviewer.
  - Select the Insert review requirement for [Security Team] field, pick a role from the list, and then select the Add Rule link.
  - Select the always field and pick conditionally.
  - Select the application field and pick privileges.
  - Select the None field and pick the level of risk you want to review. For example, if you only want to review critical permissions, pick Critical. If you want to review any user that has high or critical permissions, pick High.

  When your rule is complete, it should look something like this:
  With a rule like the example above, only users that have high or critical risk permissions would be reviewed by application managers.
- Select comment, timeline, and notification options as usual.
- Select Save to save your changes. The review will be set to "Draft" status.
- Select the Applications tab, and add your applications as usual.

  Friendly Reminder! :)
  If you haven't already imported the latest application data, don't forget to do that before the review is started.
- When all changes have been made, you can start the review whenever you're ready.