USE CASE
Simplified Compliance and Auditing
Account and access management processes that are by design demonstrably compliant with relevant information security and privacy guidelines.
How to Ensure Demonstrable Compliance in a Complex, Dynamic It Landscape
In organisations that sometimes have hundreds or thousands of different users, working with dozens of applications and data sources, managing individual user accounts and access rights is a complex task. How can we address this so that the organisation is not only certain of its compliance with current information security guidelines, but can also easily demonstrate that compliance?
Identity-Driven Security, With Zero-Trust as the Starting Point
Thanks to its automated and fully role-based account and rights management, the HelloID platform aligns with the ‘least privilege’ concept. This principle is at the core of modern information security guidelines. Combined with fully automated exception processing and extensive audit trail and reporting capabilities, following the ‘least privilege’ principle ensures that HelloID is easily auditable and demonstrably compliant.
Automated and business-driven account management
- The account lifecycle (onboarding, transitioning, offboarding) is fully automated and driven by business systems.
- When employment is terminated, accounts are automatically cleaned up. No more risk of data breaches due to active, forgotten accounts.
- Access rights are managed based on an individual’s user role. Access is on a ‘need to know’ basis, eliminating an unwanted accumulation of rights.
- Rights adjustments as a result of organisational changes are easily processed by modifying business rules.
Automated exception management
- Automated request process for additional and/or temporary access rights.
- Configurable approval processes to guarantee separation of duties for every type of rights request.
- Adjustable duration for service requests, in order to prevent unwanted accumulation of rights.
Monitoring
- Attempts to access systems and data are centrally logged and can be quickly analysed for the purpose of reporting and audits.
- Reports listing all granted access rights, which can be grouped based on users (or user groups), departments, roles, etc.
- Overview of applied business rules and changes to these rules.
- Reports of rights requests, including information regarding applicants and evaluators.
Features
How We Establish a Compliant and Auditable Identity and Access Management System
7 steps that can each be configured using low-code or no-code solutions
- Source system: Integration of HelloID with source systems such as HR, SIS and/or scheduling systems. This way, changes in the source data are automatically available in HelloID.
- People: Conversion of data about people/roles from source systems to a common representation within HelloID using an ‘identity vault’.
- Business rules: Determining rules that determine which roles are granted which types of accounts and access rights, and under what conditions.
- Target systems: Linking HelloID to on-premises and/or cloud-based applications. This can be executed step by step per application.
- Service processes: Automating processes, including online approval flows and activation in target systems. This can be carried out step by step for each process.
- Access management: Set up access procedures, such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), in conjunction with — for example — Active Directory.
- Reporting and auditing: Configuring standard and client-specific reports and monitoring functions for analysis and audits.
Frequently Asked Questions
The ISO 27001 standard is a widely applied standard for information security. This standard is focused on establishing a risk-driven information security plan that we keep up to date with a so-called Plan, Do, Check and Act cycle (PDCA). In addition, there are sector-specific standards such as the BIO (Baseline Information Security Government) and NEN 7510 (Information security in healthcare). BIO and NEN 7510 both use ISO 27001 as a starting point, but they refine it with specific guidelines and recommendations for their respective sectors.
HelloID uses an automated and fully role-based account and rights management system that aligns with the ‘least privilege’ concept, a fundamental principle of modern information security guidelines. In addition, thanks to HelloID’s extensive audit trails and reporting capabilities, your organisation’s compliance is easy to audit and easy to demonstrate.
Not strictly speaking, but the GDPR does directly impact your information security. The GDPR (General Data Protection Regulation) is privacy legislation, and it has a broader scope that extends beyond just information security. The GDPR dictates which personal data about citizens organisations and individuals may and may not collect, and how they may use this data. It also includes strict rules on how to secure such personal data to prevent unwanted dissemination (a data breach). Information security guidelines such as ISO 27001, BIO and NEN 7510 help you comply with GDPR requirements.
When an employee leaves the organisation, their user account is automatically cleaned up by HelloID, eliminating the chance of data breaches due to active, forgotten accounts. This process is automatic and driven by business systems, such as the HR system.
HelloID has an automated request process for additional and/or temporary access rights. This process is configurable and uses approval processes to ensure separation of duties. Moreover, an adjustable duration can be set for service requests, in order to prevent unwanted accumulation of rights.