One of the things that wasn't touched on in the article is how executive sponsorship and oversight fit into attestation. Attestation is useless unless the metrics around it are tracked and clearly visible within the business. I might faithfully review my attestation reports every quarter, but it doesn't really help if other business owners in the organization don't. Attestation for attestation's sake is bound to fail, but attestation as a job, business or company performance indicator has a much greater chance of success.
A great example is Quest's own corporate policies and how we are each required to attest, on an annual basis, that we have read them. If you don't, your manager and our CEO know you haven't, and they let you know it. Attestation goes hand-in-hand with accountability.
Q: How does attestation help sustain compliance through access accountability?
A: Good attestation software lets IT refer an auditor's questions about why an access decision was made to the data owner who made it. By pointing the auditor at the accountable person, the burden of compliance is placed on the data owner, where it belongs. Good attestation software will also provide a historical report showing where the data owner granted or revoked access, as well as when they completed each attestation review.

Over time, access changes, so periodic attestation reviews are usually conducted, typically quarterly or yearly. This ensures the business treats security and compliance as ongoing requirements rather than one-time events, resulting in better security and sustained compliance.
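The two capabilities described in this answer, referring the auditor to the accountable data owner and producing a history of that owner's grants, revokes and completed reviews, plus the overdue check implied by a quarterly or yearly cadence, are small enough to show in code. The following is an added example written for this page, not Quest code or any product's API; the resource names, owner names and dates are constructed, and the 90-day default review period is an assumption standing in for "quarterly".

```python
"""Attestation ledger: accountable owner per resource, the owner's grant/revoke
decisions, and whether their periodic review is overdue.
Added example (not Quest code); resource, owner and account names are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessEvent:
    when: str         # ISO date of the decision
    resource: str
    subject: str      # account whose access changed
    action: str       # "grant" or "revoke"
    decided_by: str   # data owner who made the decision


@dataclass(frozen=True)
class ReviewEvent:
    when: str         # ISO date the review was completed
    resource: str
    reviewer: str


class AttestationLedger:
    """Append-only record that ties every access decision to an accountable owner."""

    def __init__(self, owners):
        self.owners = dict(owners)   # resource -> accountable data owner
        self.access = []
        self.reviews = []

    def record_access(self, ev):
        # Refuse decisions that cannot be attributed to the registered owner, so the
        # trail never contains a change that nobody is accountable for.
        owner = self.owners.get(ev.resource)
        if owner is None:
            raise KeyError(f"no data owner registered for {ev.resource}")
        if ev.decided_by != owner:
            raise PermissionError(f"{ev.decided_by} is not the owner of {ev.resource}")
        if ev.action not in ("grant", "revoke"):
            raise ValueError(f"unknown action {ev.action!r}")
        self.access.append(ev)

    def record_review(self, ev):
        if self.owners.get(ev.resource) != ev.reviewer:
            raise PermissionError(f"{ev.reviewer} may not attest for {ev.resource}")
        self.reviews.append(ev)

    def accountable_for(self, resource):
        """The person IT refers the auditor to for decisions about this resource."""
        return self.owners[resource]

    def history(self, owner):
        """Chronological report: the owner's grants/revokes and completed reviews."""
        rows = [(e.when, e.resource, e.action, e.subject)
                for e in self.access if e.decided_by == owner]
        rows += [(r.when, r.resource, "review", r.reviewer)
                 for r in self.reviews if r.reviewer == owner]
        return sorted(rows)

    def overdue(self, as_of, period_days=90):
        """Resources whose last completed review is older than period_days, or missing.
        period_days=90 is an assumed stand-in for a quarterly cadence."""
        cutoff = date.fromisoformat(as_of)
        report = []
        for resource, owner in sorted(self.owners.items()):
            done = [r.when for r in self.reviews if r.resource == resource]
            last = max(done) if done else None   # ISO date strings sort chronologically
            if last is None or (cutoff - date.fromisoformat(last)).days > period_days:
                report.append((resource, owner, last))
        return report


def try_record(ledger, ev):
    """Return None if the decision was accepted, else the reason it was refused."""
    try:
        ledger.record_access(ev)
    except (KeyError, PermissionError, ValueError) as exc:
        return str(exc)
    return None


def build_sample_ledger():
    """Constructed sample data: two resources, two owners, one of them behind on reviews."""
    ledger = AttestationLedger({"finance-share": "alice", "hr-db": "bob"})
    ledger.record_access(AccessEvent("2024-01-10", "finance-share", "carol", "grant", "alice"))
    ledger.record_access(AccessEvent("2024-02-03", "hr-db", "dave", "grant", "bob"))
    ledger.record_access(AccessEvent("2024-03-15", "finance-share", "carol", "revoke", "alice"))
    ledger.record_review(ReviewEvent("2024-03-31", "finance-share", "alice"))
    # bob has never completed a review of hr-db, so it shows up as overdue
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("auditor asks about finance-share ->", ledger.accountable_for("finance-share"))
    for row in ledger.history("alice"):
        print(row)
    print("overdue as of 2024-07-15:", ledger.overdue("2024-07-15"))
```

The design choice worth noting is that the ledger refuses any decision not made by the registered owner rather than recording it with a blank "decided by" field: an audit trail with unattributable entries is exactly what leaves IT, rather than the data owner, holding the compliance burden. The `overdue` report is what an executive dashboard would surface so that an owner who skips reviews is visible, not just the one who does them.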