Governance & Policies

Governance policies translate regulatory requirements, security principles, and business rules into enforceable access controls. A well-defined policy framework provides the foundation for consistent, auditable identity governance across the enterprise.

Policies answer the question: “What are the rules governing access to our systems and data?” Without clear policies, identity governance is ad hoc, inconsistent, and un-auditable.

The Governance Policy Framework

Policy Hierarchy

```text
Regulatory Requirements (SOX, GDPR, PCI, HIPAA)
        │
        ▼
Enterprise Security Policies
├── Access Control Policy
├── Identity Management Policy
├── Password Policy
└── Remote Access Policy
        │
        ▼
IAM-Specific Policies
├── User Provisioning Policy
├── Access Certification Policy
├── Role Management Policy
├── SoD Policy
└── Privileged Access Policy
        │
        ▼
Technical Implementation (IGA rules, RBAC, JIT, PAM)
```

Policy Components

| Component | Description | Example |
|---|---|---|
| Policy title | Unique name | "Privileged Access Request Policy" |
| Purpose | Why the policy exists | "To ensure all privileged access is approved, time-limited, and audited" |
| Scope | Who/what the policy applies to | "All employees, contractors, and third parties with privileged access" |
| Policy statements | Specific, enforceable rules | "All privileged access requests must be approved by the system owner" |
| Enforcement mechanism | How the policy is enforced | "IGA platform enforces approval workflow; PAM system enforces JIT elevation" |
| Exceptions | When and how exceptions are granted | "Emergency break-glass with post-hoc review" |
| Compliance reference | Which regulation the policy supports | "Maps to SOX Section 404 and PCI DSS Requirement 7" |

Key IAM Governance Policies

Access Control Policy

Defines who can grant, modify, and revoke access:

| Policy Statement | Enforcement | Compliance Mapping |
|---|---|---|
| Access requests must be authorised by the requestor's manager | IGA approval workflow | SOX 404, ISO 27001 A.9.2.1 |
| Access must be provisioned within 24 hours of approval | Automated provisioning | Internal SLA |
| Access must be reviewed at least annually | Certification campaign | PCI DSS 7.2, HIPAA §164.308 |
| Terminated employees' access must be removed within 1 hour | Automated deprovisioning | SOX 404, GDPR Art. 17 |

Password Policy

Defines password requirements and authentication controls:

| Policy Statement | Enforcement | Compliance Mapping |
|---|---|---|
| Passwords must be at least 12 characters | IdP policy, password filter | NIST SP 800-63B, PCI DSS 8.3.6 |
| Passwords must be checked against breach databases | Azure AD Password Protection, Pwned Passwords API | NIST SP 800-63B |
| MFA must be enabled for all administrative access | Conditional Access policy | PCI DSS 8.4.2, CISA BOD 24-02 |
| Passwords must not contain common patterns or keyboard walks | Password strength validation | Industry best practice |

Access Certification Policy

Defines the access review program:

| Policy Statement | Enforcement | Compliance Mapping |
|---|---|---|
| All user access must be certified at least annually | IGA certification campaign | SOX 404, PCI DSS 7.2, HIPAA |
| Manager is the default certifier for direct reports | IGA reviewer assignment | Industry best practice |
| Uncertified access must be revoked within 30 days | Automated revocation after campaign | PCI DSS 10.3 |
| Privileged access must be certified quarterly | Monthly privileged access review | NIST SP 800-53 AC-2 |

Policy Lifecycle

```text
Create ──→ Approve ──→ Publish ──→ Enforce ──→ Monitor ──→ Review ──→ Update
                                                                        │
                                                                        └──→ Retire
```

| Phase | Activity | Owner |
|---|---|---|
| Create | Draft policy text, define scope, identify enforcement mechanism | Policy owner (e.g., CISO, IAM architect) |
| Approve | Review and approve policy | Policy committee, legal, compliance |
| Publish | Communicate to affected users, update documentation | Communications, IAM team |
| Enforce | Implement enforcement in IGA/PAM systems | IAM operations |
| Monitor | Track compliance with policy, identify gaps | IAM operations, compliance |
| Review | Assess policy effectiveness, incorporate lessons learned | Policy owner |
| Update | Modify policy based on review findings | Policy owner |
| Retire | Decommission obsolete policy | Policy owner, compliance |

Exception Management

Not every scenario fits within standard policies. Exception management governs when and how policies can be temporarily set aside.

Exception Types

| Exception Type | Duration | Approval Required | Review Frequency |
|---|---|---|---|
| Temporary exception | < 30 days | Manager + policy owner | At exception expiry |
| Extended exception | 30-90 days | Manager + policy owner + compliance | Monthly |
| Permanent exception | Indefinite | CISO or delegate (rare) | Quarterly |
| Emergency bypass | < 24 hours | Post-hoc review required | Within 5 days of incident |

Exception Workflow

```text
Exception Request → Risk Assessment → Approval Decision → Grant Exception → Monitor → Expire/Renew
```

| Phase | Description |
|---|---|
| Exception request | User submits exception with business justification, duration, and proposed compensating controls |
| Risk assessment | Security team assesses the risk of granting the exception and the adequacy of compensating controls |
| Approval decision | Policy owner approves or denies based on risk assessment |
| Grant exception | Exception recorded in IGA system, time-limited access granted |
| Monitor | Compensating controls monitored for effectiveness; exception reviewed at defined intervals |
| Expire/Renew | Exception expires automatically; renewal requires re-approval |

Caution

Exceptions are the leading cause of policy erosion. Without strict exception management — documented justification, limited duration, executive approval, and regular review — exceptions become permanent, and the policy becomes meaningless. If more than 5% of access is under exception, the policy is likely too restrictive and should be revised.

Policy Compliance Monitoring

| Monitoring Method | Frequency | What It Detects |
|---|---|---|
| Automated policy check | Real-time or daily | Entitlements that violate policy rules |
| Reconciliation | Daily | Differences between intended and actual access |
| SoD scan | Weekly | New SoD violations |
| Access certification | Quarterly or annually | Access not validated by managers |
| Audit log review | Continuous | Suspicious access patterns |
| Policy attestation | Annual | Formal confirmation that policies are still accurate |
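As an added example (not code from this page or from any IGA product), the Python below is the kind of automated policy check the table describes: it applies four rules taken from the tables above (terminated users hold no access, uncertified access is revoked within 30 days of the campaign, exceptions must not outlive the duration allowed for their type, and more than 5% of access under exception flags the policy itself) to a constructed entitlement export. The record fields and the sample data are assumptions made for the example.

```python
from datetime import date

# Maximum exception duration in days per type, from the Exception Types table.
# None means indefinite (a permanent exception never expires on its own).
MAX_EXCEPTION_DAYS = {"temporary": 30, "extended": 90, "permanent": None, "emergency": 1}
EXCEPTION_RATIO_THRESHOLD = 0.05   # ">5% of access under exception" guidance
UNCERTIFIED_GRACE_DAYS = 30        # uncertified access revoked within 30 days

def check_entitlements(records, today):
    """Return (rule, user, entitlement) tuples for every record that breaks a rule."""
    violations = []
    for r in records:
        # Deprovisioning rule: a terminated user must hold no entitlement at all.
        if r["user_status"] == "terminated":
            violations.append(("terminated-user-access", r["user"], r["entitlement"]))
        # Certification rule: access not certified in the last campaign is overdue
        # for revocation once the 30-day window after the campaign has passed.
        if (not r["certified"] and r["campaign_end"] is not None
                and (today - r["campaign_end"]).days > UNCERTIFIED_GRACE_DAYS):
            violations.append(("uncertified-access-overdue", r["user"], r["entitlement"]))
        # Exception rule: an exception older than its type's limit should have expired.
        exc = r.get("exception")
        if exc:
            limit = MAX_EXCEPTION_DAYS[exc["type"]]
            if limit is not None and (today - exc["start"]).days > limit:
                violations.append(("exception-expired", r["user"], r["entitlement"]))
    return violations

def exception_ratio(records):
    """Fraction of entitlements currently covered by any exception."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.get("exception")) / len(records)

def policy_too_restrictive(records):
    """True when the exception ratio exceeds the 5% guidance from the page."""
    return exception_ratio(records) > EXCEPTION_RATIO_THRESHOLD

# Constructed sample export (assumed field names; not real data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    {"user": "alice", "user_status": "active", "entitlement": "crm-admin",
     "certified": True, "campaign_end": date(2024, 3, 31), "exception": None},
    {"user": "bob", "user_status": "terminated", "entitlement": "vpn-user",
     "certified": True, "campaign_end": date(2024, 3, 31), "exception": None},
    {"user": "carol", "user_status": "active", "entitlement": "erp-postings",
     "certified": False, "campaign_end": date(2024, 3, 31), "exception": None},
    {"user": "dave", "user_status": "active", "entitlement": "db-dba",
     "certified": True, "campaign_end": date(2024, 3, 31),
     "exception": {"type": "temporary", "start": date(2024, 4, 1)}},
]
```

Running `check_entitlements(SAMPLE, TODAY)` on the constructed data flags bob (terminated), carol (uncertified for 62 days) and dave (temporary exception open for 61 days); with one of four entitlements under exception the ratio is 0.25, which trips the 5% check and is why a tiny sample like this is only illustrative.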

Key Takeaways

  • Governance policies translate regulatory requirements and business rules into enforceable access controls — they form the foundation of consistent, auditable identity governance
  • The policy hierarchy spans regulatory requirements → enterprise security policies → IAM-specific policies → technical implementation rules
  • Key IAM governance policies include access control, password, and access certification — each with specific policy statements, enforcement mechanisms, and compliance mappings
  • The policy lifecycle (create → approve → publish → enforce → monitor → review → update → retire) ensures policies remain current and effective
  • Exception management governs when policies can be temporarily set aside — strict controls (documented justification, limited duration, executive approval, regular review) prevent policy erosion
  • If more than 5% of access is under exception, the policy is likely too restrictive and should be revised rather than accumulating exceptions