Use Cases

LGPD

It's not just about generating the evidence, it's saving it and finding it.
Within the LGPD, you may be required to submit evidence of compliance with its rules. Will you be prepared?

Whats

The LGPD (General Personal Data Protection Law, No. 13,709/2018) is national data protection legislation. Companies of every size are subject to this new legislation. With the advent of the practice of massive disclosure of users' personal data on the internet, the law emerges as a way to give citizens answers about how their information is being used.

Currently, the body responsible for supervising and regulating the correct use of this information is the National Data Protection Agency (ANPD), with support from the Public Prosecutor's Office and other bodies. Failure to comply with established regulations, intentionally or not, is expected to bring fines of up to 2% of all company revenues, which, if high, could mean the loss of millions of reais.

The most responsible and safe way to guarantee requirements for good security practices and data confidentiality, avoiding major losses, is the adoption of an automated system that guarantees the appropriate and instantaneous review of this information.

How access management facilitates compliance with the LGPD and protects your business.

AccessOne bases its actions on Identity Governance and Administration (IGA), which is responsible for ensuring that the right people have the necessary access to the appropriate corporate resources, at the appropriate time and with legitimate need.

Fast review

The use of the Identity and Access Management (IAM) feature allows you to configure, by requestable profiles, risk levels and/or whether a given profile provides access to personal data (linked to the LGPD).

Questions and Answers

How does the system impact operational efficiency?

AccessOne brings an immediate reduction of manual work and allows the automatic creation of credentials for new employees in the various corporate systems, freeing your team to carry out other tasks.

Do I need to have a hired employee just to handle the system?

Your current team will be trained and accompanied by the AccessOne team to manage the system. We continue to accompany our customers even after the installation phase.

How automatic can my system be?

You can create policies for automated access by company, unit, department, or position. Access to systems and email is generated at the same time, and there is also self-service password reset in a secure and centralized manner for all corporate systems. The HR department also sees an efficiency gain, because personal data from HR (company, headquarters, sector, position, telephone, e-mail, etc.) is updated automatically in all integrated systems.

How does installing the system make my data more secure?

AccessOne allows identification of improper credentials and access, excessive permissions, and mismatches between the access a user holds and their function within the company. Employees who have left the company and third parties that stop providing services can be removed quickly. It is also possible to identify shared passwords.

Is my data 100% secure with this system?

Any system with human access can be breached, but detecting risks related to access granted and adopting control mechanisms is essential for a company's data security. AccessOne generates visibility of identities and accesses so that it is possible to quickly identify non-compliant access, access granted without authorization, orphan accounts (whose owner is unknown), dormant accounts, etc., and to adopt control measures rapidly and easily.

How can I use this system to assist with audits?

It provides agile mechanisms for identifying and reviewing non-compliant accesses, allowing access reviews (mass or micro reviews) to be created to adequately certify and prove (for auditing purposes) the actual need for existing accesses.

Do I comply with LGPD requests with this system?

It has several relevant mechanisms regarding privacy legislation (LGPD - General Data Protection Law), standards and good practices.


How can Identity and Access Management and Governance systems increase your compliance with the LGPD?

There's no question: The arrival of the LGPD completely changes the way most companies do business. The various articles of the law not only formalize rights of holders, but also establish requirements for the processing of personal data whose adoption is a significant challenge.

Privacy is not exactly a new topic, especially in certain segments, such as the financial market and hospitals, which usually deal with sensitive data from numerous people, and therefore already adopt several measures to guarantee the security and privacy of information. However, even more mature companies will have to make adjustments in the way they collect, process, store, or share personal data to comply with the LGPD.

An essential point of the LGPD is transparency in operations. According to the new law, data subjects have the right to know how their data was collected, what type of treatment is carried out and what is the legal basis for this treatment, and even who has access to their personal data. In fact, the identity of the owner is closely linked to most articles of the LGPD, reinforcing the need for an effective identity and access management program, which guarantees the protection of personal data against unauthorized access and from situations (accidental or unlawful) of destruction, loss, alteration, communication, or even any form of inadequate or illicit treatment.

In its articles 46 and 49, the LGPD is quite clear about the need for technical and administrative controls to protect personal data. An important point towards compliance is to understand that many of the necessary measures are easily adopted when you have Identity and Access Governance:

Segregation of functions:

Controlling access profiles, ensuring that conflicting or even excessive permissions are not granted, is essential to prevent unauthorized access, or even illegal situations where company employees make unauthorized use of personal data.

Minimum Privilege:

Adopting the principle of minimum privilege is a vital step in protecting personal data. In this way, it is possible to guarantee that users will have contact with personal data only when this is necessary to carry out their work activities. It's important to remember that excessive access is one of the most common causes of data breaches, and mitigating this type of vulnerability must be a priority in any LGPD compliance program.

Access review:

Of course, if you have already created user profiles adopting measures such as minimum privilege and segregation of functions, the possibility of errors related to access management is already much lower. However, it is important to remember that a user rarely keeps the same access for long. The dynamism of the business environment implies constant changes in responsibilities, and it is not uncommon that, in mere weeks, a new employee who has just arrived at your company demonstrating growth potential will receive more and more activities to perform and, consequently, new accesses. In the long term, this means that veterans can accumulate roles and responsibilities that, if left unanalyzed, can generate conflicting situations. In addition, of course, there will always be a need to revoke access, such as in the case of vacations, leaves of absence and termination. Periodically reviewing the validity of the access granted is essential to avoid errors or even situations of illicit use of personal data.

Privileged access management:

Administrators and other users with advanced or privileged access are a vital consideration when protecting personal data. While it is natural that there are users with administrative or root access to system functions and, consequently, personal data, it is important to maintain strict control of the activities carried out with these accounts. For example, all privileged access must be easily identified, as well as who are the individuals who have this type of access. Unfortunately, cases of using generic accounts such as 'administrator', 'root', 'admin', 'sa' are still fairly common. Being able to individualize administrative access, as well as to track the activities performed, helps mitigate risks such as accidental or deliberate misuse of access to personal data.

Record user activities:

Even users with unprivileged access can make regular use of personal data or even sensitive personal data. Having records of user activities helps prevent or even deal with possible incidents. While many corporate applications already have their own auditing tools, a good Access and Identity Management solution must be able to keep records such as information about the last accesses (e.g. date, time, source IP), or even alert when there is anomalous behavior on the part of the user, such as the simultaneous use of the same access account, which may indicate a possible sharing of credentials.

User lifecycle management:


Identity and Access Management and Governance Errors and Personal Data Breaches

In practice, an Identity and Access Governance process is one of the most important corporate governance tools, especially when it comes to personal data protection and compliance with the GDPR. Numerous recent cases of data breaches can easily be linked to failures in managing user access, and this goes far beyond the employees and third parties that make up your company. Especially in cases where the organization provides services to the general public, systems that are not implemented and/or managed with the appropriate permissions to access personal data in mind inevitably become protagonists in severe incidents.

Using Identity and Access Management and Governance to Simplify Compliance for the LGPD

Part of the requirements of the LGPD includes the creation of a privacy governance program that clearly demonstrates the organization's commitment to adopting internal processes and policies that ensure comprehensive compliance with standards and good practices regarding the protection of personal data. Like any information security control, the effectiveness of your Identity and Access Management and Governance depends on three basic factors: people, processes, and technologies.

While the importance of having a mature process, in addition to properly qualified people aware of their responsibilities, cannot be minimized, one of the great challenges in this journey is the complexity of the technological aspects, which include the use of multiple solutions, with different characteristics for access management, which most of the time requires manual action by and

Without a specific solution for Identity and Access Management and Governance, many organizations simply fail to carry out steps essential to LGPD compliance, and significantly increase their level of exposure to personal data breaches. Organizations that adopted the AccessOne platform were able to implement a complete and mature process in a short time, employing good practices based on international standards, reducing the complexity of IT environments, and managing access dynamically, with automated operational activities, allowing the organization to demonstrate its commitment to data protection and compliance with the law.

© AccessOne 2024. All rights reserved.