Monitoring Compliance Requirements with Lumos
Last updated: October 7, 2024
Background
"Are we on track to complete our user access reviews on time?" "How effectively am I managing access to my sensitive applications?" "Am I effectively removing terminated accounts?" "Am I overprovisioning?" "How can I report on the progress of my access review to leadership?"
Lumos has your back - introducing Lumos Analytics for Compliance Reporting.
By leveraging Lumos for managing your applications, you can quickly get the answers you need to report to leadership and identify the biggest opportunities to improve how you manage access to your most sensitive systems.
Quarterly Access Review Snapshot
At a glance, see your in-scope applications and how many of them are due for review under the quarterly review cadence commonly expected for SOC 2, SOX, ISO 27001, PCI DSS, HITRUST and similar user access review requirements.
Overall Review Metrics
In-Scope Apps — the number of apps manually selected as in scope. By default, Lumos initially selects the apps that were included in any historical access reviews.
Apps Requiring Review — the number of in-scope apps with no completed access review within the standard 90-day audit window.
Upcoming Review Deadlines
Stay on top of deadlines for ongoing access reviews involving relevant apps. Easily monitor:
Time left until the next review deadline
Any overdue reviews
Progress with a simple completion bar showing the # of app reviews completed out of the total
Review History
With just one glance, easily determine the last review date of your most sensitive apps, enabling you to identify candidates for user access reviews.
Understanding Trends in High-Risk Access
Track and monitor how effectively you are removing terminated employee access for all in-scope apps.
Identify apps with potential offboarding gaps by reviewing the per-app breakdown of total terminated accounts, enabling you to initiate a user access review and take action to remove unnecessary access.
Understanding the Impact of your Access Review
Report on the volume of work done over the course of your review in terms of # of accounts reviewed and see how that trends over time with Lumos.
Volume of Reviewed Accounts
View the total number of accounts reviewed
For a permission-based review, an account is counted if any permission has been reviewed for that account.
View trend for the Last Month, 3 Months, 6 Months and 12 Months.
View trend as a Weekly or Monthly time series.
Volume of Rejected Accounts
Monitor how the total amount of access rejected (marked for removal) during access reviews changes over time with Lumos.
Report on progress being made to remove unnecessary access and assess whether you're successfully reducing the frequency of unnecessary access cases that require removal over time.
Breakdown of Apps with Rejected Accounts
Analyze the per-app breakdown of rejected access to pinpoint apps whose access controls may be insufficient: an app that consistently needs extensive access removal during reviews, particularly of terminated users' access, is a sign that provisioning or offboarding for that app is not keeping up.
Review Decision Breakdown
Easily view and report on the overall review progress across your app reviews.
Share the final decision breakdown for recently completed reviews.
Toggle between account reviews and permission reviews to see the decision breakdown for each review type:
See the accepted/rejected/modified breakdown by the total # of accounts across all account reviews, or
See the accepted/rejected/modified breakdown by the total # of permissions reviewed across all permission-based reviews
FAQ
How did Lumos identify my in-scope applications?
When you first join Lumos, your list of in-scope apps is empty. Lumos then checks daily whether you have run any user access reviews and uses the apps included in those reviews to populate the list of apps that should undergo compliance review.
After that initial population, the list is not updated automatically. You can add or remove in-scope apps manually at any time to keep the classification accurate.
How are you calculating the counts for accounts reviewed?
In Lumos, we facilitate two primary types of user access reviews: account reviews and permission level reviews. Here's how they contribute to this total count:
Account Reviews: during the chosen time frame, an account is counted once if it was included in an account review for any in-scope application.
Permission Level Reviews: Similarly, for permission level reviews during the selected time period, an account is counted if at least one permission associated with that account has been reviewed for any in-scope applications. In essence, any account that has had even a single permission reviewed is considered in the count for permission level reviews.
Why am I not seeing any data for terminated employee access?
Lumos began collecting this data for our customers starting on January 7th. As a result, any information prior to this date is not included in the chart displaying terminated employee access.
Why am I seeing terminated employee access for some accounts that I removed in an access review?
Most likely these accounts were rejected in a user access review of a manual application. A rejection records the decision to remove access, not confirmation that it was removed. Because Lumos has no live connection to a manual application, it continues to treat those accounts as potentially active for reporting purposes until you upload a new user list for that application that no longer contains them.
How do I stop seeing test reviews as upcoming reviews?
Any reviews that are currently in progress are automatically included in your Upcoming Review Deadlines report. You have the option to either complete these ongoing reviews or remove them from the list by deleting them from your in-progress reviews.
How does Lumos determine which apps are requiring review?
Lumos uses a 90-day window, matching the quarterly review cadence that auditors commonly expect under standards such as SOC 2, SOX, HITRUST and ISO 27001 (the frameworks themselves require periodic reviews without prescribing a fixed interval). If an in-scope application has not had a user access review completed within the last 90 days, it is classified as requiring review.
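The following is an added example, not Lumos code, that implements the counting rules stated in the two FAQ answers above ("How are you calculating the counts for accounts reviewed?" and "How does Lumos determine which apps are requiring review?") together with the in-progress deadline and per-app rejection breakdowns described earlier on this page. The data model (a Review with a decision per reviewed account or permission), the app names, the account names and the dates are all constructed for illustration; the rules it encodes are the page's own: a 90-day window, one count per account in a permission review no matter how many of its permissions were reviewed, decision breakdowns per account for account reviews and per permission for permission reviews, and in-progress reviews showing up as upcoming (or overdue) deadlines.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

REVIEW_WINDOW_DAYS = 90  # quarterly audit window described on the page

# Key is (account, permission); permission is None for account-level reviews.
# Only items that were actually reviewed appear in the dict.
Decisions = Dict[Tuple[str, Optional[str]], str]


@dataclass
class Review:
    app: str
    kind: str                 # "account" or "permission" (hypothetical field names)
    deadline: date
    completed: Optional[date]  # None while the review is still in progress
    decisions: Decisions       # "accepted" | "rejected" | "modified"


def apps_requiring_review(in_scope: Set[str], reviews: List[Review], today: date) -> List[str]:
    """In-scope apps with no review completed in the last REVIEW_WINDOW_DAYS days."""
    cutoff = today - timedelta(days=REVIEW_WINDOW_DAYS)
    last_completed: Dict[str, date] = {}
    for r in reviews:
        if r.completed is None:
            continue  # an in-progress review does not satisfy the window
        if r.app not in last_completed or r.completed > last_completed[r.app]:
            last_completed[r.app] = r.completed
    return sorted(app for app in in_scope
                  if app not in last_completed or last_completed[app] < cutoff)


def accounts_reviewed(in_scope: Set[str], reviews: List[Review], start: date, end: date) -> int:
    """Distinct (app, account) pairs reviewed in [start, end].

    For a permission review an account is counted once if at least one of its
    permissions was reviewed, which is what the dict-of-keys dedupe does here.
    """
    seen: Set[Tuple[str, str]] = set()
    for r in reviews:
        if r.app not in in_scope or r.completed is None:
            continue
        if not (start <= r.completed <= end):
            continue
        for account, _permission in r.decisions:
            seen.add((r.app, account))
    return len(seen)


def decision_breakdown(reviews: List[Review], kind: str) -> Dict[str, int]:
    """Accepted/rejected/modified totals for completed reviews of one kind.

    Counts are per account for account reviews and per permission for
    permission reviews, matching the toggle described on the page.
    """
    counts = {"accepted": 0, "rejected": 0, "modified": 0}
    for r in reviews:
        if r.kind != kind or r.completed is None:
            continue
        for decision in r.decisions.values():
            counts[decision] += 1
    return counts


def rejected_accounts_by_app(reviews: List[Review]) -> Dict[str, int]:
    """Number of distinct accounts with at least one rejected decision, per app."""
    per_app: Dict[str, int] = {}
    for r in reviews:
        if r.completed is None:
            continue
        rejected = {acct for (acct, _p), d in r.decisions.items() if d == "rejected"}
        per_app[r.app] = per_app.get(r.app, 0) + len(rejected)
    return per_app


def upcoming_deadlines(reviews: List[Review], today: date) -> List[Tuple[str, int]]:
    """(app, days remaining) for every in-progress review; negative means overdue."""
    return sorted((r.app, (r.deadline - today).days) for r in reviews if r.completed is None)


# Constructed sample data: four in-scope apps, three completed reviews and one
# in-progress review that is already past its deadline.
TODAY = date(2024, 10, 7)
IN_SCOPE = {"Salesforce", "GitHub", "AWS", "Okta"}
SAMPLE_REVIEWS = [
    Review("Salesforce", "account", date(2024, 9, 30), date(2024, 9, 28),
           {("alice", None): "accepted", ("bob", None): "rejected", ("carol", None): "modified"}),
    Review("GitHub", "permission", date(2024, 9, 30), date(2024, 9, 25),
           {("alice", "admin"): "rejected", ("alice", "write"): "rejected", ("dave", "write"): "accepted"}),
    Review("AWS", "account", date(2024, 6, 30), date(2024, 6, 20),  # older than 90 days
           {("alice", None): "accepted", ("eve", None): "rejected"}),
    Review("Okta", "account", date(2024, 10, 1), None,               # still in progress
           {("alice", None): "accepted"}),
]

if __name__ == "__main__":
    print("Apps requiring review:", apps_requiring_review(IN_SCOPE, SAMPLE_REVIEWS, TODAY))
    print("Accounts reviewed since Sep 1:", accounts_reviewed(IN_SCOPE, SAMPLE_REVIEWS, date(2024, 9, 1), TODAY))
    print("Account-review decisions:", decision_breakdown(SAMPLE_REVIEWS, "account"))
    print("Permission-review decisions:", decision_breakdown(SAMPLE_REVIEWS, "permission"))
    print("Rejected accounts by app:", rejected_accounts_by_app(SAMPLE_REVIEWS))
    print("Upcoming deadlines:", upcoming_deadlines(SAMPLE_REVIEWS, TODAY))
```

With the sample data, AWS (last reviewed 109 days ago) and Okta (review not yet completed) are the apps requiring review; the GitHub review contributes two accounts to the reviewed count and one rejected account, even though it has three reviewed permissions and two rejections; and Okta shows as six days overdue. Note that the in-progress Okta review neither satisfies the 90-day window nor contributes to any decision total until it is completed, which is why finishing or deleting stale test reviews matters for the numbers you report.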