Risk Management, Recertification, SoD and Compliance with internal and external regulations are difficult to achieve without the use of governance programs.

For some time now, Identity Management has not only included provisioning and process automation. Governance and compliance with internal (ICS) and external regulations (DSGVO, VAIT, etc.) have clearly been brought to the fore. Some of these regulations can no longer be implemented without the use of governance programs for existing data volumes. It is simply no longer possible to provide the information required for an audit manually.

TIMETOACT supports you with experience gained during the introduction and implementation of governance projects for various customers. Our strengths are the development and implementation of holistic recertification and SoD concepts and risk assessment in the IT environment. Our offer also includes the creation of role concepts and their elaboration in dialogue with the business departments. 

Your benefit from Governance:

Basis for the fulfilment of legal and internal requirements:

  • Provision of security information for the auditor 
  • Database for forensic prosecution in case of a security incident
  • Standardization and enforcement of security rules  
  • Ensuring that the data is up-to-date
  • Minimizing the risks of security incidents 
  • Enforcement of SoD
  • Guarantee of Least Privilege and Need-To-Know 

All services in the Application Lifecycle:

Analysis and evaluation of suitable products:

  • Professional and technical conception 
  • Technical implementation
  • Maintenance and development
  • Recertification as a Managed Service

Different areas of Identity Governance:

Risk Management

Risiko Management im Bereich der Governance immer wichtiger

The requirements for risk management in the field of governance are multiplying. In the zero trust environment, this becomes relevant on the content level to allow access to sensitive data. 

The risks are considered on different levels in Identity Management and result in a risk index for each identity in the company. This index is the result of the sensitivity of the data to be accessed and the combination of the different access authorizations from role assignments.

We help you to recognize the interrelationships and effects of risks in the environment of a holistic view of cyber security and to mitigate them.


Due to internal company regulations and/or regulatory requirements of legislation, companies often have to ensure that the users of IT systems only receive and possess those rights they need to perform their tasks. Increased requirements demand that rights are only granted once. Otherwise, shared rights represent a business risk (see SoD). The implementation of recertifications helps to meet these requirements.

Process of Recertification

Rights – e.g. in the form of roles or groups – are often initially assigned to a user for an unlimited period of time. The recertification process checks whether the conditions for the assignment of a right still apply and whether a right can be retained or must be withdrawn. In recertification campaigns which recur at regular intervals, the authorizations are presented to the group of people who can assess this – e.g. line managers or specialist managers. The organization and execution of the campaigns are tool-supported, and any withdrawal of authorizations is immediately provisioned after the recertification decision.

Occasional Recertification

Occasional recertifications aside from campaigns are caused when certain events occur. For example, when a user is transferred, existing authorizations may not simply be revoked, but a professional decision must be made on whether to continue or revoke them. As part of the transfer process, the relevant authorizations are automatically submitted to the responsible recertifier – e.g. the previous or future line manager – for review.

Objects of Recertification

Recertifications are applied to various objects. Users and authorizations but also roles are regularly submitted for recertification. In order to counteract an excessive demand on the mostly technically involved departments, comprehensive planning is necessary here as well. Ready-made recertification plans can be adapted to the respective conditions with the customer.

SoD (Separation of functions)

In order to avoid conflicts of interest, the allocation of mutually exclusive rights is monitored and, if necessary, prevented from the very start. The BaFin (banking supervisory authority for insurance companies) demands, for example, a separation of front and back office within the framework of the MaRisk (minimum requirements for risk management) for credit institutions. As a result, critical rights to processes, functions and resources from these two areas may not be combined in one person. Appropriate authorization concepts must be available in order to derive relevant SoD rules.

These rules are evaluated when rights are requested and/or assigned. If rule violations are detected, the further procedure depends on the classification of the SoD conflict in terms of criticality and risk: Either the assignment of rights is rejected because of the rule violation, or the assignment of rights is allowed despite the rule violation. As a third option, the authorization to be assigned is submitted to a corresponding committee for approval within the framework of a workflow. Breaches of rules are documented in any case.

The check for SoD conflicts always includes all authorizations of all digital identities of a person. It also takes any authorization hierarchies (role hierarchies) into account. TIMETOACT checks the underlying legal requirements and advises your company on the practical implementation. 

Such regulatory requirements exist for a variety of industries and companies. For example:


GDPR & IT Basic Protection


MaRisk BA BaFin & BAIT



Critical Infrastructures (KRITIS)

§8a BSIG: BSI-KritisV


The main objective in the use of IGA programs is not only to increase security but also to achieve and fulfill regulatory requirements. These are driven internally either by an ICS or by external requirements. Whether in banks, insurance companies, healthcare or industry, the provision of proof of compliance can only be achieved through Identity Management.

TIMETOACT is able to save a lot of time in the implementation of projects due to its knowledge of the regulatory requirements and its expertise in the use of IGA possibilities.

The right vendor for every project:

Logo IBM Platinum Partner

Our Success Stories:

Sprechen Sie uns zu Governance gerne an!

Karl-Heinz Masser
Sales Director DACHIPG Information Process Group GmbH DeutschlandContact
Kerstin Gießner
Sales Manager GermanyIPG Information Process Group GmbH DeutschlandContact