Segregation of Duties and Access Analysis walk through look like?

In this guide, we'll look at the process for reviewing access for users in your environment, the key points that will help generate better identity controls, and improve the overall health of your security.

Heal your applications

Step 1 - risky decisions.

Assuming you have identified the applications/services that are in-scope, the first step is to align risks that your organization wants to address. If you don't have a Risk and Control Matrix (RACM) or it is not adequate enough for this process, rest assured there is a solution (a small plug for predefined rules we have available).

This step is arguably the most labor intensive part as the permissions or privileges within the application should be reviewed for risk. If you have an SoD/Access matrix with rules such as: "Create Supplier Vs Pay Supplier" or "Create Payroll Vs Approve and Run Payroll" it is easier to start to find these permissions/privileges in the chosen application.

It is important from a risk perspective to not only evaluate transactional segregation of duties, but also to look at transactions vs configurations. Why? A user that can configure a transaction should not be able to run it without excellent controls, what is to stop them changing how a transaction processes to their benefit, and then running it?

When preparing rules, try and "tag" them for easier analysis once the results come in, for example, if a rule relates to Accounts Receivable, tag the rule so that when reviewing with that department (and they will have to be involved to help solve any access issues in their departments) the data can be grouped to make the review more productive.

Lastly, any existing controls that exist should be factored in such as workflow approval and other compensating controls. If a user has access to permissions that may allow approval, it could be a false positive, in other words the user has access, but cannot approve because they do not have the approval that comes in a workflow.

Step 2 - gathering the evidence.

Evaluating the rules you have against the permissions and settings. This can be done via the delivered reports in the application, and this is an easier approach than creating your own as then you have to evaluate the reports that are custom for any issues.

There are key questions and considerations:

Are both active and inactive users included in the report? We should only be looking at active users for the period of review.

Are there any settings that would make a user read-only? If the user has access to sensitive information, it may be negated by the read only which prevents them from

Can workflow approval and any other controls be easily reported on and understood? Many older applications relied on developers writing code or database queries to execute workflows.

If a process spans several applications, and or services can the processes be easily matched up? For example a user might be able to Open and Close Accounting Periods in one application, and then enter Journals in another (inflating Financial information). Could this conflicting access be easily reported on?

Step 3 - the results are in!

The results may prove overwhelming at first, with many "violations" of rules, there could be spreadsheets with thousands, tens of thousands or more rows of users and violating access. At this point we should be looking to break this information down in a number of ways to make it easier to understand. Based on step 1 where we "risk ranked" the risks we want to review, we can start with the critical risks. These should be the ones that demand immediate attention.
Here are a number of ways the analysis can be made easier:

* Work your way through the rules by risk ranking.

* Break the data down, look at roles and their combinations rather than users. 200 users could all have one role that is causing the issue that has been identified. This is where Role Based Access Control delivers, because it helps break down the audit/analysis process. We can fix the Role and in turn change the access for 200 people.

* Ensure the relevant department managers are available and the data is easy to read, while some have the application knowledge and skills, some won't.

We can't solve the decision making as to who should have what access, but we can solve:

* A comprehensive list of rules for each of your applications and services, aligned to your own risks - saving you the time to do so.

* Analysis within and across applications and services, all without your staff/resources and time.

* Results with actions and insights, broken down for easy understanding and where necessary, guidance through the remediation process.

Save time, money, and gain assurance - let us help you to gain better confidence over the security and controls in your environment.

To discuss your requirements, you can schedule a call with us: