With the start of a new year many people are focusing on what lies ahead for 2015. In cases such as the previous quarter's audit we are looking backwards to see how we did. Sadly, when we mention auditors in any capacity people get a sense of unease in the pit of their stomachs. I, on the other hand, look to this time frame not only to reflect on what went well and not so well, but also to learn from those experiences.

One area where people may have challenges with regard to audits is access management. For a moment, think about how your organization manages access as it pertains to your applications.

IT organizations basically manage the way that access is granted to key systems through three activities:
Onboarding – A person is starting a new position or role and access is granted via a manual process, or automated with tools, and may be verified against a “source of truth” authority such as SAP.
Changes / Modifications – A person is moving to a different position or role and will require different levels of access, which again may be done manually or automated through a toolset.
Offboarding – A person is leaving a position or role in one way or another and the termination process drives the removal of access, either manually or through tools.
For the most part, validating onboarding and offboarding (joiners and leavers) may be the simplest to define:
“Gillian starts on Monday and will need access to application x to do her work” (Onboard)
“Desmond has quit, remove access” (Offboard)

It is the “Changes / Modifications” component that may need to be tightened up from a process perspective. Managing users and roles across the enterprise, especially a large and diverse one, can be quite complex when there is no underpinning process to govern it.
For example, let’s suppose we have an employee who works in Business Unit “A” and is moving to work in Business Unit “B”. Now think again about the way your organization handles changes or modifications in access:
When people change roles, does your Access Management process discontinue all access from role A and then grant access to role B in a seamless way?
How is access to roles validated? The dreaded “just mirror John Smith” can create major access issues.
Could lingering access from Business Unit A follow this person to the new role?
Are there segregation-of-duties concerns in the role’s access that we should be worried about?
You really need to ask yourself whether your overall Access Management process is checked on a regular cadence (quarterly, annually). I can already hear some people saying, “we have an automated tool that handles all of this.” Just because it is automated does not mean it is working or still valid. The process governing how the tool works should be validated just like the situation above.
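The kind of periodic checkpoint described above can be expressed as a reconciliation between three inputs: the HR “source of truth” (who is active and in which role), a role-to-entitlement model (what each role is supposed to carry), and what the provisioning tool has actually granted. The script below is an added example, not code from the original post; the role model, segregation-of-duties rule, HR feed and grant list are constructed sample data with placeholder names. It flags the mover scenario (Business Unit A access that followed Gillian to Business Unit B), “mirrored” access that no current role justifies, a leaver whose access survived offboarding, and a segregation-of-duties conflict, and it shows the revoke-then-grant step a role change should perform.

```python
"""Periodic access review: reconcile provisioned grants against the HR
"source of truth" and a role-to-entitlement model.

Added example, not from the original post. ROLE_ENTITLEMENTS, SOD_RULES, HR
and GRANTS are constructed sample data; role and entitlement names are
placeholders, not any real system's identifiers.
"""

# Role model: the entitlements each role is supposed to carry (constructed).
ROLE_ENTITLEMENTS = {
    "BU-A Analyst": {"app-x:read", "app-x:write", "fileshare-a"},
    "BU-B Analyst": {"app-y:read", "app-y:write", "fileshare-b"},
    "BU-B Approver": {"app-y:approve"},
}

# Segregation-of-duties rules: entitlements one person must not hold together (constructed).
SOD_RULES = [frozenset({"app-y:write", "app-y:approve"})]

# HR source of truth: current status and role(s) per person (constructed).
# Gillian has moved from Business Unit A to Business Unit B.
HR = {
    "gillian": {"status": "active", "roles": {"BU-B Analyst"}},
    "carlos": {"status": "active", "roles": {"BU-B Analyst", "BU-B Approver"}},
    "priya": {"status": "active", "roles": {"BU-A Analyst"}},
    "desmond": {"status": "terminated", "roles": set()},
}

# What the provisioning tool actually has in place (constructed).
GRANTS = {
    "gillian": {"app-x:read", "app-x:write", "fileshare-a",   # BU-A access never revoked
                "app-y:read", "app-y:write", "fileshare-b"},
    "carlos": {"app-y:read", "app-y:write", "fileshare-b", "app-y:approve"},
    "priya": {"app-x:read", "app-x:write", "fileshare-a", "app-y:read"},  # "mirrored" a colleague
    "desmond": {"app-x:read"},   # left, but offboarding never removed this
}


def expected_entitlements(roles, role_model):
    """Union of the entitlements the role model assigns to the given roles."""
    expected = set()
    for role in roles:
        expected |= role_model.get(role, set())
    return expected


def apply_role_change(held, old_roles, new_roles, role_model):
    """Mover step: revoke everything the old roles carried, then grant the new roles.

    Returns the entitlement set the person should hold after the move. The old
    roles' entitlements are removed before the new ones are added, so access
    from the old role cannot follow the person into the new one.
    """
    revoked = expected_entitlements(old_roles, role_model)
    granted = expected_entitlements(new_roles, role_model)
    return (set(held) - revoked) | granted


def review_access(hr, grants, role_model, sod_rules):
    """Return (user, finding_type, detail) tuples for every deviation found.

    finding types:
      orphaned  - grant held by a leaver or an identity HR does not know
      lingering - grant not justified by any current role (mover leftovers, mirroring)
      missing   - role entitlement that was never provisioned
      sod       - the held grants violate a segregation-of-duties rule
    """
    findings = []
    for user, held in grants.items():
        record = hr.get(user)
        if record is None or record["status"] != "active":
            findings.extend((user, "orphaned", e) for e in sorted(held))
            continue
        expected = expected_entitlements(record["roles"], role_model)
        findings.extend((user, "lingering", e) for e in sorted(held - expected))
        findings.extend((user, "missing", e) for e in sorted(expected - held))
        for rule in sod_rules:
            if rule <= held:
                findings.append((user, "sod", "+".join(sorted(rule))))
    # Active people known to HR but absent from the grant list are missing everything.
    for user, record in hr.items():
        if user not in grants and record["status"] == "active":
            expected = expected_entitlements(record["roles"], role_model)
            findings.extend((user, "missing", e) for e in sorted(expected))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(HR, GRANTS, ROLE_ENTITLEMENTS, SOD_RULES):
        print(f"{kind:9} {user:8} {detail}")
    # What Gillian's access should look like if the move were processed as revoke-then-grant.
    after_move = apply_role_change(GRANTS["gillian"], {"BU-A Analyst"}, {"BU-B Analyst"}, ROLE_ENTITLEMENTS)
    print("gillian after correct move:", sorted(after_move))
```

Running the review is the quarterly (or annual) checkpoint; each finding maps to one of the questions above. The “lingering” category is the one the mover process is most likely to produce, and a “missing” finding with no matching ticket is often a sign that the automated tool’s role model has drifted from what the business actually uses.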
Remember, finding gaps in the process and mitigating risk shouldn’t be something that only happens as a result of an issue. Regular process checkpoints should allow you and your organization to act on these proactively before they become issues. This is why your auditors should be your trusted advisors, in the sense that they are looking to ensure that you are protecting your corporate ass(ets). You shouldn’t be concerned with what your auditors find; rather, it is what they don’t find that you should be concerned about.
Follow me on Twitter @ryanrogilvie or connect with me on LinkedIn
Labels: Access Management, Audit, IT Governance, ITIL, ITSM