Fastpath’s Frank Vukovits sat down with Derek Jamieson of the Chartered Institute of Internal Auditors to discuss the evolution of user access reviews and certifications. In case you missed it, you can access the recording of the webinar here. The webinar gave an overview of the current landscape and how access certifications have evolved to become a key part of your internal control system. Here are some of the key takeaways from an engaging conversation.
Webinar host Derek explains in his opening remarks ‘as a professional for many, many years user access reviews is one of the basic topics that we should be talking about on a regular basis’. After 30 years’ experience in Internal Audit, both Frank and Derek understand the gaps in user access reviews and the complexities of today’s business application landscape that make this topic an important focus.
One of the questions posed to attendees highlights the core challenge that businesses have with access certifications. 72% of attendees’ organizations have more than ten business applications, with some reporting a much higher number. Multiple systems are in use across the organisation, and multiple people have access to each of these systems. This creates access risks, particularly Separation of Duties (SoD) risks. It is imperative to review who has access to these systems, what they can do with that access, and whether there are any potential risks.
This problem is not going away and is only growing with complex business application systems, many variables, and many teams involved. User access reviews have evolved as the use of business applications has grown, but a lack of ownership and manual processes represent additional risk. Attendees highlighted this point: when surveyed, 49% responded that security controls in their organizations were owned by multiple departments, and 2% were not sure.
Whilst Gartner has been discussing user access reviews for over 15 years, and Fastpath has promoted the benefits of efficient access certifications in internal control systems, 46% of attendees surveyed said their organization did not perform reviews or were not sure. Only in the last few years have IT teams and application owners been discussing access certifications vs. traditional User Access Reviews (UARs). So why are they needed?
Access certifications seek to answer three main questions:
Typically, it is a time-consuming exercise to answer those questions, and organisations still take a siloed approach to access certifications. IT teams perform the role of answering these questions and provisioning access. IT should only be granting access to systems, not reviewing who has access. This creates a conflict from an audit perspective, as the same group should not be reviewing the access it has granted or provisioned. Moreover, business process owners are not usually engaged: their reviews are ad hoc, not scheduled, and left to IT by default. IT departments are often left with the task of both answering these questions and provisioning access, when they may not fully understand the roles they are approving. As Derek explains, during his career IT has been provisioning access based on profiles. As a result, ‘a temporary member of staff was given access to the wrong profile and, as a result, within 19 minutes the name Donald Duck appeared on a range of customers’ accounts’. This is an example of what can happen if IT departments are not provisioning access based on an approved request.
Evolution occurred when Business Process Owners (BPOs) took ownership of their applications. BPOs have started to schedule regular reviews, tying them to general internal control systems and ensuring separation of duties conflicts are identified, with BPOs requesting the correct access and, in turn, IT provisioning that access.
As organisations deploy best-in-class solutions for core departments, the business landscape becomes a more complex environment. Companies implementing systems such as SAP, Microsoft Dynamics, Workday, Oracle NetSuite, and Salesforce that work across different functions need appropriate BPOs to take ownership of access sign-off and of scheduling the user review or certification process.
CISOs or CIOs need a holistic access security strategy to achieve true enterprise security and to take a risk-based approach across these traditionally siloed business applications. This strategy should include aligning BPOs to own access certifications across the application landscape. Co-ordination across the application landscape is crucial to staying secure, maintaining compliance, and keeping a strong security posture.
What can you do to have a successful approach to access certification? Frank laid out a six-point roadmap on what you can do to implement a successful access certification control.
The business application landscape and access risks are constantly evolving, and so is the complexity of access certification. One-off user access reviews performed for audits are no longer sufficient to implement strong access controls. Alignment between BPOs and IT teams is crucial to maintain and schedule periodic, automated reviews of access at all levels across multiple systems.
To provide audit-ready access controls, user access data should be pushed to supervisors or business owners for review and confirmation that the access is appropriate. These regular reviews need to include periodic reports with any outliers identified, and any provisioning changes resulting from the reviews must be processed. It is also critical that the certification reports contain the appropriate level of detail, with descriptions reviewers can understand, so reviews do not become just a ‘check the box’ exercise.
Moreover, automated access certification scheduling and management, which makes it more efficient to approve and provision the right access for the right people, supports a strong overall security posture. By aligning teams and introducing automated access certifications, your organization can build a robust, continuous monitoring program. Manual access certifications can be a long process that is prone to errors and risk. Implementing an automated system reduces time spent, helps to eliminate errors, and maintains compliance.
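As an added illustration (not code from the webinar or from Fastpath’s product), the Python sketch below builds the kind of review packet described above from constructed access data: each grant across several systems is routed to the business process owner who must certify it, and outliers are flagged for that reviewer: SoD conflicts that span systems, roles with no business owner whose review would fall back to IT, and reviewers certifying access they provisioned themselves. All users, systems, roles, owners and SoD rules are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (hypothetical, not from the webinar): one row per access
# grant across several systems, recording who provisioned it.
ASSIGNMENTS = [
    {"user": "alice", "system": "ERP", "role": "AP_INVOICE_ENTRY", "granted_by": "it_admin"},
    {"user": "alice", "system": "ERP", "role": "AP_PAYMENT_RELEASE", "granted_by": "it_admin"},
    {"user": "bob", "system": "CRM", "role": "SALES_REP", "granted_by": "it_admin"},
    {"user": "bob", "system": "ERP", "role": "AR_CREDIT_MEMO", "granted_by": "it_admin"},
    {"user": "temp01", "system": "ERP", "role": "CUSTOMER_MASTER_EDIT", "granted_by": "finance_controller"},
    {"user": "carol", "system": "HR", "role": "PAYROLL_ADMIN", "granted_by": "it_admin"},
    {"user": "dave", "system": "CRM", "role": "SALES_REP", "granted_by": "it_admin"},
]

# Business process owner who must certify each role (hypothetical). PAYROLL_ADMIN
# deliberately has no owner, so its review would default to IT.
ROLE_OWNERS = {
    "AP_INVOICE_ENTRY": "ap_manager", "AP_PAYMENT_RELEASE": "ap_manager",
    "SALES_REP": "sales_director", "AR_CREDIT_MEMO": "finance_controller",
    "CUSTOMER_MASTER_EDIT": "finance_controller",
}

# SoD rules: role pairs one person must not hold together, even across systems.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "enter and release payment of an invoice",
    frozenset({"SALES_REP", "AR_CREDIT_MEMO"}): "sell to and issue credit memos for customers",
}


def build_certification(assignments, role_owners, sod_rules):
    """Route every grant to the BPO who must certify it and flag outliers for them."""
    roles_by_user = defaultdict(set)
    for a in assignments:
        roles_by_user[a["user"]].add(a["role"])
    packets = defaultdict(list)  # reviewer -> items awaiting certification
    for a in assignments:
        reviewer = role_owners.get(a["role"], "UNASSIGNED")
        flags = []
        if reviewer == "UNASSIGNED":
            flags.append("no business owner: review would fall back to IT")
        elif reviewer == a["granted_by"]:
            flags.append("reviewer provisioned this access themselves")
        for pair, risk in sod_rules.items():
            # Conflict if this role is one half of the pair and the user holds both halves.
            if a["role"] in pair and pair <= roles_by_user[a["user"]]:
                flags.append(f"SoD conflict: {risk}")
        packets[reviewer].append({**a, "flags": flags})
    return dict(packets)


def outliers(packets):
    """Only the flagged items: what each reviewer should act on first."""
    return [item for items in packets.values() for item in items if item["flags"]]
```

Each reviewer receives only the grants they own, with plain-language reasons attached, which is the level of detail the text says keeps a review from becoming a ‘check the box’ exercise.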
You can watch the full webinar below to hear more about access certifications.
Alternatively, if you want to find out more about Fastpath’s automated access certifications module, speak to one of our experts.