Last week we looked at issues around managing emergency access to systems. This week I discuss the third major concern around managing access risk: taking a piecemeal approach that does not address the ongoing risk.
Reactive and fragmented approach to managing risk resulting in recurring audit issues
Clients typically fall into 3 levels of maturity around managing access risk:
1. No process: The auditors deliver their report and the client addresses the issues that existed on that day, which is only a short-term, band-aid fix. It is reactive and does not constitute a process.
2. Manual process: Many companies manage their SoDs (segregation of duties conflicts) by extracting data from SAP and manipulating it in spreadsheets. What's wrong with doing this?
- As soon as the data is extracted it is out of date
- It is subject to human intervention and is therefore error prone (or worse, manipulation)
- It is very time consuming and not easily repeatable, and it may not capture all risks
- Auditors will generally not rely on it, for the reasons above
- Unless the process can be repeated continuously, access issues will creep back into the system over time
3. Automated process: By having a central repository of agreed access risk rules, management of these risks becomes transparent. This enhances collaboration by providing a common language between the business (who typically do not have enough technical understanding) and IT (who often don't understand the risks in a business context).
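To make the third level concrete, here is a small added example (not Turnkey's tooling, nor code from any client) of what a central, repeatable rule check looks like: conflict rules pair two business functions, each function is defined by the transactions that grant it, and every user's effective transactions across all assigned roles are tested against the rules. The role names, assignments and the mapping of SAP transaction codes to functions are constructed sample data, and a real rule set would also test authorization objects rather than transaction codes alone.

```python
# Minimal automated SoD check: users' effective transactions are tested
# against a central rule set. All data below is constructed sample data.
from typing import Dict, List, Set, Tuple

# Business functions as the SAP transaction codes that grant them
# (constructed; a real rule set would also test authorization objects).
FUNCTIONS: Dict[str, Set[str]] = {
    "maintain_vendor_master": {"FK01", "FK02", "XK01"},
    "post_vendor_payment": {"F-53", "F110"},
    "create_purchase_order": {"ME21N", "ME22N"},
    "post_goods_receipt": {"MIGO"},
    "maintain_users": {"SU01"},
    "maintain_roles": {"PFCG"},
}
# (risk id, function A, function B): holding both is a conflict.
RULES: List[Tuple[str, str, str]] = [
    ("P2P-01", "maintain_vendor_master", "post_vendor_payment"),
    ("P2P-02", "create_purchase_order", "post_goods_receipt"),
    ("BASIS-01", "maintain_users", "maintain_roles"),
]
# Constructed role grants and assignments; note that alice's conflict only
# appears in the union across her two roles, not in either role alone.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_BUYER": {"ME21N"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
}
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "bob": ["Z_BUYER"],
    "carol": ["Z_BASIS_ADMIN"],
}

def effective_tcodes(roles: List[str], role_tcodes: Dict[str, Set[str]]) -> Set[str]:
    """Union of transactions across every role assigned to a user."""
    return set().union(*(role_tcodes.get(r, set()) for r in roles))

def find_conflicts(tcodes: Set[str]) -> List[str]:
    """Ids of rules whose two functions are both reachable from tcodes."""
    return [rid for rid, a, b in RULES
            if tcodes & FUNCTIONS[a] and tcodes & FUNCTIONS[b]]

def check_all_users(assignments, role_tcodes) -> Dict[str, List[str]]:
    """Every user mapped to their conflicts; an empty list means clean."""
    return {u: find_conflicts(effective_tcodes(r, role_tcodes))
            for u, r in assignments.items()}
```

Because the rules and the check live in one place and run unchanged against fresh extracts, re-running it on a schedule is what stops the conflicts from creeping back unnoticed.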
About Turnkey
Turnkey Consulting is helping to make the world a safer place to do business by specialising its expertise across Integrated Risk Management, Identity and Access Management, and Cyber and Application Security. We provide business consulting, technology implementation and managed services to help customers safeguard their application environments - protecting critical ERPs (such as SAP, Oracle and MS Dynamics) and wider enterprise systems.