Access Management: Going beyond SoD rules
Managing Segregation of Duties (SoD) is not enough on its own to establish an ethos of good practice and build a firm foundational control environment. Most organizations routinely perform user access reviews, which verify whether users have appropriate access to the processes and programs required for their roles and responsibilities. Although the procedures used to monitor and verify user access vary, a review should be carried out at least annually to reduce organizational risk. Such a review should address the following:
Inactive User Identification
Critical Process Access Validation
Alignment of Business Process Access with Job Responsibilities
Confirmation of Appropriate Sensitive Data Access
Review of Segregation of Duties Conflicts and Implemented Mitigating Controls
Assessment of Change Management Processes and Confirmation of Compliance
Failing to de-provision access that was granted over time or for short-term needs, and is no longer required, is one of the most significant reasons employees end up with unintended access. Responsibility for periodically verifying that access remains appropriate rests with the relevant system and/or business owners.
These reviews require cooperation between those who define the organization's risk appetite, those who understand current business processes and user job responsibilities, and those with system expertise. The individuals involved must understand the significance of the review and be properly trained for it.
ALLOut Tip
Always start the user access review by removing inactive users who no longer need to be in the system; this avoids wasted effort in each subsequent step. Similarly, perform the critical process access validation before the Segregation of Duties review, so that you do not spend time remediating or mitigating conflicts in access that is not actually needed. Critical process access reviews are most commonly completed by reviewing the users who hold critical roles, or by taking the list of programs that provide access to each critical process and reporting on the users who can run them. When deciding which critical processes to include, do not forget inquiry or report access over confidential or protected data, such as employee personal information.
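The review order the tip describes, as an added worked example (this is not ALLOut code and not a JD Edwards query): inactive users are removed first, critical process access is reported second, and SoD rules are evaluated only over the access that remains. The users, roles, role-to-program mappings, program IDs, SoD rules, mitigating controls and 90-day inactivity threshold are all constructed assumptions for illustration.

```python
"""User access review in the order the tip recommends (added example).

Step 1 removes inactive users, step 2 reports critical process access,
step 3 evaluates SoD rules only over the access that survives step 1.
Everything below is constructed: the users, roles, program-to-role
mappings, SoD rules and the 90-day inactivity threshold are assumptions
for illustration, not an ALLOut or JD Edwards data set.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 5, 10)          # "as of" date for the review
MAX_IDLE_DAYS = 90                        # assumed inactivity threshold

# Constructed sample data. Keys are user IDs; values are (last login, job title).
USERS = {
    "JSMITH":   (date(2024, 5, 1),  "AP Clerk"),
    "AJONES":   (date(2023, 9, 14), "Buyer"),          # no login for months
    "RPATEL":   (date(2024, 5, 3),  "Payroll Analyst"),
    "SVCBATCH": (date(2024, 5, 4),  "Batch service account"),
}
USER_ROLES = {
    "JSMITH":   {"AP_ENTRY", "AP_PAY"},
    "AJONES":   {"PO_ENTRY", "PO_APPROVE"},
    "RPATEL":   {"HR_INQ"},
    "SVCBATCH": {"BATCH"},
}
# Hypothetical role-to-program mapping (which programs a role can run).
ROLE_PROGRAMS = {
    "AP_ENTRY":   {"P0411"},    # voucher entry
    "AP_PAY":     {"P04570"},   # payment run
    "PO_ENTRY":   {"P4310"},    # purchase order entry
    "PO_APPROVE": {"P43081"},   # purchase order approval
    "HR_INQ":     {"P0801"},    # employee master inquiry: protected data
    "BATCH":      {"R04570"},   # batch payment report
}
# Critical processes: the inquiry program over employee data is deliberately included.
CRITICAL_PROGRAMS = {"P04570", "P0801"}
# SoD rules: (rule id, program set A, program set B); holding both sides is a conflict.
SOD_RULES = [
    ("SOD-AP-01", {"P0411"}, {"P04570"}),   # enter vouchers and pay them
    ("SOD-PO-01", {"P4310"}, {"P43081"}),   # create and approve purchase orders
]
# Conflicts that already have a documented, reviewed mitigating control.
MITIGATING_CONTROLS = {("JSMITH", "SOD-AP-01")}


def inactive_users(users, as_of=REVIEW_DATE, max_idle_days=MAX_IDLE_DAYS):
    """Step 1: users whose last login is older than the threshold."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(user for user, (last_login, _) in users.items() if last_login < cutoff)


def effective_access(user_roles, role_programs, exclude=()):
    """Expand user -> roles -> programs, skipping users listed in `exclude`."""
    access = {}
    for user, roles in user_roles.items():
        if user in exclude:
            continue
        access[user] = set().union(*(role_programs.get(r, set()) for r in roles))
    return access


def critical_access(access, critical=CRITICAL_PROGRAMS):
    """Step 2: users who can run any critical program, with those programs."""
    return {user: sorted(progs & critical) for user, progs in access.items() if progs & critical}


def sod_conflicts(access, rules=SOD_RULES, mitigated=MITIGATING_CONTROLS):
    """Step 3: (user, rule id, mitigated?) for every rule a user violates."""
    findings = []
    for user, progs in access.items():
        for rule_id, side_a, side_b in rules:
            if progs & side_a and progs & side_b:
                findings.append((user, rule_id, (user, rule_id) in mitigated))
    return findings


def run_review(as_of=REVIEW_DATE):
    """Run the three steps in order and return the findings of each."""
    stale = inactive_users(USERS, as_of)
    access = effective_access(USER_ROLES, ROLE_PROGRAMS, exclude=stale)
    return {
        "inactive": stale,
        "critical": critical_access(access),
        "sod": sod_conflicts(access),
    }


if __name__ == "__main__":
    result = run_review()
    print("Inactive users to remove:", result["inactive"])
    print("Critical process access:", result["critical"])
    for user, rule_id, ok in result["sod"]:
        print(f"SoD {rule_id} on {user}: {'mitigated' if ok else 'UNMITIGATED'}")
```

With this data the stale buyer AJONES holds both sides of the purchase-order rule; because step 1 removes the account, that conflict never reaches the SoD step and nobody spends time documenting a mitigating control for access that should simply be revoked. Running `sod_conflicts` over the unfiltered access shows the extra finding the ordering avoids.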
If you would like to learn more about user access reviews, watch our on-demand webinar, Managing User Access in JD Edwards.