Last week we looked at issues around managing emergency access to systems. This week I discuss the third major concern around managing access risk which is taking a piecemeal approach which does not address the ongoing risk.
Reactive and fragmented approach to managing risk resulting in recurring audit issues
Clients typically fall into 3 levels of maturity around managing access risk;
1. No process: The auditors will deliver their report and the client will address the issues which existed on that day which is only a short-term, band-aid fix. It is reactive and doesn’t constitute a process.
2. Manual process: Many companies manage their SoD's by extracting data from SAP and manipulating it in spreadsheets. What's wrong with doing this?
- As soon as it is extracted it is out of date
- It is subject to human intervention and is therefore error prone (or worse, manipulation)
- It is very time consuming and not easily repeatable! May not capture all risks.
- Auditors will not generally rely on this for the above reasons
- Unless a process is able to be repeated continuously access issues will creep back into the system over time
3. Automated process: By having a central repository of agreed access risk rules, management of these risks becomes transparent. This enhances the collaboration by providing a common language between the business (who typically do not have enough technical understanding) and IT (who often don’t understand the risks in a business context).