Optimizing Access and Audit Outcomes for a Retail Leader
The client, a leading retailer, serves millions of customers annually, with over 180 stores across Australia and a significant international presence in countries like New Zealand, Ireland, Singapore, and Malaysia.
The company sells a wide array of consumer goods, from electronics to home furnishings, in-store and online, achieving revenues exceeding AU$4 billion annually. The client is publicly traded on the Australian Stock Exchange (ASX).
For the past decade, Turnkey has played a crucial role in supporting the client’s global operations, advancing efforts to mature and strengthen IT controls and governance. The client’s Chief Internal Auditor (CIA) noted, “Turnkey is a professional company with extensive experience when it comes to GRC matters and SAP Security, bringing both tools (like SailPoint) and their knowledge to the table to deliver positive outcomes.”
Challenge
The client faced challenges in governing access risks and maintaining compliance. While the organization utilized SAP, SAP Identity Management (IdM), and Microsoft Dynamics BC for enterprise resources, they struggled with oversight of access risks, making it challenging to comply with external audit requirements. Previous engagements with Turnkey focused on implementing role-based access controls within one of the client’s SAP environments. While these efforts significantly improved access management, subsequent reviews revealed opportunities for further enhancement in addressing access risks. External audits also identified areas for attention, including refining user access levels, ensuring effective segregation of duties, and timely management of inactive accounts.
In addition, the client lacked a comprehensive access risk framework to effectively define and manage access risks. The absence of a systematic approach to access risk management left the business vulnerable to security breaches and regulatory penalties. Recognizing these issues, the client approached Turnkey for guidance on strengthening its operational integrity and compliance efforts as well as the effective tools available to enhance their monitoring capabilities. Specifically, the retailer sought solutions to streamline user access reviews and establish a robust access risk management framework tailored to their unique business requirements.
The client’s proactive CFO emphasized the need to control access to sensitive information and critical systems, crucial for mitigating fraudulent activities and maintaining compliance, while also improving the company’s overall security posture to meet both internal and external audit expectations.
Solution
To address the client’s access risk management challenges, Turnkey implemented SailPoint’s Identity Security Cloud (ISC), integrating its IdentityNow module with Active Directory, SAP, and Microsoft Dynamics Business Central (BC). This setup automated user access reviews across these systems and enabled timely revocation of access, thereby enhancing the compliance posture. The implementation also included a Privileged Access Management (PAM) function, enabling workflow-based requests for access, approvals, and reviews of critical activities.
Turnkey configured SailPoint to meet the client’s specific cybersecurity requirements, ensuring alignment with their security protocols and compliance needs. This approach addressed concerns about using an external tool by tailoring the platform to their existing infrastructure and risk management framework. One challenge was the lack of a default rule set for Microsoft Dynamics BC. To overcome this, Turnkey facilitated workshops to define the top 25 access risks, which were applied to Dynamics permission sets, allowing for the creation of tailored risk policies within SailPoint. This measure enabled continuous monitoring of sensitive access and segregation of duties within Microsoft Dynamics.
During the project, Turnkey’s collaboration with the client’s IT management and internal audit teams led to the development of distinct certification processes based on role ownership. This involved segmenting certifications by function and location, covering Australia, New Zealand, Ireland, and Northern Ireland. Turnkey used its golden ruleset to define a custom access risk ruleset for the client’s SAP S/4 environment. Additionally, custom risk rules were developed to address the unique transactions and access risks associated with the client’s customized Franchisor Accounting function. Leveraging SailPoint ISC, Turnkey provided a robust and scalable solution that enhanced the client’s access risk management capabilities and ensured compliance with internal and external audit requirements.
“We did not have the internal capability to mature our IT controls effectively, and Turnkey is now helping us leverage what we have achieved in Australia, New Zealand, and Ireland to build the same governance and control framework for our Asian based businesses.”
Results
The implementation of SailPoint’s Identity Security Cloud (ISC) has significantly transformed the client’s access management and compliance efforts.
The automation of user access reviews, along with customized risk rules, has enhanced the company’s ability to manage access risks across SAP, Microsoft Dynamics BC, and other critical systems. As a result, the client now enjoys improved governance, heightened security, and greater operational efficiency.
The newly defined certification processes have streamlined risk ownership, ensuring that access risks are effectively managed and monitored. Additionally, the company’s strengthened IT governance framework has allowed the client to meet external audit requirements with confidence, setting a solid foundation for future audit cycles and compliance obligations.
With Turnkey’s support, the client is now better equipped to mitigate security risks, protect sensitive data, and uphold regulatory standards across its international operations.
Benefits
- Optimized Security Posture and Compliance Readiness: The SailPoint ISC implementation equipped the client with a proactive, scalable solution for managing access risks, remediating excessive permissions, and reducing risk-sensitive access across its systems, thus improving compliance and operational efficiency business-wide.
- Streamlined Privileged Access Request Process and Governance: The implementation optimized the tracking of emergency access and automated on-demand requests, allowing the client to monitor and review actions that were previously managed manually. This improved governance, accountability, and overall business efficiency.
- Improved Risk Ownership: On-demand assessment of access risks enabled the client to conduct biannual reviews and distribute findings to role and risk owners for verification, fueling continuous improvement and ongoing compliance.
- Improved Visibility and Access Risk Management: The ISC tooling and custom ruleset tailored to the client’s specific needs improved visibility and management of user access within SAP as well as Microsoft Dynamics, providing a comprehensive solution to oversee and control access across all applications.