Crawford & Company BEATING THE CHALLENGES OF AUTOMATING ACCESS REVIEWS
August 19, 2013
Gretchen Hiley, Trevor Jackson, Christine Swearengin
Crawford & Company
Topics
Review Process Pre- and Post-Automation
Implementation Challenges
Lessons Learned
Post-Automation Metrics
Q&A
Access Review Process Pre-Automation
[Diagram: App Owner, IT Auditor, a group of reviewers and the External Auditor exchange files through a shared mailbox.]
1. App Owner submits Excel or txt files to mailbox
2. IT Auditor compiles files into single Excel file
3. IT Auditor sends Excel file for each reviewer to review
4. IT Auditor compiles each reviewed Excel file into single file and sends back to reviewers for final approval
5. Once Excel file is approved, IT Auditor sends to External Auditor for review/approval cycle
Access Review Process Post-Automation
[Diagram: the Application Tool, a group of reviewers, ICT Security and the External Auditor interact through a secure website.]
1. Tool compiles submitted data into application
2. All reviewers can directly access and review electronic file via secured website
3. Tool compiles reviewed data; certifications are saved within Tool, revocation list is sent to ICT Security for action
4. ICT Security confirms and revokes access as needed; Tool maintains documentation of appropriate access review
5. Tool confirms all updates are complete
6. Updated data is available to External Auditors
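The six steps above describe a data flow rather than a product. The following is an added example, not Crawford & Company's tool, of a minimal campaign engine that follows that flow: it ingests an owner-submitted extract, records each reviewer's certify/revoke decision, produces the revocation list for ICT Security, tracks confirmation of revocations, and derives escalation and completion figures of the kind shown later in the metrics slides. The extract columns, the rule that an account's manager is its reviewer, the dates and the 14-day policy window are all constructed assumptions.

```python
"""Added example, not Crawford & Company's tool: a minimal access review
campaign that follows the post-automation flow above. The extract format,
reviewer assignment rule, dates and policy window are constructed."""
import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed application extract (step 1): one row per account/entitlement,
# submitted by the application owner instead of an emailed Excel/txt file.
APP_EXTRACT = """\
application,account,entitlement,manager
GL,jsmith,post_journal,mjones
GL,jsmith,approve_payment,mjones
GL,tadams,view_reports,mjones
Claims,rlee,adjuster_admin,kchen
Claims,svc_batch,adjuster_admin,kchen
"""

Key = Tuple[str, str, str]  # (application, account, entitlement)


@dataclass
class Item:
    application: str
    account: str
    entitlement: str
    reviewer: str                     # assumption: the account's manager reviews it
    decision: Optional[str] = None    # "certify" or "revoke" once reviewed
    decided_on: Optional[date] = None

    def key(self) -> Key:
        return (self.application, self.account, self.entitlement)


@dataclass
class Campaign:
    launched: date
    due_days: int                     # policy window for the initial review
    items: List[Item] = field(default_factory=list)
    actioned: Set[Key] = field(default_factory=set)   # revocations ICT Security confirmed

    def load(self, extract: str) -> None:
        """Step 1: compile the submitted extract into review items."""
        for row in csv.DictReader(io.StringIO(extract)):
            self.items.append(Item(row["application"], row["account"],
                                   row["entitlement"], row["manager"]))

    def decide(self, reviewer: str, application: str, account: str,
               entitlement: str, decision: str, on: date) -> None:
        """Step 2: only the assigned reviewer may certify or revoke a line;
        the decision date is kept as the audit record."""
        if decision not in ("certify", "revoke"):
            raise ValueError(f"unknown decision {decision!r}")
        for it in self.items:
            if it.key() == (application, account, entitlement) and it.reviewer == reviewer:
                it.decision, it.decided_on = decision, on
                return
        raise KeyError(f"{account}/{entitlement} on {application} is not assigned to {reviewer}")

    def revocation_list(self) -> List[Key]:
        """Step 3: the list sent to ICT Security for action."""
        return [it.key() for it in self.items if it.decision == "revoke"]

    def confirm_revoked(self, key: Key) -> None:
        """Step 4: ICT Security records that an entitlement was removed."""
        if key not in self.revocation_list():
            raise KeyError(f"{key} was not on the revocation list")
        self.actioned.add(key)

    def all_updates_complete(self) -> bool:
        """Step 5: true once every revocation has been confirmed."""
        return set(self.revocation_list()) <= self.actioned

    def escalations(self, today: date) -> Dict[str, int]:
        """Reviewers holding undecided items past the policy window, mapped to
        days overdue (assumption: 'days outstanding' counts from the due date)."""
        overdue = (today - self.launched).days - self.due_days
        if overdue <= 0:
            return {}
        return {it.reviewer: overdue for it in self.items if it.decision is None}

    def metrics(self, today: date) -> Dict[str, float]:
        """Step 6 material for auditors: completion and escalation figures."""
        decided = sum(1 for it in self.items if it.decision is not None)
        esc = self.escalations(today)
        return {
            "compliance_pct": round(100.0 * decided / len(self.items), 1),
            "escalated_reviewers": len(esc),
            "avg_days_outstanding": round(sum(esc.values()) / len(esc), 1) if esc else 0.0,
        }


def run_demo() -> Campaign:
    """Constructed walkthrough of one campaign: four of five lines decided,
    one revocation confirmed, one still open at ICT Security."""
    c = Campaign(launched=date(2013, 4, 1), due_days=14)
    c.load(APP_EXTRACT)
    c.decide("mjones", "GL", "jsmith", "post_journal", "certify", date(2013, 4, 5))
    c.decide("mjones", "GL", "jsmith", "approve_payment", "revoke", date(2013, 4, 5))
    c.decide("kchen", "Claims", "rlee", "adjuster_admin", "certify", date(2013, 4, 10))
    c.decide("kchen", "Claims", "svc_batch", "adjuster_admin", "revoke", date(2013, 4, 10))
    c.confirm_revoked(("GL", "jsmith", "approve_payment"))
    return c


if __name__ == "__main__":
    camp = run_demo()
    print("revocation list:", camp.revocation_list())
    print("all updates complete:", camp.all_updates_complete())
    print("metrics:", camp.metrics(date(2013, 4, 20)))
```

Two design points matter for the audit trail the deck relies on: a decision is only accepted from the reviewer the line was assigned to, and a revocation is only marked complete when ICT Security confirms it, so "all updates complete" cannot be reported while a revocation is still pending.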
Implementation Challenges
Status quo – past culture and attitude.
Staff turnover pre- and post-implementation.
No formal access review policy.
Significant effort to collect accounts, define access reviews and resolve issues.
Cross-functional, enterprise-wide effort and commitment.
Achievable Steps for Success
Manageable scope
Clear Access Review Policy
Management Buy-In
Documentation of Decisions
Testing
User Awareness & Training
Support at each review launch
Manageable Scope
Consider the size of the company.
Consider a phased deployment approach.
Prioritize the element(s) to be reviewed:
- User access to network
- User access to application(s)
- User authority to approve and generate financial transactions
User authority to approve and generate financial transactions
Don’t forget privileged access to infrastructure!
Clear Access Review Policy
Establish time frame for initial review.
Establish time frame for any escalation(s).
Ensure cooperation and “buy-in” of senior management.
Establish and communicate consequences of delinquent reviews.
Management Buy-In
Application owners’ input is critical for:
- Defining review scope and reviewers
- Reminding reviewers of outstanding reviews
- Providing assistance to reviewers
- Processing access removal requests
Executive Management’s support is critical for establishing tone at the top.
Documentation of Decisions
Document scope of reviews including rationale for any exclusions
Document parties responsible for various activities:
- Collecting accounts and entitlements
- Reviewing user access
- Escalating incomplete reviews
- Creating and updating the review structure
- Enforcing the review completion policy
Document how review data is populated:
- Files used, including file type
- Query language and source being queried
Testing
Define access reviews.
Remove access upon request.
Notify and remind reviewers of outstanding access reviews.
Test, test and test again in non-production.
User Awareness & Training
Take advantage of every opportunity for exposure
Communicate through multiple media forms:
- Email
- Web-based training
- Shared PDF of instructions
- Contact person for question resolution
Support at Access Review Launch
Questions from reviewers.
Data collectors / files may fail.
Errors may occur with review components.
Summary of review status for escalation purposes.
Additional Considerations
Test the completeness of identity source.
Determine completeness of requirements for access reviews.
Account for new in-scope applications (e.g., externally hosted applications).
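The three checks above are the ones most easily automated before a review is launched. The following added example (not from the deck or Crawford & Company's tool) reconciles owner-submitted account extracts against the identity source: accounts with no owning identity cannot be assigned a reviewer, accounts owned by an inactive identity are leavers who still hold access, and an application the review policy does not yet cover (for instance a newly hosted one) is flagged rather than silently included. The identity feed, the account columns, the status values and the in-scope application set are all constructed assumptions.

```python
"""Added example, not from the deck: reconcile application account extracts
against the identity source before a review is launched. All data, columns,
status values and the in-scope application set are constructed."""
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed identity source (e.g. an HR feed): one row per person.
IDENTITY_SOURCE = """\
user_id,status,manager
jsmith,active,mjones
tadams,terminated,mjones
rlee,active,kchen
"""

# Constructed account extracts as submitted by application owners.
APP_ACCOUNTS = """\
application,account
GL,jsmith
GL,tadams
Claims,rlee
Claims,svc_batch
Hosted-CRM,jsmith
"""

Finding = Tuple[str, str]  # (application, account)


def load_identities(text: str) -> Dict[str, Dict[str, str]]:
    """Index the identity source by user id."""
    return {row["user_id"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(identities: Dict[str, Dict[str, str]], accounts_text: str,
              in_scope_apps: Set[str]) -> Dict[str, List[Finding]]:
    """Classify every account that would otherwise enter a review unchecked.

    orphan:            no identity owns the account, so no reviewer can be derived
    inactive_identity: the identity exists but is not active (a leaver with access)
    out_of_scope_app:  the extract names an application the review policy does
                       not cover yet (e.g. a newly hosted application)
    """
    findings: Dict[str, List[Finding]] = {
        "orphan": [], "inactive_identity": [], "out_of_scope_app": []}
    for row in csv.DictReader(io.StringIO(accounts_text)):
        app, account = row["application"], row["account"]
        if app not in in_scope_apps:
            findings["out_of_scope_app"].append((app, account))
            continue
        ident = identities.get(account)
        if ident is None:
            findings["orphan"].append((app, account))
        elif ident["status"] != "active":
            findings["inactive_identity"].append((app, account))
    return findings


def coverage(identities: Dict[str, Dict[str, str]], accounts_text: str,
             in_scope_apps: Set[str]) -> float:
    """Share of in-scope accounts that map to an active identity; anything
    below 100% means the review would launch with unreviewable lines."""
    rows = [r for r in csv.DictReader(io.StringIO(accounts_text))
            if r["application"] in in_scope_apps]
    ok = sum(1 for r in rows
             if identities.get(r["account"], {}).get("status") == "active")
    return round(100.0 * ok / len(rows), 1) if rows else 100.0


if __name__ == "__main__":
    ids = load_identities(IDENTITY_SOURCE)
    for kind, hits in reconcile(ids, APP_ACCOUNTS, {"GL", "Claims"}).items():
        print(f"{kind}: {hits}")
    print("coverage:", coverage(ids, APP_ACCOUNTS, {"GL", "Claims"}), "%")
```

Orphan and inactive-identity findings are handed to the application owner before launch, since the campaign cannot derive a reviewer for them; the out-of-scope list is the trigger for updating the review policy rather than for quietly widening the campaign.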
Access Review Metrics
[Chart: Access Review Metrics by quarter (2012 Q3, 2012 Q4, 2013 Q1, 2013 Q2). Series: Total No. Escalated Reviewers; Avg. # Days Outstanding. Y-axis 0 to 70. Data labels recovered from the extraction, in the order they appeared and not assignable to a series or quarter with certainty: 0, 60, 31, 35, 40, 27, 16, 8.]
Persistence Pays Off!
[Chart: Compliance Achieved by quarter (Q3 2012, Q4 2012, Q1 2013, Q2 2013). Y-axis 70% to 100%.]
Conclusion
Q&A