Confidential & Proprietary

Segregation of Duties: Beyond Provisioning to Real-Time Access Management

Mark Stebelton, CPA, Sr. Product Manager

January 17, 2007


Page 1: Title slide

Segregation of Duties: Beyond Provisioning to Real-Time Access Management

Mark Stebelton, CPA, Sr. Product Manager

January 17, 2007

Page 2: Overview

The current notion of Segregation of Duties (SOD) is insufficient to meet its original intent and remain a viable option in today’s environment of more efficient and effective business process requirements. In reality a more holistic approach to address overall access management is necessary. This holistic approach is also known as corporate governance.

Page 3: Agenda

– SOD Definition
– Access Control Lifecycle
  • Detection
  • Prevention
– SOD – A Fallacy in Reality
– A Holistic Approach

Page 4: Segregation of Duties

A significant compliance challenge for companies large and small…

Page 5: Segregation of Duties

Objective of SOD: help reduce to a reasonable level the risk that…

– Material Misstatements occur in the Financial Statements; and

Page 6: Segregation of Duties

Objective of SOD: help reduce to a reasonable level the risk that…

– Fraudulent, Malicious or Erroneous Code or Data Changes are made in IT

(Image caption: The Cowboy Coder)

Page 7: Segregation of Duties

Definition of SOD

– Wikipedia: "...is the concept of having more than one person required to complete a task"

– ISACA: "A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals"

Note: ISACA – Information Systems Audit and Control Association

Page 8: Segregation of Duties

SOD Classifications (Audit Examination Categories)

– Authorization: reviewing and approving transactions or operations

– Custody: having access to or control over any physical asset such as cash, checks, equipment, supplies, or materials

– Record Keeping: creating and maintaining records of revenues, expenditures, inventories, and personnel transactions

– Reconciliation: verifying the processing or recording of transactions to ensure that all transactions are valid, properly authorized and properly recorded on a timely basis. This includes following up on any differences or discrepancies identified.

Page 9: Segregation of Duties Challenges

In an ideal system, no one individual has access to two or more critical phases of a given transaction.

Initially the questions that are asked are:

1. How do I know what conflicts exist?
2. How do I clean them up?
3. How do I maintain the environment?

Page 10: Segregation of Duties Challenges

Manual methods are labor-intensive, incomplete and error-prone. (Read: costly and risky)

Automated methods have been limited:

– Monitoring (aka Detective): Identify SoD violations after the fact and report on them.
  * Remediation still required

– Provisioning (aka Preventive): Intercept the user provisioning process and disallow the user from having conflicting responsibilities.
  * Complete SoD is impossible
  * Application SoD is too high-level (breakdown by responsibility and function)

Page 11: Access Control Lifecycle

Diagram: a lifecycle running along a Detection-to-Prevention axis through the stages Conflict Analysis, Compensating Controls, Manage SOD Controls, Remediation (Clean-up) and Prevention/Provisioning, annotated with the following steps:

1. Define SOD conflict business rules
   Ex. Enter Receipt Function vs Sales Order Function

2. SOD analysis engine that understands the application's detailed access architecture
   Ex. Oracle's function level, exclusions

3. Faster, easier remediation and analysis via pre-packaged reports and what-if simulation
   Ex. Conflict impact of removing a function from a menu

4. Real-time enforcement of SOD controls during user provisioning
   Ex. Hold access requests until conflict approval requests are addressed

5. Flexibility to handle exceptions through compensating process and transaction analysis controls
   Ex. Reason codes, emergency access/auditing and form controls

Page 12: Access Control Lifecycle – Detection Attributes

– Occurs AFTER access has been allowed. These are conflicts that currently exist.
– Identification of conflicts based on defined business rules requiring approval action
– Cleanup managed based on organizational needs, compensating controls, etc.
– Compensating controls needed where conflicts are required
– Risk exists with pre-cleanup access

Page 13: Access Control Lifecycle (the Page 11 lifecycle diagram and its five steps, repeated)

Page 14: Access Control Lifecycle – Simplified Prevention Flow

Flowchart elements:

– User Submits Access Request
– IT Creates User Responsibility (End Dated)
– Conflict Analysis Performed: analysis based on pre-established conflict rules
– Approval Workflow for Access Authorization
– Accept? YES: User Access Granted; NO: User Access Denied
– Documentation of Process (Authorization/Rejection)
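As an added example (not code from the presentation or from any product it describes), the function-level conflict engine of Page 11 and the hold-at-provisioning step of the Page 14 flow in Python: rules are defined at function level, responsibilities expose functions minus exclusions, a detective pass lists existing conflicts, a preventive pass holds a request that would introduce one, and a what-if pass simulates removing a function from a menu. Rule, responsibility and user names are constructed.

```python
# Added example: a minimal function-level SOD engine over constructed data.

# 1. SOD conflict business rules, defined at the application's function level.
#    frozenset so "Enter Receipt vs Sales Order" matches in either order.
CONFLICT_RULES = {
    frozenset({"Enter Receipt", "Sales Order"}),
    frozenset({"Create Supplier", "Enter Invoice"}),
}

# 2. The access architecture the engine must understand: each responsibility
#    exposes functions through its menu, minus explicit function exclusions.
RESPONSIBILITIES = {
    "AR Clerk":      {"menu": {"Enter Receipt", "Customer Inquiry"}, "exclude": set()},
    "Order Entry":   {"menu": {"Sales Order", "Customer Inquiry"},   "exclude": set()},
    "AP Super User": {"menu": {"Create Supplier", "Enter Invoice"},  "exclude": {"Create Supplier"}},
}

def effective_functions(resp_map, resps):
    """Functions a user can actually reach through the given responsibilities."""
    reachable = set()
    for r in resps:
        reachable |= resp_map[r]["menu"] - resp_map[r]["exclude"]
    return reachable

def conflicts(resp_map, resps):
    """Detective check: every conflict rule fully satisfied by this access."""
    funcs = effective_functions(resp_map, resps)
    return sorted(tuple(sorted(rule)) for rule in CONFLICT_RULES if rule <= funcs)

def provisioning_decision(resp_map, current, requested):
    """Preventive check at request time: a request that would introduce a new
    conflict is held until the conflict approval request is addressed."""
    before = set(conflicts(resp_map, current))
    after = set(conflicts(resp_map, current | {requested}))
    return "HOLD_FOR_CONFLICT_APPROVAL" if after - before else "GRANT"

def simulate_remove_function(resp_map, resp, function, users):
    """What-if simulation: conflict impact, per user, of removing a function
    from a responsibility's menu, without touching the live definitions."""
    trial = dict(resp_map)
    trial[resp] = {"menu": resp_map[resp]["menu"] - {function},
                   "exclude": resp_map[resp]["exclude"]}
    return {user: conflicts(trial, resps) for user, resps in users.items()}

# Constructed users for the detective pass.
USERS = {"alice": {"AR Clerk", "Order Entry"}, "bob": {"AP Super User"}}

if __name__ == "__main__":
    for user, resps in USERS.items():
        print(user, conflicts(RESPONSIBILITIES, resps))
    print(provisioning_decision(RESPONSIBILITIES, {"AR Clerk"}, "Order Entry"))
    print(simulate_remove_function(RESPONSIBILITIES, "Order Entry", "Sales Order", USERS))
```

Note that bob shows no conflict only because "Create Supplier" is excluded from his responsibility, which is why the engine must evaluate exclusions rather than menus alone.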

Page 15: Access Control Lifecycle – Prevention Attributes

– Occurs PRIOR to access being allowed. This doesn't mean a conflict won't be allowed.
– Real-time management of access
– Access requests compared to pre-established business rules and subject to approval
– Authorizations (Approvals/Rejections) managed based on organizational needs, compensating controls, etc.
– Least amount of risk

Page 16: SOD – A Fallacy in Reality

Why is pure SOD a fallacy?

– Underlying attribute is RESTRICTION
  • Separation of 4 classifications (Authorization, Custody, Recordkeeping and Reconciliation)

– Requirements are too EXPENSIVE
  • Increased personnel requirements (and related costs)
    – HR: Hiring, training, etc.
    – Operations: Office space, parking, etc.
    – IT: User management, SOD analysis and management

– Application is too INEFFICIENT
  • Hand-off coordination
  • Knowledge transfer

Page 17: Interim Recap

– Objectives of SOD are VALID
– Current approaches to SOD include detective and preventive measures
– These measures alone are NOT a viable, long-term solution

So What's the Answer?

Page 18: A Holistic Approach – What is Application Governance?

Diagram of three control families:

– Access Controls: controlling what users can do
– Process Controls: managing how they do it
– Monitor Controls: reviewing what they have done

Page 19: A Holistic Approach – Application Governance Components

– Prevention
– Detection
– Access Monitoring (Emergency Access)
– Transaction Analysis
– Process Controls

Page 20: A Holistic Approach – Process/Change Controls

What they do

– Enforce policies for interacting with forms, fields or configuration setups
  • Disable or hide key data elements
  • Restrict updates to specific values, formats or off-limits

– Identify and process exceptions
  • Route for approval
  • Require specific documentation or handling codes

Why they're needed

– Standard application security is not granular enough and doesn't consider the context of the transaction

Page 21: A Holistic Approach – Process Control Options

– Hide fields and buttons; prevent updating
– Disable checkboxes, change field names, or change date formats
– Validate data and require consistency; force data to upper case
– Require approval cycles based on conditions (e.g., a threshold is exceeded)
– Call out to a sub-application for special processing (e.g., generation of a unique ID)

Examples

– Require approvals for Credit Memos over $5,000
– Prevent updating of Credit Limits for customers that are currently on a credit hold
– Restrict ability to change key setups and require change routing approvals

Page 22: A Holistic Approach – Access Monitoring (Emergency Access)

Provision of access that is:

– Allowed for support purposes
– Short-term in nature (time based)
– One-time or recurring
– In possible conflict with SOD business rules
– At either the Application or Database level

Mitigating Controls

– Approval requirements
– Audit capture of activities for review

Page 23: A Holistic Approach – Transaction Analysis

Argument of True Risk

– Not that resources COULD commit fraud or errors
– But that resources DID commit fraud or errors

Analysis based on defined variables

– Ex. Purchase invoices exist by the same creator as the supplier (SOD conflict)
– Ex. Invoice creator different from approver, but the combination exceeds a statistical value (pattern analysis)

Compensating control when SOD potential exists
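As an added example (not code from the presentation), the two transaction-analysis variables above run over constructed AP records in Python: invoices entered by the user who created the supplier are an SOD conflict that actually occurred, and creator/approver pairs that recur more often than a configured count stand in for the "statistical value" of the pattern-analysis case. Record fields, names and the pair threshold are assumptions.

```python
# Added example: detective transaction analysis over constructed AP data.
from collections import Counter

# Constructed sample records: who created each supplier and each purchase invoice.
SUPPLIERS = {"S100": "alice", "S200": "bob"}
INVOICES = [
    {"id": "INV-1", "supplier": "S100", "creator": "alice", "approver": "carol"},
    {"id": "INV-2", "supplier": "S200", "creator": "dave",  "approver": "carol"},
    {"id": "INV-3", "supplier": "S200", "creator": "dave",  "approver": "carol"},
    {"id": "INV-4", "supplier": "S200", "creator": "dave",  "approver": "carol"},
    {"id": "INV-5", "supplier": "S100", "creator": "erin",  "approver": "frank"},
    {"id": "INV-6", "supplier": "S200", "creator": "frank", "approver": "frank"},
]

def supplier_creator_conflicts(invoices, suppliers):
    """SOD conflict that DID happen: a purchase invoice entered by the same
    user who created the supplier it pays."""
    return [inv["id"] for inv in invoices
            if suppliers.get(inv["supplier"]) == inv["creator"]]

def self_approved(invoices):
    """Creator and approver are the same person: no separation at all."""
    return [inv["id"] for inv in invoices if inv["creator"] == inv["approver"]]

def pair_pattern_flags(invoices, max_pair_count):
    """Pattern analysis: creator/approver pairs that are different people but
    recur more often than the configured value (assumed stand-in for the
    slide's 'statistical value')."""
    pairs = Counter((inv["creator"], inv["approver"]) for inv in invoices
                    if inv["creator"] != inv["approver"])
    return sorted(pair for pair, n in pairs.items() if n > max_pair_count)

def analyze(invoices, suppliers, max_pair_count=2):
    """One detective run producing the three finding classes for review."""
    return {
        "sod_conflicts": supplier_creator_conflicts(invoices, suppliers),
        "self_approved": self_approved(invoices),
        "pattern_flags": pair_pattern_flags(invoices, max_pair_count),
    }

if __name__ == "__main__":
    print(analyze(INVOICES, SUPPLIERS))
```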

Page 24: Example: Posting a Bad Debt

Diagram: a two-step flow, ENTER Bad-Debt Account followed by POST Bad-Debt Approval, writing to the Bad Debt Ledger. The roles shown are Financial Clerk (Entry), Financial Supervisor (Post) and Financial Controller (Post), with these controls attached along the flow:

– Enforce SOD between Entry and Post
– Limit on entry amount
– Only certain accounts
– Approve entries over threshold
– Require approval if near close
– Monitor all entries over time period
– Reportable Event Risk: flag pending reportable events
– OK: the path taken when the controls pass
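As an added example (not code from the presentation), the bad-debt posting controls of this slide as runnable checks in Python, which also covers the condition-based approval cycles of Page 21: entry-time process controls (permitted accounts, entry limit), post-time SOD and approvals (supervisor always; controller over a threshold or near period close), and a monitor control over the period's entries. Account codes, limits, the close window, dates and the reportable-event level are constructed assumptions.

```python
# Added example: Page 24 bad-debt posting controls over constructed entries.
from datetime import date

BAD_DEBT_ACCOUNTS = {"6100-BAD-DEBT"}  # "Only certain accounts" (assumed code)
ENTRY_LIMIT = 10_000                   # "Limit on entry amount" (assumed)
APPROVAL_THRESHOLD = 2_500             # "Approve entries over threshold" (assumed)
CLOSE_WINDOW_DAYS = 3                  # "Require approval if near close" (assumed)
PERIOD_END = date(2007, 1, 31)         # assumed period close date
REPORTABLE_TOTAL = 20_000              # assumed reportable-event level

def entry_problems(entry):
    """Process controls at ENTER time (Financial Clerk): account and amount."""
    problems = []
    if entry["account"] not in BAD_DEBT_ACCOUNTS:
        problems.append("account not permitted for bad-debt entry")
    if entry["amount"] > ENTRY_LIMIT:
        problems.append("amount exceeds entry limit")
    return problems

def approvals_required(entry):
    """Approvals needed before POST: the Financial Supervisor always (SOD),
    the Financial Controller when over threshold or near period close."""
    needed = {"Financial Supervisor"}
    near_close = (PERIOD_END - entry["entered_on"]).days <= CLOSE_WINDOW_DAYS
    if entry["amount"] > APPROVAL_THRESHOLD or near_close:
        needed.add("Financial Controller")
    return needed

def can_post(entry, poster, approvals):
    """Enforce SOD at POST time: the person who entered cannot post, the
    entry must pass its controls, and every required approval must be present."""
    if poster == entry["entered_by"] or entry_problems(entry):
        return False
    return approvals_required(entry) <= approvals

def monitor_period(entries):
    """Monitor control: total the period's entries and flag a pending
    reportable event once 80% (assumed) of the reportable level is reached."""
    total = sum(e["amount"] for e in entries)
    return {"total": total, "flag_pending_reportable": total >= 0.8 * REPORTABLE_TOTAL}

# Constructed entries: one mid-period, one two days before close.
ENTRY_SMALL = {"account": "6100-BAD-DEBT", "amount": 1_000, "entered_by": "clerk",
               "entered_on": date(2007, 1, 10)}
ENTRY_LATE = {"account": "6100-BAD-DEBT", "amount": 1_000, "entered_by": "clerk",
              "entered_on": date(2007, 1, 29)}

if __name__ == "__main__":
    print(can_post(ENTRY_SMALL, "supervisor", {"Financial Supervisor"}))
    print(approvals_required(ENTRY_LATE), monitor_period([ENTRY_SMALL, ENTRY_LATE]))
```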

Page 25: The Access Management Spectrum

Diagram: a spectrum whose columns are Assessment, Remediation, Real-time Prevention and Monitoring, with rows for the Implementation Process, Access-level Detection, Transaction-level Detection, Access-level Prevention and Transaction-level Prevention, and Operational Efficiency as the axis. Elements placed along it: Conflict Matrix, Exception-Based Reporting, Simulation, Responsibility Refactoring, Embedded Access Controls, Workflow/Approvals, Compensating Controls, Access Policy.

Page 26: Summary

– SOD exists to reduce the risk of material misstatements, fraud and error

– SOD in its purest sense is not realistic
  • Too restrictive
  • Too expensive
  • Too inefficient

– Best approach is holistic (Application Governance)
  • Prevent current and future conflicts when possible
  • Detect existing conflicts and analyze appropriateness
  • Manage application activities with form, field and configuration controls
  • Monitor Emergency Access
  • Analyze transactions