TRANSCRIPT
Confidential & Proprietary
Segregation of Duties:
Beyond Provisioning to Real-Time Access Management
Mark Stebelton, CPA, Sr. Product Manager
January 17, 2007
Overview
The current notion of Segregation of Duties (SOD) is insufficient to meet its original intent and remain a viable option in today’s environment of more efficient and effective business process requirements. In reality a more holistic approach to address overall access management is necessary. This holistic approach is also known as corporate governance.
Agenda
– SOD Definition
– Access Control Lifecycle
  • Detection
  • Prevention
– SOD – A Fallacy in Reality
– A Holistic Approach
Segregation of Duties
A significant compliance challenge for companies large and small…
Segregation of Duties
Objective of SOD: help reduce to a reasonable level the risk that…
– Material Misstatements occur in the Financial Statements; and
– Fraudulent, Malicious or Erroneous Code or Data Changes are made in IT (The Cowboy Coder)
Segregation of Duties
Definition of SOD
– Wikipedia: ”...is the concept of having more than one person required to complete a task”
– ISACA: ”A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals”
Note: ISACA – Information Systems Audit and Control Association
Segregation of Duties
SOD Classifications (Audit Examination Categories)
– Authorization: reviewing and approving transactions or operations
– Custody: having access to or control over any physical asset such as cash, checks, equipment, supplies, or materials
– Record Keeping: creating and maintaining records of revenues, expenditures, inventories, and personnel transactions
– Reconciliation: verifying the processing or recording of transactions to ensure that all transactions are valid, properly authorized and properly recorded on a timely basis. This includes following up on any differences or discrepancies identified.
Segregation of Duties Challenges
In an ideal system, no one individual has access to two or more critical phases of a given transaction.
Initially the questions that are asked are:
1. How do I know what conflicts exist?
2. How do I clean them up?
3. How do I maintain the environment?
Segregation of Duties Challenges
Manual methods are labor-intensive, incomplete and error-prone. (Read: costly and risky)
Automated methods have been limited:
– Monitoring (aka Detective): Identify SoD violations after the fact and report on them.
  • Remediation still required
– Provisioning (aka Preventive): Intercept the user provisioning process and disallow the user from having conflicting responsibilities.
  • Complete SoD is impossible
  • Application SoD is too high-level (breakdown by responsibility and function)
Access Control Lifecycle
[Lifecycle diagram: stages Conflict Analysis, Remediation (Clean-up), Compensating Controls and Manage SOD Controls, spanning Detection and Prevention (Provisioning)]
1. Define SOD conflict business rules
   Ex. Enter Receipt Function vs Sales Order Function
2. SOD analysis engine that understands application’s detailed access architecture
   Ex. Oracle’s function level, exclusions
3. Faster, easier remediation and analysis via pre-packaged reports and what-if simulation
   Ex. Conflict impact of removing a function from a menu
4. Real-time enforcement of SOD controls during user provisioning
   Ex. Hold access requests until conflict approval requests are addressed
5. Flexibility to handle exceptions through compensating process and transaction analysis controls
   Ex. Reason codes, emergency access/auditing and form controls
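An added example, not part of the presentation: a small Python engine that applies the numbered steps above at the application's function level. The conflict rules, menus, responsibilities and user names are constructed assumptions, not any product's data model.

```python
# Added example (not from the presentation): a minimal function-level SOD
# conflict engine with exclusions, what-if simulation of removing a function
# from a menu, and a provisioning check that holds conflicting requests.
# Rule names, menus, responsibilities and users are constructed sample data.
# 1. SOD conflict business rules: pairs of functions one person must not hold.
CONFLICT_RULES = {
    frozenset({"Enter Receipt", "Sales Order"}): "Receipt vs Sales Order",
    frozenset({"Create Supplier", "Enter Invoice"}): "Supplier vs Invoice",
}
EXCLUSIONS = {"Inquiry Only"}  # read-only functions ignored by the analysis

# 2. Application access architecture: responsibility -> menus -> functions.
MENUS = {
    "AR Menu": {"Enter Receipt", "Inquiry Only"},
    "OM Menu": {"Sales Order"},
    "AP Menu": {"Create Supplier", "Enter Invoice"},
}
RESPONSIBILITIES = {"AR Clerk": {"AR Menu"}, "OM Clerk": {"OM Menu"}, "AP Clerk": {"AP Menu"}}
USERS = {"alice": {"AR Clerk", "OM Clerk"}, "bob": {"AP Clerk"}, "carol": {"AR Clerk"}}

def effective_functions(responsibilities, menus=MENUS):
    """Flatten a user's responsibilities down to the functions they can execute."""
    funcs = set()
    for resp in responsibilities:
        for menu in RESPONSIBILITIES.get(resp, ()):
            funcs |= menus.get(menu, set())
    return funcs - EXCLUSIONS

def conflicts(responsibilities, menus=MENUS):
    """Names of every conflict rule whose function pair is fully held."""
    funcs = effective_functions(responsibilities, menus)
    return sorted(name for pair, name in CONFLICT_RULES.items() if pair <= funcs)

def detect(users, menus=MENUS):
    """Detective control: conflicts that already exist, keyed by user."""
    found = {user: conflicts(resps, menus) for user, resps in users.items()}
    return {user: names for user, names in found.items() if names}

def simulate_remove_function(users, menu, function, menus=MENUS):
    """3. What-if: conflict impact of removing one function from a menu."""
    trial = {m: (fs - {function} if m == menu else fs) for m, fs in menus.items()}
    return detect(users, trial)

def evaluate_request(current_resps, requested_resp):
    """4. Preventive control: HOLD a request only if it introduces a new conflict."""
    before = set(conflicts(current_resps))
    after = set(conflicts(set(current_resps) | {requested_resp}))
    new = sorted(after - before)
    return ("HOLD", new) if new else ("GRANT", [])
```

Note that a request which adds no new conflict beyond what the user already holds is granted; the pre-existing conflict remains a detection finding for remediation.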
Access Control Lifecycle
Detection Attributes
– Occurs AFTER access has been allowed – these are conflicts that currently exist
– Identification of conflicts based on defined business rules requiring approval action
– Cleanup managed based on organizational needs, compensating controls, etc.
– Compensating controls needed where conflicts are required
– Risk exists with pre-cleanup access
Access Control Lifecycle
Simplified Prevention Flow
[Flowchart]
1. User Submits Access Request
2. IT Creates User Responsibility (End Dated)
3. Conflict Analysis Performed (Analysis Based on Pre-Established Conflict Rules)
4. Approval Workflow for Access Authorization
5. Accept? YES: User Access Granted / NO: User Access Denied
6. Documentation of Process (Authorization/Rejection)
Access Control Lifecycle
Prevention Attributes
– Occurs PRIOR to access allowed. This doesn’t mean a conflict won’t be allowed.
– Real-time management of access
– Access requests compared to pre-established business rules and subject to approval
– Authorizations (Approvals/Rejections) managed based on organizational needs, compensating controls, etc.
– Least amount of risk
SOD – A Fallacy in Reality
Why is pure SOD a fallacy?
– Underlying attribute is RESTRICTION
  • Separation of 4 classifications (Authorization, Custody, Recordkeeping and Reconciliation)
– Requirements are too EXPENSIVE
  • Increased personnel requirements (and related costs)
    – HR: Hiring, training, etc.
    – Operations: Office space, parking, etc.
    – IT: User management, SOD analysis and Management
– Application is too INEFFICIENT
  • Hand-off coordination
  • Knowledge transfer
Interim Recap
– Objectives of SOD are VALID
– Current Approaches to SOD include detective and preventive measures
– These measures alone are NOT a viable, long-term solution
So What’s the Answer?
A Holistic Approach
What is Application Governance?
– Access Controls: Controlling what users can do
– Process Controls: Managing how they do it
– Monitor Controls: Reviewing what they have done
A Holistic Approach
Application Governance Components
– Prevention
– Detection
– Access Monitoring (Emergency Access)
– Transaction Analysis
– Process Controls
A Holistic Approach
Process/Change Controls
What they do
– Enforce policies for interacting with forms, fields or configuration setups
  • Disable or hide key data elements
  • Restrict updates to specific values, formats or off-limits
– Identify and process exceptions
  • Route for approval
  • Require specific documentation or handling codes
Why they’re needed
– Standard application security is not granular enough and doesn’t consider the context of the transaction
A Holistic Approach
Process control options
– Hide fields and buttons; prevent updating
– Disable checkboxes, change field names, or change date formats
– Validate data and require consistency; force data to upper case
– Require approval cycles based on conditions (e.g., a threshold is exceeded)
– Call out to a sub-application for special processing (e.g., generation of a unique ID)
Examples
– Require approvals for Credit Memos over $5,000
– Prevent updating of Credit Limits for customers that are currently on a credit hold
– Restrict ability to change key setups and require change routing approvals
A Holistic Approach
Access Monitoring (Emergency Access)
Provision of access that is:
– Allowed for support purposes
– Short-Term in nature (time based)
– One-time or recurring
– In possible conflict of SOD business rules
– At either the Application or Database level
Mitigating Controls
– Approval requirements
– Audit capture of activities for review
A Holistic Approach
Transaction Analysis
Argument of True Risk
– Not that resources COULD commit fraud or errors
– But that resources DID commit fraud or errors
Analysis based on defined variables
– Ex. Purchase invoices exist by same creator of supplier (SOD conflict)
– Ex. Invoice creator different from approver but combination exceeds statistical value (pattern analysis)
Compensating control when SOD potential exists
Example: Posting a Bad Debt
[Diagram] Roles: Financial Clerk, Financial Supervisor, Financial Controller. Steps: ENTER Bad-Debt Account entry; POST Bad-Debt Approval to the Bad Debt Ledger. Controls shown on the diagram:
– Enforce SOD between Entry and Post
– Limit on entry amount
– Only certain accounts
– Approve entries over threshold
– Require approval if near close
– Monitor all entries over time period
– Flag pending reportable events (Reportable Event Risk)
The Access Management Spectrum
[Diagram] Implementation Process: Assessment → Remediation → Real-time Prevention → Monitoring, plotted against Operational Efficiency.
Levels: Access-level Detection; Transaction-level Detection; Access-level Prevention; Transaction-level Prevention.
Elements: Conflict Matrix; Exception-Based Reporting; Simulation; Responsibility Refactoring; Embedded Access Controls; Workflow/Approvals; Compensating Controls; Access Policy.
Summary
– SOD exists to reduce risk of material misstatements, fraud and error
– SOD in purest sense is not realistic
  • Too restrictive
  • Too expensive
  • Too inefficient
– Best Approach is Holistic (Application Governance)
  • Prevent current and future conflicts when possible
  • Detect existing conflicts and analyze appropriateness
  • Manage application activities with form, field and configuration controls
  • Monitor Emergency Access
  • Analyze transactions