
Business Process Question: When are companies routing SOD risks to controls organizations?

Former Member

We are re-evaluating our processes around SOD risks and applying mitigations, and I am wondering what other companies are doing.

We currently have Medium and High risks that we monitor for users. We have controls defined for all of these risks, and have a handful of risks that we believe should never occur. This is the result of work from joint meetings between IT/Finance and the internal controls organization. We're re-evaluating our process around when the controls are applied.

When a user is getting a role group added to their ID and it creates an SOD risk, does your organization:

A) route the security provisioning workflow to a controls organization, who then needs to apply the mitigation/reject the request (thereby adding time until the user gets the security)

B) apply the security, with role owner approval as necessary, and then identify risks and mitigate after security is assigned. For any requests that should not occur, the security is investigated immediately.

In this scenario any info on whether you follow different paths based on the risk level is appreciated.

Many thanks - Emily

Accepted Solutions (1)

Colleen
Advisor

Hi Emily

Each organisation is going to be different depending on many factors, including:

  • Size of Organisation as well as the Security/Access Approvers and Controls Team
  • Centralisation/Decentralisation of roles and responsibility (e.g. approvers may be located around the world but the controls team is a central team or regional based team)
  • Knowledge and competency of staff performing SoD identification, remediation and mitigation, etc.
  • Number of users you want on your GRC system
  • Classification of risks
  • How quickly you need to process the access

In your scenario, I would probably send it to the Access Approver based on the assumption that they may know the user's job description and duties and can understand if the access is justified and appropriate. In addition, the Access Approver/Role Owner may know if there is an alternative combination to add/remove access to remediate the risk. Where a risk has been identified, the Approver is able to add additional information to the request which the Controls team may require to determine if a mitigating control can be assigned.

In MSMP a routing rule would then be run against that line item to pick the MEDIUM and HIGH risks and route them to the Controls team. Therefore, only a subset of requests would go to the Controls team, whilst all requests would go to the Approver to attempt remediation first. And, more importantly, the approver cannot bypass the Controls team, as the system would determine if the secondary approval/actions are required.

Your next bit is whether you have Managers, Security and Role Owners performing different checks of the request.
