on 05-02-2013 7:37 PM
We are re-evaluating our processes around SOD risks and applying mitigations, and I am wondering what other companies are doing.
We currently have Medium and High risks that we monitor for users. We have controls defined for all of these risks, and have a handful of risks that we believe should never occur. This is the result of work from joint meetings between IT/Finance and the internal controls organization. We're re-evaluating our process around when the controls are applied.
When a user is getting a role group added to their ID, and it creates a SOD risk does your organization:
A) route the security provisioning workflow to a controls organization who then needs to apply the mitigation/reject the request (thereby adding time until the user gets the security)
B) apply the security, with role owner approval as necessary, and then identify risks and mitigate after security is assigned. For any requests that should not occur, the security is investigated immediately.
In this scenario any info on whether you follow different paths based on the risk level is appreciated.
Many thanks - Emily
Hi Emily
Each organisation is going to be different depending on many factors, including:
In your scenario, I would probably send it to the Access Approver based on assumption they may know the user's job description and duties to understand if the access is justified and appropriate. In addition, the Access Approver/Role Owner may know if there is an alternative combination to add/remove access to remediate risk. Where risk has been identified, the Approver is able to add additional information to the request which the Controls team may require to determine if a mitigating control can be assigned.
In MSMP a routing rule would then be against that line item to pick the MEDIUM and HIGH risks and route them to the Controls team. Therefore, only a subset of requests would go to the Controls Team whilst all requests would go to the Approver to attempt remediation first. And, more importantly, the approver cannot bypass the Controls team as the system would determine if the secondary approval/actions are required.
Your next bit is whether you have Managers, Security and Role Owners performing different checks of the request.
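To make the routing design in the reply above concrete, here is an added Python model of it (example code written for this thread, not SAP GRC or MSMP itself). The ruleset, role names and function names are constructed and hypothetical. Every request goes to the Access Approver first; the approver may propose role removals as remediation and the Controls team may record mitigations; only requests that still carry an unmitigated, newly introduced MEDIUM or HIGH risk get a second Controls stage, and a request introducing one of the "should never occur" (CRITICAL) combinations is rejected outright.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Set

class RiskLevel(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4   # the "should never occur" bucket from the original question

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    level: RiskLevel
    description: str

# Constructed sample ruleset (hypothetical IDs and function names, not a real SAP ruleset).
RULESET: List[SodRule] = [
    SodRule("S001", "VENDOR_MAINTAIN", "PAYMENT_RELEASE", RiskLevel.HIGH,
            "Maintain vendor master and release payments"),
    SodRule("S002", "PO_CREATE", "GR_POST", RiskLevel.MEDIUM,
            "Create purchase orders and post goods receipts"),
    SodRule("S003", "USER_ADMIN", "PAYMENT_RELEASE", RiskLevel.CRITICAL,
            "Administer user accounts and release payments"),
]

# Constructed role-to-function map (hypothetical role names).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"VENDOR_MAINTAIN"},
    "Z_AP_MANAGER": {"PAYMENT_RELEASE"},
    "Z_BUYER": {"PO_CREATE"},
    "Z_WAREHOUSE": {"GR_POST"},
    "Z_SECURITY_ADMIN": {"USER_ADMIN"},
}

def functions_for(roles: Iterable[str]) -> Set[str]:
    """Flatten a set of roles into the business functions they grant."""
    fns: Set[str] = set()
    for role in roles:
        fns |= ROLE_FUNCTIONS.get(role, set())
    return fns

def violations(roles: Iterable[str]) -> List[SodRule]:
    """Rules whose two conflicting functions are both granted by `roles`."""
    fns = functions_for(roles)
    return [r for r in RULESET if r.function_a in fns and r.function_b in fns]

def route_request(existing_roles: Iterable[str], requested_roles: Iterable[str],
                  removals: Iterable[str] = (), mitigations: Iterable[str] = ()) -> dict:
    """Decide the approval path for one role-assignment line item.

    removals:    roles the Access Approver proposes dropping as remediation.
    mitigations: rule IDs for which the Controls team has a mitigating control on file.
    """
    existing = set(existing_roles)
    combined = (existing - set(removals)) | set(requested_roles)

    # Only risks the request *introduces* are routed; pre-existing ones are
    # already under monitoring and are not re-approved on every request.
    already_present = {r.rule_id for r in violations(existing)}
    new_risks = [r for r in violations(combined) if r.rule_id not in already_present]
    unmitigated = [r for r in new_risks if r.rule_id not in set(mitigations)]

    stages = ["ACCESS_APPROVER"]          # every request passes the approver first
    if any(r.level is RiskLevel.CRITICAL for r in unmitigated):
        decision = "REJECT"               # "should never occur" combinations are stopped
    else:
        if any(r.level in (RiskLevel.MEDIUM, RiskLevel.HIGH) for r in unmitigated):
            stages.append("CONTROLS_TEAM")  # system-enforced; approver cannot bypass it
        decision = "PENDING"
    return {"stages": stages, "decision": decision,
            "new_risks": [r.rule_id for r in new_risks]}

if __name__ == "__main__":
    # Constructed scenarios illustrating the three paths.
    print(route_request(["Z_AP_CLERK"], ["Z_AP_MANAGER"]))                       # HIGH -> Controls stage
    print(route_request(["Z_AP_CLERK"], ["Z_AP_MANAGER"], mitigations=["S001"]))  # mitigated -> approver only
    print(route_request(["Z_BUYER"], ["Z_WAREHOUSE"], removals=["Z_BUYER"]))      # remediated by removal
    print(route_request(["Z_SECURITY_ADMIN"], ["Z_AP_MANAGER"]))                  # CRITICAL -> reject
```

The `removals` parameter models the approver finding an "alternative combination to add/remove access", and the `mitigations` parameter models the Controls team assigning a mitigating control; a real MSMP configuration would express the same branching as a routing rule on the line item's risk level rather than in application code.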