Thick in the world of SOX, it seems that many organizations are having a hard time getting the IT and business sides of the organization to pull together. One area that has been a particular challenge for me is Access Management.
As a key consideration for General Computer Controls (see isaca.org and details regarding use of the COBIT standard to address SOX issues), Access Management means that you restrict the types of access that persons have to your systems. This applies equally to those persons in the business and in IT supporting or developing the applications.
One of the greatest challenges I’m seeing and hearing is that system access privileges reflect where you’ve been, not what you now do. If you have folks who have moved around the organization, it is quite likely that they have retained access to a number of applications or networked folders that reflect their past work. Hmm. Not a good thing when you begin your efforts to identify adequate Segregation of Duties.
A few considerations to help clean this up:
Make role definition a priority. This means that, for each functional area, a specific project should be assigned that requires managers to determine what their team needs (and doesn’t need) in terms of access. If it is not on the list, it needs to be approved by exception by both the person’s manager AND the targeted system owner. Not only does clear role definition make it easier for managers to review at future dates, it makes it easier to adjust as changes occur in your staff.
Get HR Involved. No one gets hired, fired, or transferred without HR ensuring that payroll details and benefits considerations get updated. A well-run HR process can assure that, before a new person gets put into a vacated role, all rights for that role have been closed out. You are likely thinking “that’s not how our process works” – which is probably right. What you need to ensure though is that changes in the roster are reflected properly in the IT access environment. If you have managers that want to fill vacancies or get an internal candidate into the job, now is the time to task them with cleaning up the access details – while they have a clear motivation for knocking out the work.
Make Managers Accountable. The best laid plans… go up in smoke without clear accountability. Your management structure should reflect a proper span of control, such that every manager knows what their team needs to do their jobs effectively. Make these managers accountable for proper access by pushing out periodic reports (e.g., quarterly) and having them validate that their teams’ access is appropriate.
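The periodic report these three steps feed, as an added example that is not the author’s code: a Python reconciliation of a constructed HR roster, the role definitions managers signed off on, the approved exceptions, and what the systems actually grant today, with findings grouped by manager for quarterly sign-off. Every user, role and entitlement string below is constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from any real system).
HR_ROSTER = {  # user -> (current role, manager, employment status)
    "alice": ("ap_clerk", "mgr_finance", "active"),
    "bob":   ("ar_clerk", "mgr_finance", "active"),  # transferred from ap_clerk
    "carol": ("dev",      "mgr_it",      "active"),
    "dave":  ("ap_clerk", "mgr_finance", "terminated"),
}
ROLE_ENTITLEMENTS = {  # role -> access the manager agreed the role needs
    "ap_clerk": {"erp:ap_enter", "share:finance"},
    "ar_clerk": {"erp:ar_enter", "share:finance"},
    "dev":      {"git:write", "erp:dev_sandbox"},
}
APPROVED_EXCEPTIONS = {  # (user, entitlement) approved by manager AND system owner
    ("carol", "erp:ap_enter"),
}
CURRENT_ACCESS = {  # what the systems actually grant today
    "alice": {"erp:ap_enter", "share:finance"},
    "bob":   {"erp:ap_enter", "erp:ar_enter", "share:finance"},  # kept old role's grant
    "carol": {"git:write", "erp:dev_sandbox", "erp:ap_enter", "erp:ap_approve"},
    "dave":  {"erp:ap_enter"},   # leaver whose account was never closed out
    "eve":   {"share:finance"},  # account with no HR record at all
}

def review_report(roster, roles, exceptions, access):
    """Return {manager: [(user, reason, entitlements)]} for manager attestation."""
    findings = defaultdict(list)
    for user, grants in access.items():
        if user not in roster:  # nobody owns this account: route to a catch-all bucket
            findings["unowned"].append((user, "no HR record", sorted(grants)))
            continue
        role, manager, status = roster[user]
        if status != "active":  # leaver: every remaining grant is a finding
            findings[manager].append((user, f"{status}, still has access", sorted(grants)))
            continue
        # Mover/creep: grants outside the current role that no exception covers
        excess = {g for g in grants - roles.get(role, set()) if (user, g) not in exceptions}
        if excess:
            findings[manager].append((user, f"outside role {role}, no exception", sorted(excess)))
    return dict(findings)

def quarterly_report():
    return review_report(HR_ROSTER, ROLE_ENTITLEMENTS, APPROVED_EXCEPTIONS, CURRENT_ACCESS)

if __name__ == "__main__":
    for manager, items in quarterly_report().items():
        print(manager, *items, sep="\n  ")
```

Access that matches the role, or that has an approved exception on file, produces no finding, so a clean quarter yields an empty report.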
Any of the efforts around IT really need to be covered off in two specific aspects – cleanup of existing access (the data), and then building a process that ensures things don’t get off track in the future. Clear processes coupled with a proper level of accountability provide assurance that practices stay on track long after the pain of cleanup has been completed.