Crawford & Company - ISACA: Beating the Challenges of Automating Access Reviews

Posted on 21-Jul-2018


Crawford & Company: Beating the Challenges of Automating Access Reviews

August 19, 2013

Gretchen Hiley, Trevor Jackson, Christine Swearengin

Crawford & Company

Topics

Review Process Pre- and Post-Automation

Implementation Challenges

Lessons Learned

Post-Automation Metrics

Q&A


Access Review Process Pre-Automation


[Diagram: App Owner and IT Auditor exchange files with the External Auditor and a large group of Reviewers through a shared Mailbox; the flow is described in the steps below.]

1. App Owner submits Excel or txt files to mailbox.

2. IT Auditor compiles files into a single Excel file.

3. IT Auditor sends an Excel file to each reviewer to review.

4. IT Auditor compiles each reviewed Excel file into a single file and sends it back to reviewers for final approval.

5. Once the Excel file is approved, IT Auditor sends it to the External Auditor for the review/approval cycle.


Access Review Process Post-Automation


[Diagram: Application Tool, Secure Website, Reviewers, ICT Security and External Auditor; the flow is described in the steps below.]

1. Tool compiles submitted data into the application.

2. All reviewers can directly access and review the electronic file via the secured website.

3. Tool compiles reviewed data; certifications are saved within the Tool, and the revocation list is sent to ICT Security for action.

4. ICT Security confirms and revokes access as needed; the Tool maintains documentation of the appropriate access review.

5. Tool confirms all updates are complete.

6. Updated data is available to External Auditors.


Implementation Challenges

Status quo – past culture and attitude.

Staff turnover pre- and post-implementation.

No formal access review policy.

Significant effort to collect accounts, define access reviews and resolve issues.

Cross-functional enterprise-wide effort and commitment.


Achievable Steps for Success

Manageable scope

Clear Access Review Policy

Management Buy-In

Documentation of Decisions

Testing

User Awareness & Training

Support at each review launch


Manageable Scope

Consider the size of the company.

Consider a phased deployment approach.

Prioritize the element(s) to be reviewed:

  User access to network

  User access to application(s)

  User authority to approve and generate financial transactions

Don’t forget privileged access to infrastructure!


Clear Access Review Policy

Establish time frame for initial review.

Establish time frame for any escalation(s).

Ensure cooperation and “buy-in” of senior management.

Establish and communicate consequences of delinquent reviews.
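As an added illustration (not code from the Crawford & Company deck or their tool), the post-automation cycle above and the escalation time frame this policy slide calls for, modelled in Python: reviewers certify through the tool, "revoke" decisions become the revocation list sent to ICT Security, and reviewers still outstanding after the escalation window are flagged. All names, entitlements and the 14-day escalation window are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from datetime import date
# Added example (not the Crawford & Company tool): the automated cycle above plus the escalation time frame.

@dataclass
class Entitlement:
    user: str
    application: str
    role: str
    reviewer: str                    # reviewer assigned by the application owner
    decision: Optional[str] = None   # "keep", "revoke", or None while outstanding

@dataclass
class ReviewCycle:
    launched: date
    escalation_days: int             # policy: escalate reviews still open after this many days
    items: List[Entitlement] = field(default_factory=list)

    def certify(self, reviewer: str, user: str, application: str, decision: str) -> None:
        """Record a decision via the tool; only the assigned reviewer may certify."""
        if decision not in ("keep", "revoke"):
            raise ValueError(f"unknown decision {decision!r}")
        for e in self.items:
            if e.user == user and e.application == application:
                if e.reviewer != reviewer:
                    raise PermissionError(f"{reviewer} is not the assigned reviewer")
                e.decision = decision
                return
        raise KeyError((user, application))

    def revocation_list(self) -> list:
        """Step 3: what the tool sends to ICT Security for action."""
        return [(e.user, e.application, e.role) for e in self.items if e.decision == "revoke"]

    def escalated_reviewers(self, days_since_launch: int) -> list:
        """Reviewers with open items once the escalation time frame has passed."""
        if days_since_launch < self.escalation_days:
            return []
        return sorted({e.reviewer for e in self.items if e.decision is None})

def sample_cycle() -> ReviewCycle:
    # Constructed data: three entitlements, two reviewers, launched 1 July 2013.
    cycle = ReviewCycle(date(2013, 7, 1), escalation_days=14)
    cycle.items = [Entitlement("alice", "claims-app", "adjuster", "bob"),
                   Entitlement("carol", "claims-app", "admin", "bob"),
                   Entitlement("dave", "gl-system", "approver", "erin")]
    cycle.certify("bob", "alice", "claims-app", "keep")
    cycle.certify("bob", "carol", "claims-app", "revoke")  # privileged access no longer needed
    return cycle
```

The escalation list is what a summary of review status for escalation purposes would be built from; the tool rejecting a certification from anyone but the assigned reviewer is the check that keeps the certification record trustworthy for the external auditors.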


Management Buy-In

Application owners’ input is critical for:

  Defining review scope and reviewers

  Reminding reviewers of outstanding reviews

  Providing assistance to reviewers

  Processing access removal requests

Executive Management’s support is critical for establishing tone at the top.


Documentation of Decisions

Document the scope of reviews, including the rationale for any exclusions.

Document the parties responsible for the various activities:

  Collecting accounts and entitlements

  Reviewing user access

  Escalating incomplete reviews

  Creating and updating the review structure

  Enforcing the review completion policy

Document how review data is populated:

  Files used, including file type

  Query language and source being queried


Testing

Define access reviews.

Remove access upon request.

Notify and remind reviewers of outstanding access reviews.

Test, test and test again in non-production.


User Awareness & Training

Take advantage of every opportunity for exposure

Communicate through multiple media forms:

  Email

  Web-based training

  Shared PDF of instructions

  Contact person for question resolution


Support at Access Review Launch

Questions from reviewers.

Data collectors / files may fail.

Errors may occur with review components.

Summary of review status for escalation purposes.


Additional Considerations

Test the completeness of identity source.

Determine completeness of requirements for access reviews.

Account for new in-scope applications (e.g., externally hosted applications).


Access Review Metrics

[Chart: Access Review Metrics by quarter, 2012 Q3 to 2013 Q2; series: Total No. Escalated Reviewers and Avg. # Days Outstanding; y-axis 0 to 70. Data labels as extracted, series assignment not recoverable: 60, 31, 35, 40, 27, 16, 8, 0.]


Persistence Pays Off!

[Chart: Compliance Achieved by quarter, Q3 2012 to Q2 2013; y-axis 70% to 100%.]

Conclusion

Q&A
