Posted on 21-Jul-2018

  • Crawford & Company BEATING THE CHALLENGES OF AUTOMATING ACCESS REVIEWS

    August 19, 2013

    Gretchen Hiley Trevor Jackson Christine Swearengin

  • Topics

    Review Process Pre- and Post-Automation
    Implementation Challenges
    Lessons Learned
    Post-Automation Metrics
    Q&A

  • Access Review Process Pre-Automation

    Parties in the flow diagram: App Owner, IT Auditor, External Auditor, a shared Mailbox, and many individual Reviewers.

    1. App Owner submits Excel or txt files to mailbox
    2. IT Auditor compiles files into single Excel file
    3. IT Auditor sends Excel file for each reviewer to review
    4. IT Auditor compiles each reviewed Excel file into single file and sends back to reviewers for final approval
    5. Once Excel file is approved, IT Auditor sends to External Auditor for review/approval cycle

  • Access Review Process Post-Automation

    Parties in the flow diagram: Application Tool, Secure Website, ICT Security, External Auditor, and many individual Reviewers.

    1. Tool compiles submitted data into application
    2. All reviewers can directly access and review electronic file via secured website
    3. Tool compiles reviewed data; certifications are saved within Tool, revocation list is sent to ICT Security for action
    4. ICT Security confirms and revokes access as needed; Tool maintains documentation of appropriate access review
    5. Tool confirms all updates are complete
    6. Updated data is available to External Auditors

  • Implementation Challenges

    Status quo: past culture and attitude.
    Staff turnover pre- and post-implementation.
    No formal access review policy.
    Significant effort to collect accounts, define access reviews and resolve issues.
    Cross-functional, enterprise-wide effort and commitment required.

  • Achievable Steps for Success

    Manageable scope
    Clear Access Review Policy
    Management Buy-In
    Documentation of Decisions
    Testing
    User Awareness & Training
    Support at each review launch

  • Manageable Scope

    Consider the size of the company.
    Consider a phased deployment approach.
    Prioritize the element(s) to be reviewed:
      User access to network
      User access to application(s)
      User authority to approve and generate financial transactions
      Don't forget privileged access to infrastructure!

  • Clear Access Review Policy

    Establish time frame for initial review.
    Establish time frame for any escalation(s).
    Ensure cooperation and buy-in of senior management.
    Establish and communicate consequences of delinquent reviews.

  • Management Buy-In

    Application owners' input is critical for:
      Defining review scope and reviewers
      Reminding reviewers of outstanding reviews
      Providing assistance to reviewers
      Processing access removal requests
    Executive Management's support is critical for establishing tone at the top.

  • Documentation of Decisions

    Document scope of reviews, including rationale for any exclusions.
    Document parties responsible for various activities:
      Collecting accounts and entitlements
      Reviewing user access
      Escalating incomplete reviews
      Creating and updating the review structure
      Enforcing the review completion policy
    Document how review data is populated:
      Files used, including file type
      Query language and source being queried

  • Testing

    Define access reviews.
    Remove access upon request.
    Notify and remind reviewers of outstanding access reviews.
    Test, test and test again in non-production.

  • User Awareness & Training

    Take advantage of every opportunity for exposure.
    Communicate through multiple media forms:
      Email
      Web-based training
      Shared PDF of instructions
      Contact person for question resolution

  • Support at Access Review Launch

    Expect questions from reviewers.
    Data collectors / files may fail.
    Errors may occur with review components.
    Keep a summary of review status for escalation purposes.

  • Additional Considerations

    Test the completeness of identity source.
    Determine completeness of requirements for access reviews.
    Account for new in-scope applications (e.g., externally hosted applications).

  • Access Review Metrics

    [Chart: two series by quarter (2012 Q3, 2012 Q4, 2013 Q1, 2013 Q2), y-axis 0 to 70: "Total No. Escalated Reviewers" and "Avg. # Days Outstanding". Data labels present in the transcript, series assignment not recoverable: 0, 60, 31, 35, 40, 27, 16, 8.]
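The post-automation flow (steps 1 to 5), the policy time frames for initial review and escalation, and the two metrics charted above can be modelled in a few dozen lines. This is an added example, not Crawford & Company's tool; the policy windows, reviewer names, entitlements and dates are constructed sample data.

```python
# Added example: a minimal model of an automated access review campaign.
# Policy windows, reviewers and items below are constructed, not from the deck.
from dataclasses import dataclass
from datetime import date

INITIAL_REVIEW_DAYS = 14   # assumed policy: time frame for the initial review
ESCALATION_DAYS = 21       # assumed policy: escalate to management after this

@dataclass
class Item:
    user: str
    entitlement: str
    reviewer: str
    decision: str = None    # "certify", "revoke" or None while outstanding
    decided: date = None    # date the reviewer recorded the decision

class Campaign:
    def __init__(self, launched, items):
        self.launched, self.items = launched, items

    def reviewer_status(self, today):
        """Reviewer -> (state, open items): drives reminders and escalation."""
        age = (today - self.launched).days
        out = {}
        for r in sorted({i.reviewer for i in self.items}):
            n = sum(1 for i in self.items if i.reviewer == r and i.decision is None)
            if n == 0:
                state = "complete"
            elif age > ESCALATION_DAYS:
                state = "escalated"
            elif age > INITIAL_REVIEW_DAYS:
                state = "reminder"
            else:
                state = "in_window"
            out[r] = (state, n)
        return out

    def revocation_list(self):
        """Revoked entitlements the tool hands to ICT Security for action (step 3)."""
        return [(i.user, i.entitlement) for i in self.items if i.decision == "revoke"]

    def metrics(self, today):
        """The two numbers the deck tracks per quarter, plus overall compliance."""
        escalated = sum(1 for s, _ in self.reviewer_status(today).values() if s == "escalated")
        ages = [((i.decided or today) - self.launched).days for i in self.items]
        done = sum(1 for i in self.items if i.decision is not None)
        return {"escalated_reviewers": escalated,
                "avg_days_outstanding": sum(ages) / len(ages),
                "compliance_pct": 100 * done / len(self.items)}

# Constructed sample campaign: launched 1 Aug 2013, evaluated 30 days later.
AS_OF = date(2013, 8, 31)
SAMPLE = Campaign(date(2013, 8, 1), [
    Item("alice", "GL_POST", "mgr_finance", "certify", date(2013, 8, 5)),
    Item("bob", "GL_POST", "mgr_finance", "revoke", date(2013, 8, 5)),
    Item("carol", "AD_DOMAIN_ADMIN", "mgr_infra", "revoke", date(2013, 8, 20)),
    Item("dave", "CLAIMS_APPROVE", "mgr_claims"),   # still outstanding, past escalation
])
```

Running `SAMPLE.metrics(AS_OF)` on this data reports one escalated reviewer (mgr_claims), an average of 14.25 days outstanding and 75% compliance, and `SAMPLE.revocation_list()` is what ICT Security would receive to act on in step 4.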

  • Persistence Pays Off!

    [Chart: "Compliance Achieved" by quarter (Q3 2012, Q4 2012, Q1 2013, Q2 2013), y-axis 70% to 100%.]

  • Conclusion

    Q&A
