Risk analysis is more than simply understanding who has access to which services. It is also about what users actually do with that access. A proper analysis of access risk lets the organization understand its risks and prioritize remediation, because not all risks are equal.
A detailed analysis of segregation of duties (SoD) risks shows business-application owners precisely which users hold potentially toxic combinations of access privileges. The analysis must also go a step further and identify the users who have actually executed transactions that constitute SoD violations. Distinguishing who could commit an SoD violation from who has already committed one is what allows the risks that must be addressed first to be prioritized quickly.
If there are SoD concerns about data being updated, you do not need to see records where a user simply changed a customer's fax number, an update that has no bearing on the company's risk exposure. But if the employee changed payment terms or credit limits, the change has a meaningful impact and could violate company policy. The security administrator needs flexible controls for fetching transactional details, so that mitigation reports contain only the key data correlated with SoD violations. A fine-grained view of what users are doing with their privileges lets you eliminate false-positive risks.
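The two-stage analysis described above (potential violators from role grants, actual violators from the transaction log, with irrelevant field updates filtered out) can be expressed compactly. The following is an added example written for this page, not code from the page or from any vendor's product; the users, role names, transaction codes, SoD rules, risk-relevant fields and log entries are all constructed sample data, and the rule format is an assumption.

```python
"""Potential vs. actual SoD violation analysis over constructed sample data.

Added example, not from the original page. All identifiers below are
hypothetical: role and transaction-code names, the SoD ruleset, and the
risk-relevant field list are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed role assignments: user -> set of application roles.
USER_ROLES = {
    "alice": {"AP_CLERK", "VENDOR_MASTER"},
    "bob": {"AP_CLERK", "VENDOR_MASTER"},
    "carol": {"AP_CLERK"},
    "dave": {"CREDIT_MGR", "SALES_ORDER"},
}

# Hypothetical role -> transaction-code mapping.
ROLE_TRANSACTIONS = {
    "AP_CLERK": {"PAYMENT_RELEASE"},
    "VENDOR_MASTER": {"VENDOR_CREATE", "VENDOR_CHANGE"},
    "CREDIT_MGR": {"CUSTOMER_CHANGE"},
    "SALES_ORDER": {"ORDER_CREATE"},
}

# Hypothetical SoD ruleset: rule id -> (description, toxic combination).
# A user who can (or did) execute every transaction in the set is in scope.
SOD_RULES = {
    "SOD-01": ("Maintain vendor master and release payment",
               {"VENDOR_CHANGE", "PAYMENT_RELEASE"}),
    "SOD-02": ("Set customer credit limit and create sales order",
               {"CUSTOMER_CHANGE", "ORDER_CREATE"}),
}

# Master-data fields whose modification matters for SoD; anything else
# (fax number, address) is noise and should not count as evidence.
RISK_FIELDS = {"payment_terms", "bank_account", "credit_limit"}

# Constructed transaction log. "field" is None for transactions that are
# not master-data updates (e.g. releasing a payment).
TRANSACTION_LOG = [
    {"user": "alice", "tcode": "VENDOR_CHANGE", "field": "fax", "old": "111", "new": "222"},
    {"user": "alice", "tcode": "PAYMENT_RELEASE", "field": None},
    {"user": "bob", "tcode": "VENDOR_CHANGE", "field": "bank_account", "old": "DE..01", "new": "DE..99"},
    {"user": "bob", "tcode": "PAYMENT_RELEASE", "field": None},
    {"user": "dave", "tcode": "CUSTOMER_CHANGE", "field": "credit_limit", "old": 10000, "new": 50000},
    # erin no longer holds any role but did both halves of SOD-01 earlier.
    {"user": "erin", "tcode": "VENDOR_CHANGE", "field": "payment_terms", "old": "NET30", "new": "NET0"},
    {"user": "erin", "tcode": "PAYMENT_RELEASE", "field": None},
]

STATUS_ORDER = {"ACTUAL": 0, "ACTUAL_ACCESS_REMOVED": 1, "POTENTIAL": 2}


def potential_violations(user_roles, role_transactions, rules):
    """Users whose combined role grants cover a toxic combination."""
    result = defaultdict(list)
    for user, roles in user_roles.items():
        granted = set().union(*(role_transactions.get(r, set()) for r in roles))
        for rule_id, (_, toxic) in rules.items():
            if toxic <= granted:
                result[user].append(rule_id)
    return dict(result)


def relevant_events(log, risk_fields):
    """Drop field updates with no bearing on risk (the fax-number case)."""
    return [e for e in log if e.get("field") is None or e["field"] in risk_fields]


def actual_violations(log, rules, risk_fields):
    """Users who actually executed every transaction in a toxic combination."""
    executed = defaultdict(set)
    for event in relevant_events(log, risk_fields):
        executed[event["user"]].add(event["tcode"])
    result = defaultdict(list)
    for user, tcodes in executed.items():
        for rule_id, (_, toxic) in rules.items():
            if toxic <= tcodes:
                result[user].append(rule_id)
    return dict(result)


def prioritize(potential, actual):
    """Rank (user, rule, status): actual violations first, potential-only last.

    A user present in the log but no longer holding the roles still committed
    the violation; it is flagged separately so the access removal is not
    mistaken for remediation of the transaction itself.
    """
    ranked = []
    for user, rule_ids in potential.items():
        for rule_id in rule_ids:
            status = "ACTUAL" if rule_id in actual.get(user, []) else "POTENTIAL"
            ranked.append((user, rule_id, status))
    for user, rule_ids in actual.items():
        for rule_id in rule_ids:
            if rule_id not in potential.get(user, []):
                ranked.append((user, rule_id, "ACTUAL_ACCESS_REMOVED"))
    ranked.sort(key=lambda t: (STATUS_ORDER[t[2]], t[0], t[1]))
    return ranked


if __name__ == "__main__":
    pot = potential_violations(USER_ROLES, ROLE_TRANSACTIONS, SOD_RULES)
    act = actual_violations(TRANSACTION_LOG, SOD_RULES, RISK_FIELDS)
    for user, rule_id, status in prioritize(pot, act):
        print(f"{status:22} {user:6} {rule_id} {SOD_RULES[rule_id][0]}")
```

With this data alice is only a potential SOD-01 violator (her vendor change touched the fax field and is filtered out), bob is an actual violator, dave holds a toxic combination for SOD-02 but never created an order, and erin surfaces as an actual violator even though her roles have since been removed. Sorting on status gives the report the order in which a reviewer should work through the findings.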
Powerful analytics and comprehensive reporting are needed to analyze the impact of different scenarios in managing the role life cycle and to satisfy line-of-business users, auditors, and IT security professionals. For instance, trend analysis shows the enterprise's compliance posture at any given time, such as violations across users and the applications that carry the highest risk. In many cases, simple drill-down dashboards help the business understand why access risks are occurring: analytics that break out risk by user, role, or risk type, for example, help business users see how to resolve it.
In all cases, proper analysis depends on a clean, clear presentation of user-access data in a business-friendly context through an intuitive user interface. Only when the data is this accessible and legible can line-of-business owners take responsibility for governing user access.