20 Feb 19 Part 5: Preventive Controls – A Pro-active Approach to Risk
So, you’ve identified and analyzed your access-related risks in Oracle EBS.
You’ve cleaned up the results and either remediated or mitigated as many of the risks as you can.
Job done, right?
Managing Access Related Risk
For most organizations, managing access-related risk (segregation of duties and sensitive access) is an ongoing process that lasts for the lifetime of the applications being managed. This means that managing access-related risk should be part of the day-to-day operational work of running a large-scale ERP system.
With the right solution in place, new risks are managed as they are introduced, and existing risks are revisited periodically. A software solution such as CS*Comply can help you manage all of this. With CS*Comply, you can take a more pro-active approach to managing SoD and sensitive access risks by preventing some risks from being introduced in the first place.
Being pro-active about access-related risk is achieved using preventive controls: the software scans for risk in real time whenever new access to the system is being provisioned.
When risk is detected, the system prevents the access from being granted (or allows it to be granted once approved).
Let’s walk through a simple use case in which a preventive control might be useful…
Requests for access to Oracle EBS come into the help desk on a regular basis. They are routed to the security administration team who open the standard Users screen in the System Administrator responsibility (or the Users page in User Management); they find the user that needs the new access and they assign the requested responsibility (or role via User Management). The security administrator informs the help desk (or the user directly) that the request for access has been fulfilled.
So far, so good, right?
Consider now that the user who requested access can already create a new supplier; with the request fulfilled, they can also create an invoice. Using the example SoD rule we’ve used in previous articles (suppliers vs. invoices), this user is now violating that rule, so we have introduced a new risk without even knowing it.
With an SoD solution in place, the new risk will be identified at some point; it can then be either remediated or mitigated as needed.
Now scale this scenario up to something more real-world: imagine dozens of access requests coming in all day, every day, and dozens (or more) critical risks (SoD and sensitive access rules) that need to be monitored. Before you know it, you are introducing hundreds, probably thousands, of new risks every day.
Surely there must be a better way?
Pro-Active Risk Management
How can you prevent new access-related risk from being introduced in the first place?
The answer to this question is simple: you need preventive controls.
Preventive controls (as they relate to access provisioning in Oracle EBS) help ensure that new risks are identified in real time during the provisioning process.
Let us re-write the above use case, but now with preventive controls in place…
Requests for access to Oracle EBS come into the help desk on a regular basis; they are routed to the security administration team, who open the standard Users screen in the System Administrator responsibility (or the Manage User page in User Management); they find the user that needs the new access and they attempt to assign the requested responsibility.
At this point, a preventive control is invoked, which scans for potential risks; in this case, it determines that the “Supplier vs. Invoice” rule will be violated and so the assignment is prevented. An approval is routed to one or more approvers who pick up the request; they can see what is being requested as well as see the detail of the risks that will be introduced should the assignment be created. The approver makes a judgment call and, in this case, chooses to reject the request and so no new risks have been introduced.
So far, so good, right?
Adopting this type of preventive, pro-active approach to access-related risk will help ensure that the risk to the system from inappropriate access is significantly reduced.
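The preventive check described in the use case above, as an added illustration rather than CS*Comply’s own code: it computes the functions a user would hold after the requested responsibility is assigned, flags any SoD conflict (such as Supplier vs. Invoice) or sensitive access the grant would introduce, and blocks the assignment pending approval. The responsibility, function and rule names are constructed for the example.

```python
# Added example (not CS*Comply code): a preventive SoD / sensitive-access check
# evaluated at provisioning time, before the responsibility is actually assigned.
from dataclasses import dataclass, field

# Constructed map of Oracle EBS responsibility -> functions it grants (names are hypothetical).
RESPONSIBILITIES = {
    "AP Supplier Entry": {"Create Supplier"},
    "AP Invoice Entry": {"Create Invoice", "Approve Invoice"},
    "GL Inquiry": {"View Journals"},
}

# SoD rules: pairs of functions a single user must not hold together.
SOD_RULES = {
    "Supplier vs. Invoice": ("Create Supplier", "Create Invoice"),
}

# Sensitive-access rules: single functions whose grant always requires approval.
SENSITIVE_RULES = {
    "Invoice Approval": "Approve Invoice",
}

@dataclass
class Decision:
    allowed: bool               # True -> assignment may proceed immediately
    route_to_approval: bool     # True -> hold the request for an approver
    violations: list = field(default_factory=list)

def functions_for(responsibilities):
    """Union of all functions granted by the given responsibilities."""
    funcs = set()
    for r in responsibilities:
        funcs |= RESPONSIBILITIES.get(r, set())
    return funcs

def evaluate_request(current_resps, requested_resp):
    """Preventive control: inspect the post-grant state and block if it introduces risk."""
    before = functions_for(current_resps)
    after = before | functions_for([requested_resp])
    new_funcs = after - before
    violations = []
    for name, (a, b) in SOD_RULES.items():
        # Report only conflicts this grant creates: both sides held afterwards, one of them new.
        if a in after and b in after and (a in new_funcs or b in new_funcs):
            violations.append(f"SoD: {name}")
    for name, func in SENSITIVE_RULES.items():
        if func in new_funcs:
            violations.append(f"Sensitive: {name}")
    if violations:
        return Decision(allowed=False, route_to_approval=True, violations=violations)
    return Decision(allowed=True, route_to_approval=False)
```

A pre-existing conflict (both functions already held) is deliberately not reported here, since that is a detective finding for the periodic scan rather than a risk introduced by this request.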
All organizations can benefit from utilizing preventive controls in their access provisioning processes, yet very few choose to do so.
Want to find out how we can help you implement this type of preventive control within your access provisioning process? Get in touch today and ask us about CS*Comply.
Early Access – Newsletter
The next article in this series is “Taking it to the next level with remediation”.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.