18 Nov 19 Part 2: Why are access reviews often difficult to perform?
Why are access reviews often difficult to perform?
For most organizations, the process of conducting an access review is a major administrative overhead that is for the most part done manually.
It may involve the moving around of reports and spreadsheets that detail what needs to be reviewed as well as other forms and documents that are passed onto the security administration team who have to take action with the results.
Lots of Data
The review process will likely involve a lot of data; consider an organization with 250 users who on average have access to 8 responsibilities; this means if a full review is done there will be 2,000 user/responsibility combinations to review; if there are 750 users that’s 6,000 lines to review and if there are 7,500 users that is up to 60,000 lines to review.
The review process is going to generate a lot of data and take significant time and effort to work through it all. Then, any access that should be revoked needs to be actioned by a security administrator and probably one at a time, which itself can take some time to complete.
Not Enough Data
To add to the pain of conducting a review, what if the reviewer requires more information during the review to help them make the correct decision in terms of whether access is still appropriate or not.
A reviewer’s decision might be influenced by one or more of the following…
- What access-related risks are associated with the responsibility being reviewed? (i.e. Segregation of Duties)
- Besides the responsibility being reviewed, what else does the user have access to?
- What did past reviewers do when they reviewed the access?
- For the responsibility being reviewed, what functionality does it provide?
Chances are, that much of this type of information will not be available to the reviewer and so they will either need to source the information elsewhere which adds to the problem of the review process being inefficient or else they make a decision without it, which makes the review potentially inaccurate or incorrect.
For whoever is tasked with initiating and managing the review, there is going to be a lot of work involved in ensuring that the review is completed on-time.
By way of the example, let’s say you are performing a supervisor type review, here are some things to consider…
- You have a few thousand EBS users whose access must be reviewed.
- There are 150 different supervisors throughout the business.
- Each supervisor will need a list of all of the users who report to them and which responsibilities they have access to.
- Each supervisor will need to complete the review within a given timescale.
- As the deadline for completion approaches, you will need to chase supervisors who have not completed the review.
- Some supervisors might be unable to conduct the review (i.e. away on vacation); in these scenarios, you will need to have somebody else do the review on their behalf.
- Once complete, you need to gather up all of the information from each supervisor.
- You will need to let the security administration team what access needs to be revoked.
Managing a review and ensuring it is fully completed and on-time is a difficult task and the larger the review, the harder this becomes.
Different Types of Review
Your organization may need to perform multiple types of reviews at different frequencies.
Here are a few examples…
- Business Process Owners review all users who have access to the responsibilities they have authority over.
- Supervisors/managers review access for the users that report to them.
- Targeted reviews that only include access that represents some sort of SoD/SA risk.
- Transfer reviews, i.e. when a person moves from one department to another.
Due to the amount of effort involved, often organizations are limited to performing fewer reviews than they would like.
Beyond the Review
Now consider once a review is complete and you have been asked to work through the review with your auditors to demonstrate that you are performing an appropriate access review; imagine the difficulty in pulling together all of the information in such a way that the auditor leaves happy; all possible of course, but a tall order.
Conducting an access review might sound simple on paper but in practice, they can be a major but necessary headache that all organizations should undertake.
Surely there must be a better way?
Want to know how we can help you streamline and automate your Oracle EBS user access reviews? Get in touch today and ask us about CS*Provisum PAR.
Want a quick overview of CS*Provisum PAR, check out the video below…
Next Week & Early Access
If you want to get access to these articles before anyone else, please subscribe to our newsletter.