Manage Cross-Application Segregation of Duties Risk With User Access Reviews

SecurEnds
5 min read · May 8, 2021


Segregation of duties (SoD), also called separation of duties, refers to a set of preventive internal controls in a company’s compliance policy. SoD controls split the steps of a business process among more than one individual so that no single person can complete a sensitive task alone, which mitigates the risk of fraud, waste, and error. In the traditional sense, SoD means separating duties such as accounts payable from accounts receivable to limit embezzlement. For example, a user who can create a vendor account in a payment system should not also be able to pay that vendor; otherwise one person could set up a fictitious vendor and pay it. In modern IT infrastructures, managing users’ access rights to digital resources across the organization’s ecosystem becomes a primary SoD control.

Segregation of Duties Policy in Compliance

SoD figures prominently in Sarbanes-Oxley (SOX) compliance. SOX requires publicly traded companies to document and certify their internal controls over financial reporting, and SoD is a core part of those controls. After the audit, the CEO and CFO of the public company must sign a certification of the financial report and its controls, and they are personally accountable for inaccuracies in it. Knowingly certifying a false report carries criminal penalties, so willful misrepresentation of SoD controls can mean prison.

The FDA’s 21 CFR Part 11 rule (CFR stands for “Code of Federal Regulations”), which governs electronic records and electronic signatures, also relies on SoD. It applies to pharmaceutical and medical research and other regulated industries where lives may depend on the integrity of records and on reporting over controls. Part 11 requires that records are created and modified only by authorized individuals, and SoD is how organizations demonstrate that control.

What Are the Difficulties With Maintaining SoD?

Segregation of duties risk grows as organizations rapidly add users to the enterprise applications that run all major business processes. The risk increases further when a single user accumulates roles across several applications, because a conflict that no single application’s role model would flag can still exist across them. Business managers responsible for SoD controls often cannot obtain accurate entitlement listings, mapped to the underlying security privileges, from enterprise applications, and so have difficulty enforcing SoD policies. Digital transformation adds cloud adoption: cloud infrastructures create complex, interconnected ecosystems that often lack visibility, and with roles, groups, and identities defined differently by each application or cloud service provider, managing SoD compliance becomes difficult.

How Does Identity Governance Support Effective SoD Policies and Controls?

Organizations that view segregation of duties as an essential internal control turn to identity governance and administration (IGA) to help them centralize, monitor, manage, and review access continuously. IGA solutions not only ensure that access to information such as financial data is strictly controlled, but also let organizations prove they are taking action to meet compliance requirements. The following ten steps complete an SoD control assessment:

  1. Prepare the rule report from the RBAC controls design matrix: which entitlements map to which business functions, and which function pairs conflict
  2. Scope and add “sensitive access” rules that flag a single entitlement granting access to restricted data or high-risk functions
  3. Gather a list of active application users and their role entitlements, including privileges and data access, from every in-scope application
  4. Create a list of exceptions by analyzing the security objects (excluded functions, data restrictions) that prevent a user from actually exercising a conflicting entitlement, together with documented, approved exceptions
  5. Identify application configurations (for example, mandatory second approval) that mitigate the inherent SoD risk of a rule
  6. Detect access rule violations by applying the rule logic at the security object level to the user access report from step 3
  7. Finalize the access violations report by excluding documented exceptions and mitigated risks
  8. Perform a look-back transaction analysis to detect risks that have materialized, that is, users who actually exercised both sides of a conflict
  9. Create a remediation plan with corrective actions to update user assignments and role configurations
  10. Provide an access violation scorecard as evidence of control effectiveness

Segregation of Duties In SecurEnds IGA

Whether the audit is internal or external, SecurEnds IGA software lets administrators generate reports that provide specific information about segregation of duties within the company.

Set Up SoD Query: Administrators set up an SoD query using natural language. The configuration shown here is for Oracle ERP; in this case it checks for an SoD violation between Accounts Receivable and Accounts Payable.

User Access Review: Once the administrator has created the SoD query, a review of violations of that policy is undertaken. Default roles in enterprise applications carry inherent risk because “birthright” role configurations are not designed to prevent segregation of duty violations. Here is a sample view of a user access review for SoD.

SoD Report: SecurEnds produces an SoD scorecard with calls to action. The scorecard gives system admins and application owners the big-picture view they need for remediation planning, and the underlying report carries enough detail for efficient remediation. It also lists users who are known to be in violation but have documented exceptions, which is important evidence to give your auditor. The final step is to create corrective actions to remediate the SoD violations.


Out Of The Box SoD Use Cases Supported By SecurEnds

Enforce SoD for Access Requests: Using the company access policy, system of record (SOR) and target application data, and risk exposure, the administrator can set up proactive enforcement of SoD. The SoD module compares each access request with the configured policies, raises a potential violation, and stops provisioning of the request.

SoD-Driven Access Certification: SecurEnds enforces SoD by running user access reviews focused on SoD violations. These regularly scheduled access reviews ensure that users keep only the least privilege they need.
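The ten-step assessment above, the request-time enforcement, and the SoD-driven review all reduce to the same operation: resolve every user’s entitlements across applications to business functions and test them against a conflict matrix. The following is an added example that walks through that operation; it is not SecurEnds code, and the application names, entitlements, rule ids, users and transaction log are constructed for illustration.

```python
"""Cross-application SoD check: detective review (steps 1-10) plus
preventive enforcement of an access request. All data below is
constructed sample data, not output from any real system."""
from collections import Counter, defaultdict

# Step 1: rule report from the RBAC design matrix. Each (application,
# entitlement) maps to a business function; the conflict matrix lists the
# function pairs no single person may hold. Resolving to functions is what
# makes the check cross-application: WIRE_RELEASE in the banking portal and
# AP_PAYMENT_RUN in the ERP both mean "pay_vendor".
FUNCTION_MAP = {
    ("oracle_erp", "AP_VENDOR_ENTRY"): "create_vendor",
    ("oracle_erp", "AP_INVOICE_ENTRY"): "enter_invoice",
    ("oracle_erp", "AP_PAYMENT_RUN"): "pay_vendor",
    ("oracle_erp", "AR_CASH_APPLY"): "apply_receipts",
    ("bank_portal", "WIRE_RELEASE"): "pay_vendor",
    ("hr_system", "EMP_MASTER_EDIT"): "maintain_employee",
    ("hr_system", "PAYROLL_RUN"): "run_payroll",
}
CONFLICT_RULES = {
    "SOD-001": frozenset({"create_vendor", "pay_vendor"}),
    "SOD-002": frozenset({"enter_invoice", "pay_vendor"}),
    "SOD-003": frozenset({"maintain_employee", "run_payroll"}),
    "SOD-004": frozenset({"apply_receipts", "pay_vendor"}),
}
# Step 2: sensitive-access rules fire on a single entitlement.
SENSITIVE_RULES = {"SENS-001": ("bank_portal", "WIRE_RELEASE")}
# Step 3: active users and their entitlements exported from each application.
USER_ACCESS = {
    "alice": [("oracle_erp", "AP_VENDOR_ENTRY"), ("bank_portal", "WIRE_RELEASE")],
    "bob":   [("oracle_erp", "AP_INVOICE_ENTRY"), ("oracle_erp", "AP_PAYMENT_RUN")],
    "carol": [("hr_system", "EMP_MASTER_EDIT"), ("hr_system", "PAYROLL_RUN")],
    "dave":  [("oracle_erp", "AR_CASH_APPLY")],
}
# Step 4: documented, approved exceptions keyed by (user, rule).
EXCEPTIONS = {("bob", "SOD-002"): "EXC-17: backup AP clerk, approved by controller"}
# Step 5: application configurations that mitigate a rule's inherent risk.
MITIGATING_CONFIGS = {"SOD-003": "hr_system: payroll run requires a second approver"}
# Step 8 input: transaction log entries of (user, function, counterparty).
TRANSACTIONS = [
    ("alice", "create_vendor", "V-9001"),
    ("alice", "pay_vendor", "V-9001"),     # both sides, same vendor: materialized
    ("bob", "enter_invoice", "V-0042"),
    ("bob", "pay_vendor", "V-0077"),       # different counterparties: not materialized
]


def functions_for(entitlements):
    """Resolve entitlements from any application to business functions."""
    return {FUNCTION_MAP[e] for e in entitlements if e in FUNCTION_MAP}


def conflicting_rules(entitlements):
    """Step 6: rule ids whose conflicting function pair is fully held."""
    held = functions_for(entitlements)
    return sorted(rule for rule, pair in CONFLICT_RULES.items() if pair <= held)


def sensitive_hits(entitlements):
    return sorted(rule for rule, ent in SENSITIVE_RULES.items() if ent in entitlements)


def materialized(user, rule):
    """Step 8: did the user exercise both sides of the conflict against the
    same counterparty? Holding access is a risk; using it is a finding."""
    pair = CONFLICT_RULES[rule]
    by_counterparty = defaultdict(set)
    for who, func, counterparty in TRANSACTIONS:
        if who == user and func in pair:
            by_counterparty[counterparty].add(func)
    return any(funcs == pair for funcs in by_counterparty.values())


def review_report():
    """Steps 6-10: classify each hit as open, excepted or mitigated, flag
    materialized risk, and return the findings with a scorecard."""
    findings = []
    for user, ents in USER_ACCESS.items():
        for rule in conflicting_rules(ents):
            if (user, rule) in EXCEPTIONS:
                status = "excepted"
            elif rule in MITIGATING_CONFIGS:
                status = "mitigated"
            else:
                status = "open"
            findings.append({"user": user, "rule": rule, "status": status,
                             "materialized": materialized(user, rule)})
        for rule in sensitive_hits(ents):
            findings.append({"user": user, "rule": rule, "status": "sensitive",
                             "materialized": False})
    scorecard = Counter(f["status"] for f in findings)
    scorecard["materialized"] = sum(f["materialized"] for f in findings)
    return findings, scorecard


def check_request(user, requested):
    """Preventive enforcement: evaluate the user's existing access plus the
    requested entitlement. Returns (allowed, newly introduced rule ids)."""
    current = USER_ACCESS.get(user, [])
    before = set(conflicting_rules(current))
    after = set(conflicting_rules(current + [requested]))
    new = sorted(r for r in after - before if (user, r) not in EXCEPTIONS)
    return (not new, new)


if __name__ == "__main__":
    findings, score = review_report()
    for finding in findings:
        print(finding)
    print("scorecard:", dict(score))
    print("dave requests AP_PAYMENT_RUN:",
          check_request("dave", ("oracle_erp", "AP_PAYMENT_RUN")))
```

Two design points matter in practice. The conflict test runs on business functions rather than raw role names, so alice’s ERP vendor-entry role and her banking-portal wire-release role are caught as one SOD-001 violation even though neither application sees a conflict on its own. And the request check compares violations before and after the proposed grant, so a user with a documented exception is not blocked for the conflict already on file but is still blocked when the request would introduce a new one.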
