by Diederik Perk.
As the calendar year nears its close, many businesses work on meeting security compliance standards. Primarily, this entails an audit to get a (more or less) clean bill of health on your user management. Attestation is a method to ensure administrative hygiene by requiring the business, in the form of line-managers, to review the access levels that currently exist. Such direct governance over identity and access provides IT staff with better data quality than role-based models built on assumptions about how the business works.
Providing evidence of internal fraud prevention by means of attestation, in which a responsible party within the organization scrutinizes the validity of existing access levels within its span of control, is becoming a more salient part of regulatory standards and compliance efforts such as Sarbanes-Oxley and PCI-DSS. Integrating the points below lets the internal audit run without avoidable effort, while the business keeps running without hiccups.
1) Manage and Control
Once the ever-expanding searchlight of compliance has settled on your organization, it is important to set the stage right from the beginning. In an audit there are many variables you seemingly cannot control, so be prudent about those you determine yourself. Determine the scope by being informed of the focus of the (external) audit and the objective of the compliance regime. Under Sarbanes-Oxley (SOx), for instance, know which applications are being scrutinized for user access levels, and at the same time realize that the act is a direct consequence of the Enron scandal.
Next, define a timeline that identifies sub-targets, reminders and an escalation path in case of non-compliance. Setting out such a trajectory cements the approach and underpins progress. Escalation to a supervisor is warranted after one or two missed deadlines (depending on the time path) and subsequent reminders. To forestall misunderstandings, clear communication that builds awareness is pivotal. Done right, it secures management support and improves the audit's ability to reach the appropriate stakeholders.
Throughout the process, all project management best practices remain applicable: set up an available contact point, document the actions taken, supply relevant status updates, and evaluate afterwards so that optimization continues.
2) Trust but Verify
A compliance audit of any kind is conducted to establish certainty that things work the way they are supposed to. Going over a checklist and ticking empty boxes does not satisfy that primary purpose. Complacency is the natural enemy of compliance.
Cross-checking by peers is one method to improve the output: two employees in comparable roles each conduct the review independently. A helpful distinction is to request separate reviews from the support team(s), the cost center and the business owners of applications. Although more time-intensive, such a measure adds a layer of preventative control and increases the overall quality.
Once the reviews are collected, the internal audit assesses them to ensure the output is complete. Repeated gap analysis identifies discrepancies between the dataset as it is and as supplied by the reviewer. Whether gaps are actually followed up and corrected can be evidenced by sample checks. Take screenshots to rebut counterclaims and back up your records. Evidence is everything, and making gaps visible is the best way to cover your bases. Re-attesting periodically prevents an overabundance of work at the end of the year.
3) Automation is Elevation
No one likes to plough through endless stacks of Excel sheets, or to send mass mailings one by one. When the process tolerates no mistakes, it becomes a matter of urgency to get tooling that performs the generic work routine for you. The more reviewing is done by hand, the more error-prone it becomes, and the more time it takes to identify and correct those mistakes.
Automated identity and access governance (IAG) offers a solution for attesting to the validity of user data. By assigning a span of control to line-managers from Active Directory, an easy-to-use dashboard presents them with decisions on the validity of the existing authorizations of users within that span of control. Where those are no longer needed, the user is stripped of the access or rights within the application automatically. Entering an end date as a trigger for de-provisioning is another governance function that eases the overall attestation process and improves the quality of a company's user management.
When an integrated tool is out of reach due to budget pressure, some partial automation may still be achieved. Use templates and add-ons as far as possible to standardize and simplify the process, for instance by sending out mass mailings from Microsoft Excel.
4) You got 99 Problems (but some of them aren’t yours to begin with)
Ownership of applications, processes or cost centers is the axis around which the attestation effort turns. Every user account should carry an attribute that records who the responsible line-manager is, and similarly every application should have an identified supervisor on both the business and the IT side of the organization. A dynamic organization means that fluctuations occur around the clock, which underpins the need for a self-service portal to administer ownership.
However, such dynamics should not erode the structure, which is hierarchical in nature: all personnel and resources must remain traceable to an owner who is accountable. As it goes, people often assume responsibilities without fully realizing the tasks that come with them. It is therefore to be expected that, at this point, many owners will duck responsibility and try to sign off from the attestation procedure.
This causes many headaches during an audit, especially when someone holds off until the last moment to drop a casual line saying he has moved departments and has no idea who is in charge now. To prevent that, the audit team should embody one important principle: don't make the owners' problem your problem. The same principle applies to incomplete reviews and to excuses such as being buried in other workload. If you don't push such issues back to their owners, problems multiply and the process becomes too fragmented to oversee. A simple rule of thumb is to disable ownership changes after the first deadline has passed.
Communicate this clearly and consistently, then guide the business in sorting out the mess.
5) Relieving the burden
Having said that, it still pays to be service-minded. The mutual objective of fulfilling an audit while conducting business as usual should prevail. Keep in mind that antagonizing the responsible party risks an inaccurate review, so recognize soft skills such as patience and a friendly demeanor when challenging their (in)action for what they are: a necessary risk reduction mechanism (even if unbearably hard to fathom sometimes).
In practice, attestation requires line-managers to go through long lists of potentially 1000+ users. They probably do not think in terms of segregation of duties as much as a security auditor would like. Some preparatory screening lends a hand and points to where increased risk may be situated. Proactively highlighting names with multiple accounts, or an IT staff member who can both place and approve orders, adds weight to the scrutiny of the review process. Design it to be as understandable and usable as possible.
Also, don't fail to think through the entire identity lifecycle. Enforcing user administration accuracy in retrospect with attestation is merely a countermeasure that enables improved data quality. Baking in administrative hygiene from the moment a new account is provisioned delivers valuable returns. Therefore, a feedback loop should be foreseen so that findings of this nature prevent a repetition of the flaws; otherwise you are drawn into the futile exercise of filling a bucket full of holes.
In short, good identity and access governance is the key that puts the enterprise on track for seamless integration of compliance burdens with business operations. By demonstrating this with valid evidence, you improve not only your compliance results but the level of security throughout the entire organization. That, in turn, attests to fitting compliance to purpose.
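As an added illustration of the gap analysis from "Trust but Verify" and the preparatory screening just described (example code written for this article, not tooling from any IAG product), the script below compares the live entitlement list with what a line-manager confirmed, and flags persons with multiple accounts, accounts lacking an owner attribute, and the place-and-approve-orders combination. All records, account names, owner values and the segregation-of-duties rule are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records, not real data: (account, person, owner, entitlement).
# 'owner' is the line-manager attribute the article says every account should carry.
ACCESS_AS_IS = [
    ("jdoe",      "Jane Doe",  "mgr.north", "orders.place"),
    ("jdoe-adm",  "Jane Doe",  "mgr.north", "orders.approve"),
    ("bsmith",    "Bob Smith", "mgr.south", "reports.read"),
    ("svc-batch", "Batch Job", None,        "orders.place"),
]

# Constructed reviewer response: the (account, entitlement) pairs the line-manager
# confirmed as still needed. Anything live but not confirmed here is a gap.
REVIEWER_CONFIRMED = {
    ("jdoe", "orders.place"),
    ("bsmith", "reports.read"),
}

# Hypothetical toxic combination taken from the article's own example: placing
# and approving orders must not sit with the same person.
SOD_RULES = [frozenset({"orders.place", "orders.approve"})]


def gap_analysis(as_is, confirmed):
    """Return entitlements that exist in the system but the reviewer did not confirm."""
    live = {(acct, ent) for acct, _, _, ent in as_is}
    return sorted(live - confirmed)


def screen(as_is, sod_rules=SOD_RULES):
    """Pre-screen the list so the reviewer sees the risky rows first."""
    accounts = defaultdict(set)       # person -> accounts held
    entitlements = defaultdict(set)   # person -> entitlements across all accounts
    findings = []
    for acct, person, owner, ent in as_is:
        accounts[person].add(acct)
        entitlements[person].add(ent)
        if owner is None:             # nobody is accountable for this account
            findings.append(("no accountable owner", acct))
    for person, accts in accounts.items():
        if len(accts) > 1:
            findings.append(("multiple accounts", person))
        for rule in sod_rules:        # conflict if one person holds every part of the rule
            if rule <= entitlements[person]:
                findings.append(("segregation of duties", person))
    return sorted(findings)


if __name__ == "__main__":
    print(gap_analysis(ACCESS_AS_IS, REVIEWER_CONFIRMED))
    print(screen(ACCESS_AS_IS))
```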