Introduction

The frequency and volume of data leakage keep growing as technology evolves. Beyond IT departments, boards and company decision makers are focusing on data protection more than ever. Controlling access to the different systems is key to protecting and securing data.

The maintenance and management of access rights across a company's different systems and applications is essential:

”Effective Segregation of Duties (SoD) controls can reduce the risk of internal fraud by up to 60% through early detection of internal process failures in key business systems.”

Gartner, Market Guide for SOD Controls Monitoring Tools - ID: G00293793

Projects around identity and access management (IAM) are usually managed by IT departments. Sometimes there is a lack of consideration for business needs when it comes to access management. When the setup of roles and authorizations is not handled thoroughly, end users end up with broader access than they need, generating risks for the organization.

We also see a lack of governance and procedures when it comes to roles and authorizations management. As time passes, an initial framework can regress, mainly due to:

  • A complex ERP and software environment with more and more end users
  • Evolution of roles driven by business needs, generating segregation of duties (SoD) issues that are not being considered
  • The technical management of authorizations takes a lot of the administrators' time:
    • They manage a lot of access requests, sometimes without management approval and without,
    • They multiply manual, low-added-value tasks such as user access provisioning, password resets, etc.

Considering these aspects, regulators, external auditors and investors expect companies to cover the risks related to access management and segregation of duties. This is now also on the radar of internal functions such as compliance, internal control and internal audit.

The challenges around these topics are well known to our IAM, authorizations and GRC experts. We are supporting several clients in implementing a compliant and secure access rights management process covering authorizations management, SoD and user lifecycle management.