Identity and Access Governance application scenario
Confidently implementing compliance guidelines
Identity and Access Governance – manages the status of permissions, roles, segregation of duties and re-certifications within a company and determines what rights an employee has to specific information. If your company hasn’t yet established a role-based security approach, we can help you create new roles and functions that meet legal requirements. We can advise you on what authorization assignments comply with auditors’ requirements.
NOTE: iC Consult has enjoyed the confidence of Global 500 companies for many years. The projects we support and implement are of strategic value to our customers, both for security reasons and as a business driver. For confidentiality reasons, all use cases shown here are anonymized and obfuscated. However, the individual elements of the solutions are real and used by several of our customers and reflect our project experience.
Customer and Objectives
ACME is a global provider of financial services. The company employs approximately 10,000 people worldwide.
ACME required an identity and access management solution that made the assignment of IT rights and the IT cost allocation transparent, comprehensible, and documented.
Task and challenge
Whereas just a few years ago auditors required financial institutions only to provide a careful approach to granting access, regulators now require extensive evidence documenting how workers gained access to financial systems. For example, at ACME regulators became insistent on tighter controls after they identified more than 100 accounts for persons who were no longer employed by the company.
"The fact that we have paid some SAP licenses for former employees, while not terribly expensive, was still annoying. However, we had to act immediately when the auditor requested a recertification of our accounts and issued an ultimatum " said the CEO of ACME.
The requirements for iC Consult were
- Improved accountability in authorization assignments
- Establishment of a recertification process as mandated by the German Banking Act (KWG) – which requires confirmation of all IT privileges by the corresponding manager
- Automatic deactivation of former employees - based on the data delivery from the personnel management system
- Increased efficiency in the assignment of authorizations: employees should be able to work faster and the burden on system administrators should be reduced
- User-friendly solution
Solution and Implementation
iC Consult convinced ACME to make a product decision based on their specific needs and infrastructure instead of just buying a tool from its strategic suppliers.In addition, the project was divided into several phases.
- Survey of the current processes, in particular of the quality of data in leading systems. It was found that the personnel management system was not able to provide reliable, up-to-date data. In the case of outsourced systems, ACME did not always have rights to manage the applications which made automatic provisioning from a central platform impossible.
- Definition of target processes including coordination with the concerned departments. The auditor was actively involved throughout this process.
- Definition of a set of use cases with as realistic data as possible from the company. For all use cases, it was a goal to utilize unmodified out of the box processes to reduce the need for customization. Additionally, a custom look and feel was requested to aid in system usabilityThe subsequent proof of concept was fully implemented with three vendors.The subsequent proof of concept was fully implemented with three vendors.
- Based on the results of the proof of concept, a vendor was selected and a detailed design was created. This has been reviewed by and agreed with the auditors. Parallel to this, measures have been already taken to ensure the data quality, and first steps made to define enterprise roles – as a vehicle to manage and recertify fewer individual rights.
The implementation was carried out in two phases:
- Phase 1 with "quick wins " within 6 months
- Then: connecting further systems, expanding the role management
In parallel, an internal information campaign was conducted to inform the employees of the benefits of the new solution.
Results and benefits
The requirements of the auditors and accountants have been met. At the push of a button, at any time it could be proved who has (respectively had) what privileges and why. In addition an accurate IT cost allocation was now possible.
User acceptance turned out more positive than expected: many paper forms disappeared, facilitating work. Even the attitude of the originally skeptical system administrators has changed fundamentally: they push now for integration with the workflow system ("IT Shop").
The cost for the audits has been significantly reduced. Before, an employee was busy several weeks every year trying to prepare the necessary documents for auditors. Now the same task takes days.
Moreover, the audit costs have also been reduced. The expenses for an Excel-based recertification have dropped massively and the quality has increased.
There are no inactive accounts any more. Unnecessary software licenses are canceled promptly. This cuts costs and saves time.