Nurture your Security Model with Proactive Segregation of Duties Controls
In the UK, the Dogs Trust charity has a well-known advertising slogan, “A dog is for life, not just for Christmas.”
I feel very strongly that the same attitude should apply to your ERP security model. It isn’t a one-off event, it is forever. And if you don’t feed it, it will bite.
Many companies find it so difficult to build their security model that once it’s completed they never want to touch it again. But security creep is inevitable. As you add new users and responsibilities, introduce new sub-systems, or upgrade your system, holes in your access will start to appear. The result is that fraudsters may see an opportunity, and when they run off with $½ m, your job is no longer secure for a month, let alone for life.
Which brings me to my subject today, Segregation of Duties, and more particularly, the proactive part of it.
Segregation of Duties (SoD) is a commonly used device to prevent fraud, as well as accidental data entry errors. By looking at the processes within the business, and analyzing the risk areas, you can break the processes down into tasks and segregate them between more than one employee.
Auditing how well your SoD policies are implemented within your system is known as Detective SoD; the objective is to identify users in the system with access rights which allow them to violate your SoD policies. The good news is that now there are simple tools which enable you to analyze your live system with no effort at all (if you’d like to find out more about that, register for our webinar Audit Your ERP Security in under 4 hours.
But when you have a stable security model, with all the risks closed down, and a good SoD matrix in place, how do you stop security creep?
Keep Your System Clean with Proactive Segregation of Duties
Proactive (or preventive) SoD is the answer. It is the ability to check for potential SoD violations before new access rights are assigned to a user. By understanding the impact of proposed new access on your SoD policies, you can take proactive steps to avoid SoD violations and thereby keep your system clean.
Many companies have attempted to achieve this with spreadsheets, using them to check whether giving a user a new responsibility or role is going to create an SoD violation. But this method is very difficult to maintain. The XLS drifts away from the live system, and analyzing the actual effect of a second responsibility can be very difficult.
But managers need to know if changes to access rights will create an SoD issue before they approve the new access. Which is where tools embedded into your ERP come in.
With a workflow to handle access requests, the system can automatically analyze the “net effect” of the proposed change and present the results to the approver before the access is granted. He or she can then decide on the appropriate course of action, which would normally to be change the request, or to put in place mitigating controls. The other advantage of this approach is that the system automatically maintains a full audit trail, making it easy to provide documentation for your auditor.
The result? Much less security creep and no new unknown violations; less ongoing remediation work and better protection against fraud.
To coin another well-known phrase: You know it makes sense…
Find out more about tools for both Proactive and Detective Segregation of Duties.