Efficient way to ensure that user access is appropriate – or costly and burdensome box-checking exercise?
In theory, conducting regular User Access Reviews is a great way to protect your JD Edwards EnterpriseOne system from unauthorized activity. A well-documented review process also helps you to provide your auditors with evidence of good access controls.
In practice, however, the process is fraught with difficulties, which jeopardizes the success of the operation. Even worse, badly executed access reviews could lull you into a false sense of security if they fail to identify risky access that could be abused if it goes undetected.
So what are the main pitfalls?
Inaccurate review reports
Typically, the review reports are manually compiled by a security administrator / CNC. Because JD Edwards security is very complex, access reporting is difficult – and therefore prone to human error, so the review could be flawed from the outset.
Manual distribution of reports
Once the review data is collated, typically the security administrator will need to manually sort it and send each reviewer a spreadsheet with their relevant review data. Again this is time-consuming and prone to error – particularly if the role owners change over time.
Review data is difficult to understand
Do the reviewers really understand what they are being asked to sign off? Often role names don’t give a meaningful description of the access that they grant, which makes it difficult for reviewers to conduct thorough reviews promptly, making the process vulnerable to both delays and mistakes.
Difficulties in tracking progress and chasing laggards – failure to complete on time can lead to an audit fail
Where review reports are distributed manually, there is no easy way to keep track of which reviewers have / have not completed their reviews, so security administrators can spend a lot of time managing the process and following up tardy reviewers, which can lead to long delays and damaging audit findings.
Processing rejections correctly and in time
It is important that all rejected access actions (i.e. roles that need to be removed from users) are processed promptly. When the review process is managed manually, there is a risk that some actions may be delayed or overlooked.
Auditability
To provide evidence for your auditors, you need to collate all the reviewed data and document the actions taken in one place in a suitable format, and be able to produce a report of the entire review. When reviewed data is returned from multiple sources, that is very difficult to achieve.
How can you avoid these problems?
Automate your User Access Reviews! This is a classic example of a process where automation empowers you to carry it out much more accurately, comprehensively and efficiently, with full documentation.
Our purpose-built Access Review solution enables you to:
- Produce and distribute accurate review reports with the touch of a button
- Present business reviewers with clear information which they can understand and review much more easily
- Capture all data on approvals, rejections and explanatory notes within your JD Edwards system
- Automatically expire rejected role assignments (optional)
- Keep track of progress to ensure that the review is completed on time
- Quickly and easily produce evidence for your auditors.
If you’d like to find out more and see a quick demo, check out our Periodic Review product page.