Security Assessment: a quick and affordable way to identify the problems and prioritize remediation
The complexities of JD Edwards EnterpriseOne security and the challenges around managing Segregation of Duties (SoD) can make it very difficult to implement effective controls and to achieve (and evidence) compliancy.
Many JD Edwards users sense that they have issues with their security model or SoD set-up, but they don’t know how to work out what’s wrong, let alone how to start putting it right. You can waste a lot of time trying to get to the root of the problems, but end up going round in circles. But if you don’t do something about it, you could be exposed to the risk of fraud or audit findings.
Getting help from experts such as the Big 4 consultancies can be protracted and very expensive. Now there is a low-cost way to analyze your security and SoD, have the results examined by JDE security and audit experts, and receive prioritized recommendations for remediation, directly tied to ITGC activities – in less than two weeks.
In this blog, we’ll discuss three common scenarios where a security assessment can be a great starting point for pinpointing and resolving problems in your security model and/or SoD set-up.
1. Your JD Edwards user and security administration costs and turnaround times are spiralling out of control
If you find that your highly skilled CNCs/system administrators are spending more and more time carrying out day-to-day security admin tasks, that could be a sign of an inefficient security model.
Perhaps User Onboarding is becoming complex and untimely? I’ve seen situations where many users have 30-50 roles, involving maybe 15 different approvers. It’s no wonder that it takes far too long to fulfil access requests.
Even minor security changes can be problematic, such as granting a new privilege to an existing user. With an efficient security model, that should take no more than 15 minutes, but recently I came across a site where making such a simple change produced so many conflicts, the turnaround time was two weeks!
It can become really messy – if people can’t easily work out what’s causing the conflicts, they may waste a lot of time taking stabs in the dark – or there’s a danger that they may even resort to granting *ALL access because they can’t figure out how to overcome the issues and grant the right access. Eventually this will impact on your audit and lead to findings.
These signs may indicate that you need a security re-design. You may well have many SoD violations, but in this scenario it is likely to be the existing security design and structure that’s causing the problem. A security assessment will enable our experts to assess your security and recommend the right approach to remediation.
2. You’ve experienced audit findings around logical access controls
If you’ve already experienced audit findings around your SoD controls, you may be under time pressures as the auditors have given you, say, six months to sort it out.
Some people try to produce SoD violation reports using spreadsheets or standard reporting tools that make it difficult to get accurate results. But even if you’re using automated SoD reporting, you may find that you have a HUGE number of violations – where on earth do you start?
The challenge here is to understand the data. Our Security Assessment automates the SoD analysis, but then our experts classify and categorize the results, breaking them down into prioritized, manageable chunks so that you can work through them in a sensible order.
3. You find it difficult to understand your SoD ruleset and how it relates to managing risk in your business
In some cases, it is the SoD rules themselves that are causing the problems.
Sometimes, it’s hard to ascertain which access combinations are risky within your business, so an organization may take a standard set of, say, 200 rules, from an external source.
But then it can be difficult to understand what risks the rules relate to, and determine whether they really do constitute a significant risk in your environment. Or in other words – is this set of SoD rules appropriate for the main risks in your business? It’s better to create a small set of rules geared to your specific risks.
In other cases, violations can be caused by the way the rules are designed; poor rule design can produce spurious violations and waste a lot of time.
Some people find that their SoD reporting identifies a lot of violations that they just can’t make sense of – no matter how much they try, they can’t work out how the users in violation could break the rules. But they could be testing for the wrong condition. It is crucial to design rules which fit with the way your applications work, especially if you have custom applications.
A security assessment can help you to ascertain whether your current SoD ruleset is appropriate for your business.
At last: an affordable, achievable route to efficiency and compliancy
Such problems can feel overwhelming, and it can be very difficult to figure your way out of them. A security assessment is a great place to start!
If you’d like to find out more, watch this Security Assessment webinar to see whether a security assessment could help you achieve efficiency and compliancy at an affordable cost.