What is Kathryn Major trying to accomplish working with

Assignment Help Computer Engineering
Reference no: EM133511091

CASE STUDY

An insurance company experiencing access management challenges.

He had tossed and turned the night before, wondering how he would break the news to his team. Sam Hartmann had been given an ultimatum by his director. Sam, the Senior VP of Internal Control for Calpernica Insurance ("Calpernica"), a West coast insurance company, had just called his right-hand person into his office. Kathryn Major was a rising star at Calpernica, and Sam needed to bring her onboard to assist with some major changes that were coming. Sam and Kathryn had talked extensively about how to organize a project. Months back, Kathryn had approached Sam with a proposal. She had reached out to the IT governance committee and put together a control remediation plan for areas that touched IT access. The subject hadn't been extensively reviewed by the Internal Control team in years and, with the continued push from the business to support each access need, it deserved a look. Kathryn also had a particular interest in starting these projects at Calpernica, as she had been closely involved in similar projects at her previous employer nearly five years ago. Even back then, she thought, they were farther along than Calpernica.

The Initial Meetings

Kathryn held open-door sessions over multiple weeks with key business and IT personnel. The goal was to get an understanding of where the issues were for IT access and the certification program. Sam didn't want a band-aid solution, which certainly wouldn't have made his boss happy either, and he thought it was important to get input from outside of Internal Control. Kathryn's first two meetings were largely uneventful, with more than half of the group sitting on the sidelines and saying little. In an effort to re-direct the meeting agenda, Kathryn identified a few topics with which they would start their conversations. She focused primarily on the current "silo" approach to performing access reviews, and on whether they were properly removing Segregation of Duties (SoD) issues across multiple functional areas.

The third meeting was more heated than the others. Doug Andersen, a team lead for accounts payable, brought up a complaint with the annual access review process. "I'm handed a huge list of people that I'm supposed to review," he said, "more than half of them don't even work for me. How am I supposed to know whether their access is correct? I've brought this up before, but in the end I just sign it to get it over with." The other managers at the table seemed to nod in agreement. "Why doesn't IT help us out to break up the user lists by each manager? On top of that, I can't tell whether 'John Doe' access is correct for some other application, and I certainly can't tell you if he should or shouldn't have access to both at the same time."

Nate Anderson, a senior database administrator, jumped in. "I really don't think we're dropping the ball here," he said. "If the business team is worried about who has access to what, they should review it on their own and put in modification requests through their normal channels." Almost everyone knew the issue was deeper than that and had built up over years of ignoring the risk across applications, rather than simply in each application as a silo. Nate continued his rebuttal, "The business just doesn't understand what goes into 'IT support' and thinks it's this magic box that automatically works. I'm almost at my wits' end dealing with them." Not surprisingly, Kathryn thought, the business team probably felt the same way.

Regrouping the Team

Kathryn regrouped her team the next day to debrief the meeting and determine their next steps. Many team members expressed their frustrations with how the meeting had gone, particularly with the pushback, on both sides, regarding ownership of the issue. It was clear that the applications were primarily owned and used by the business; however, IT played a vital role in administering the applications. That was nothing new, yet each side seemed to want to treat the issues as if they were black and white, and the ownership was rarely their own. In the end, it was clear there were some issues with IT and, most concerning, there was a lack of insight across functional areas.

Managers across functional areas in the business didn't have the insight into other process areas to include these considerations in their access reviews. On top of that, they had little understanding of the roles that were assigned, or what functionality they provided a particular user. IT was able to support the business teams through access modification requests, but they also weren't able to determine whether a particular set of entitlements shouldn't be allowed. Once approved by the business, it was considered acceptable.

The team saw that the problem went beyond a lack of insight across functional areas. The company did have a formal way of identifying transaction-level risk, and of how this risk changed when combined with other transactions. They saw some of the key questions to be: What transactions, if combined, posed significant risk to the company? What were the underlying system entitlements that allowed these transactions, and which of them shouldn't co-exist?

Calpernica didn't have an easy way to answer these questions. Their best attempt to date was to take the individual application reviews and try to match roles that would conflict with each other. However, the roles were another issue in themselves. There was very little standardization in how the roles were set up, and a role's name said little about what underlying entitlements it actually contained.
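A small model of what the team is describing, added here as an illustration and not part of the case: roles are expanded to their underlying entitlements across applications, entitlement pairs that should not co-exist are checked for each user, and the review is split into per-manager packages so no reviewer is handed other managers' staff. All application, role, entitlement and user names are constructed.

```python
from itertools import combinations

# Constructed sample data (not Calpernica's real roles); roles are keyed by (app, role).
ROLE_ENTITLEMENTS = {
    ("AP", "AP_CLERK"): {"AP:create_invoice", "AP:edit_vendor"},
    ("AP", "AP_SUPER"): {"AP:approve_invoice"},
    ("GL", "GL_POST"): {"GL:post_journal"},
    ("PAY", "PAY_RUN"): {"PAY:release_payment"},
}
# Entitlement pairs that must not co-exist for one person, regardless of which app holds them.
SOD_CONFLICTS = {
    frozenset({"AP:create_invoice", "AP:approve_invoice"}),
    frozenset({"AP:edit_vendor", "PAY:release_payment"}),
    frozenset({"AP:approve_invoice", "PAY:release_payment"}),
}
# Flattened export as a reviewer might receive it: one row per (user, app, role).
USER_ROLES = [
    {"user": "jdoe", "manager": "dandersen", "app": "AP", "role": "AP_CLERK"},
    {"user": "jdoe", "manager": "dandersen", "app": "PAY", "role": "PAY_RUN"},
    {"user": "asmith", "manager": "dandersen", "app": "AP", "role": "AP_SUPER"},
    {"user": "bwong", "manager": "nanderson", "app": "GL", "role": "GL_POST"},
]

def effective_entitlements(rows):
    """Expand each user's roles across all applications into one entitlement set."""
    ents = {}
    for r in rows:
        role_ents = ROLE_ENTITLEMENTS.get((r["app"], r["role"]), set())
        ents.setdefault(r["user"], set()).update(role_ents)
    return ents

def sod_violations(rows):
    """Map each user to the conflicting entitlement pairs they hold, cross-app included."""
    found = {}
    for user, ents in effective_entitlements(rows).items():
        hits = [p for p in combinations(sorted(ents), 2) if frozenset(p) in SOD_CONFLICTS]
        if hits:
            found[user] = hits
    return found

def review_packages(rows):
    """Split the review per manager so each reviewer sees only their own reports,
    with entitlements and SoD hits already resolved instead of bare role names."""
    ents, violations, packages = effective_entitlements(rows), sod_violations(rows), {}
    for r in rows:
        packages.setdefault(r["manager"], {})[r["user"]] = {
            "entitlements": sorted(ents[r["user"]]),
            "sod_violations": violations.get(r["user"], []),
        }
    return packages
```

In the sample, jdoe's two single-application roles look harmless on their own but together grant vendor editing and payment release, which only the cross-application view catches.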

CASE STUDY QUESTIONS

1. What are some of the issues related to effectiveness of access reviews at Calpernica?

2. What is Kathryn Major trying to accomplish working with the Governance Committee?

3. Why should duties be segregated? How can management determine if duties are properly segregated?

4. Why is it important to address the resource (application and entitlements) ownership issue?

5. How can Calpernica prevent the rubber-stamping issue Doug Anderson was referring to in access reviews?

6. What IAM data management practices would help Calpernica manage user-list data and role and entitlement data?
