Reference no: EM133511091
CASE STUDY
An insurance company experiencing access management challenges.
He had tossed and turned the night before, wondering how he would break the news to his team. Sam Hartmann had been given an ultimatum by his director. Sam, the Senior VP of Internal Control for Calpernica Insurance ("Calpernica"), a West Coast insurance company, had just called his right-hand person into his office. Kathryn Major was a rising star at Calpernica, and Sam needed to bring her on board to assist with some major changes that were coming. Sam and Kathryn had talked extensively about how to organize the project. Months back, Kathryn had approached Sam with a proposal: she had reached out to the IT governance committee and put together a control remediation plan for the areas that touched IT access. The subject hadn't been extensively reviewed by the Internal Control team in years and, with the continued push from the business to support every access need, it deserved a look. Kathryn also had a particular interest in starting these projects at Calpernica, as she had been closely involved in similar projects at her previous employer nearly five years earlier. Even back then, she thought, they had been farther along than Calpernica was now.
The Initial Meetings
Kathryn held open-door sessions over multiple weeks with key business and IT personnel. The goal was to understand where the issues were in IT access and the certification program. Sam didn't want a band-aid solution, which certainly wouldn't have made his boss happy either, and he thought it important to get input from outside Internal Control. Kathryn's first two meetings were largely uneventful, with more than half of the group sitting on the sidelines and saying little. In an effort to redirect the meeting agenda, Kathryn identified a few topics with which to start the conversations. She focused primarily on the current "silo" approach to performing access reviews, application by application, and on whether Segregation of Duties (SoD) conflicts that spanned multiple functional areas were actually being identified and removed.
The third meeting was more heated than the others. Doug Andersen, a team lead for accounts payable, brought up a complaint about the annual access review process. "I'm handed a huge list of people that I'm supposed to review," he said. "More than half of them don't even work for me. How am I supposed to know whether their access is correct? I've brought this up before, but in the end I just sign it to get it over with." The other managers at the table seemed to nod in agreement. "Why doesn't IT help us out and break up the user lists by manager? On top of that, I can't tell whether 'John Doe's' access is correct for some other application, and I certainly can't tell you if he should or shouldn't have access to both at the same time."
Nate Anderson, a senior database administrator, jumped in. "I really don't think we're dropping the ball here," he said. "If the business team is worried about who has access to what, they should review it on their own and put in modification requests through their normal channels." Almost everyone knew the issue was deeper than that: it had built up over years of looking at risk only within each application as a silo, rather than across applications. Nate continued his rebuttal: "The business just doesn't understand what goes into 'IT support' and thinks it's this magic box that automatically works. I'm almost at my wits' end dealing with them." Not surprisingly, Kathryn thought, the business team probably felt the same way about IT.
Regrouping the Team
Kathryn regrouped her team the next day to debrief the meeting and determine their next steps. Many team members expressed frustration with how the meeting had gone, particularly with the pushback, on both sides, regarding ownership of the issue. It was clear that the applications were primarily owned and used by the business; however, IT played a vital role in administering them. That was nothing new, yet each side seemed to want to treat the issues as black and white, and the ownership was rarely their own. In the end, it was clear there were some issues with IT, and most concerning was the lack of insight across functional areas.
Managers across functional areas in the business didn't have the insight into other process areas needed to include those considerations in their access reviews. On top of that, they had little understanding of the roles that were assigned, or of what functionality a role actually gave a particular user. IT was able to support the business teams by processing access modification requests, but IT also wasn't in a position to determine whether a particular combination of entitlements should not be allowed. Once approved by the business, a request was considered acceptable.
The team saw that the problem went beyond a lack of insight across functional areas. The company did not have a formal way of identifying transaction-level risk, or of determining how that risk changed when one transaction was combined with others. They saw some of the key questions to be: Which transactions, if combined, posed significant risk to the company? Which underlying system entitlements allowed these transactions, and therefore shouldn't co-exist for a single user?
Calpernica didn't have an easy way to answer these questions. Their best attempt to date was to take the individual application reviews and try to match up roles that would conflict with each other. However, the roles were an issue in themselves. There was very little standardization in how the roles were set up, and a role's name rarely told the whole truth about which underlying entitlements it carried.
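The questions the team lands on (which transactions conflict when combined, which entitlements underlie them, and how to give each manager only their own people to certify) can be answered mechanically once role, entitlement and assignment data from every application is joined in one place. The following Python script is an added example, not part of the case or of any Calpernica system; every application name, role, entitlement, user, manager and SoD rule in it is constructed for illustration. It resolves roles down to entitlements, entitlements to business transactions, and evaluates SoD rules at the transaction level so that a conflict between a role in one application and a role in another is still caught. It also reports entitlements that no one has mapped yet, which is exactly the "role name does not tell the whole truth" gap the case describes.

```python
"""Cross-application SoD check on joined IAM data (constructed example)."""
from collections import defaultdict

# Role -> entitlements, keyed by (application, role name). Role names are deliberately
# inconsistent across applications: the name alone does not say what the role grants.
ROLE_ENTITLEMENTS = {
    ("AP_System", "AP_CLERK"):    {"AP_System:VENDOR_CREATE", "AP_System:INVOICE_ENTER"},
    ("AP_System", "AP_APPROVER"): {"AP_System:INVOICE_APPROVE"},
    ("Payments",  "PROFILE_7"):   {"Payments:PAYMENT_RELEASE"},
    ("GL_System", "GL_POST"):     {"GL_System:JOURNAL_POST", "GL_System:LEGACY_X"},
}

# Entitlement -> the business transaction it enables. SoD rules are written at this layer,
# so a rule holds regardless of which application or role happens to grant the entitlement.
ENTITLEMENT_TRANSACTION = {
    "AP_System:VENDOR_CREATE":   "create_vendor",
    "AP_System:INVOICE_ENTER":   "enter_invoice",
    "AP_System:INVOICE_APPROVE": "approve_invoice",
    "Payments:PAYMENT_RELEASE":  "release_payment",
    "GL_System:JOURNAL_POST":    "post_journal",
    # "GL_System:LEGACY_X" is intentionally left unmapped to show the data-gap report.
}

# Transaction pairs that must not be held by one person, with a risk rating (constructed).
SOD_RULES = [
    ("create_vendor",   "release_payment", "high"),
    ("enter_invoice",   "approve_invoice", "high"),
    ("approve_invoice", "release_payment", "medium"),
]

# One record per user with their manager and (application, role) assignments from all
# applications at once; this joined view is what a per-application review never has.
USERS = {
    "jdoe":   {"manager": "dandersen", "roles": [("AP_System", "AP_CLERK"), ("Payments", "PROFILE_7")]},
    "asmith": {"manager": "dandersen", "roles": [("AP_System", "AP_APPROVER")]},
    "bwong":  {"manager": "mlee",      "roles": [("AP_System", "AP_CLERK"), ("AP_System", "AP_APPROVER")]},
    "ckim":   {"manager": "mlee",      "roles": [("GL_System", "GL_POST")]},
}


def effective_transactions(roles):
    """Map each transaction a user can perform to the (app, role) pairs that grant it."""
    granted = defaultdict(set)
    for app_role in roles:
        for ent in ROLE_ENTITLEMENTS.get(app_role, set()):
            tx = ENTITLEMENT_TRANSACTION.get(ent)
            if tx is None:
                continue  # unmapped entitlement: reported separately by unmapped_entitlements()
            granted[tx].add(app_role)
    return granted


def find_sod_conflicts(users=USERS, rules=SOD_RULES):
    """Return one finding per (user, rule) where the user holds both sides of the rule."""
    findings = []
    for user, rec in sorted(users.items()):
        tx = effective_transactions(rec["roles"])
        for a, b, risk in rules:
            if a in tx and b in tx:
                findings.append({
                    "user": user,
                    "manager": rec["manager"],
                    "risk": risk,
                    "conflict": (a, b),
                    "granted_by": sorted(tx[a] | tx[b]),  # roles to remediate, possibly in two apps
                })
    return findings


def review_lists_by_manager(users=USERS):
    """Split the certification list so each manager only certifies their own direct reports."""
    lists = defaultdict(list)
    for user, rec in sorted(users.items()):
        for app, role in rec["roles"]:
            lists[rec["manager"]].append((user, app, role))
    return dict(lists)


def unmapped_entitlements():
    """Entitlements attached to roles but with no transaction mapping: a data gap to close."""
    attached = {e for ents in ROLE_ENTITLEMENTS.values() for e in ents}
    return sorted(attached - set(ENTITLEMENT_TRANSACTION))


if __name__ == "__main__":
    for f in find_sod_conflicts():
        print(f"{f['risk']:6} {f['user']:7} {f['conflict'][0]} + {f['conflict'][1]} via {f['granted_by']}")
    for manager, rows in review_lists_by_manager().items():
        print(manager, rows)
    print("unmapped:", unmapped_entitlements())
```

Note that jdoe's conflict only exists when the AP and Payments assignments are looked at together; an AP-only review and a Payments-only review would each pass him. The unmapped entitlement is reported rather than silently ignored, because an entitlement nobody has classified cannot be cleared by any rule.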
CASE STUDY QUESTIONS
1. What are some of the issues related to effectiveness of access reviews at Calpernica?
2. What is Kathryn Major trying to accomplish by working with the Governance Committee?
3. Why should duties be segregated? How can management determine if duties are properly segregated?
4. Why is it important to address the resource (application and entitlements) ownership issue?
5. How can Calpernica prevent the rubber-stamping issue Doug Andersen was referring to in access reviews?
6. What IAM data management practices would help Calpernica manage user-list, role and entitlement data?