Access Management and Auditors – Don’t Fear the Reaper

With the start of a new year many people are focusing on what lies ahead for 2015. In cases such as the previous quarter's audit we are looking backwards to see how we did. Sadly, when we mention auditors in any capacity people get a sense of unease in the pit of their stomachs. I, on the other hand, look to this time frame not only to reflect on what went well and not so well, but also to learn from those experiences.
One area where people may have challenges with regard to audits is the access management space. For a moment, think about how your organization manages access to your applications.
IT organizations basically manage the way that access is granted to key systems through three activities:
Onboarding – A person is starting a new position or role and access is granted, either through a manual process or automated with tools, and may be verified against a "source of truth" authority such as SAP.
Changes / Modifications – A person is moving to a different position or role and will require different levels of access, which again may be handled manually or automated through a toolset.
Offboarding – A person is leaving a position or role in one way or another, and the termination process drives the removal of access, either manually or through tools.
For the most part validating the onboarding and offboarding (joiners and leavers) may be simplest to define.
“Gillian starts on Monday and will need access to application x to do her work” (Onboard)
“Desmond has quit, remove access” (Offboard).
It is the “Changes / Modifications” component (the movers) that may need to be tightened up from a process perspective. Managing users and roles across the enterprise, especially a large and diverse one, can be quite complex when there is no underpinning process to govern it.
For example, let’s suppose we have an employee who works in Business Unit “A” and is moving to work in Business Unit “B”.


Now think again about the way your organization handles changes or modifications in access:
When people change roles, does your Access Management process discontinue all access from role A and then grant access to role B in a seamless way?
How is access to roles validated? The dreaded “just mirror John Smith” can create major access issues, because the new person inherits whatever John accumulated rather than what the role requires.
Could lingering access from Business Unit A follow this person to the new role?
Are there segregation of duties concerns in the combined access that we should be worried about?
You really need to ask yourself whether your overall Access Management process is checked on a regular time frame (quarterly, annually). I can already hear some people saying, “we have an automated tool that handles all of this.” Just because it is automated does not mean it is working or still valid. The process governing how the tool works should be validated just like the situation above.
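The questions above (lingering access from the old role, mirrored access no role justifies, and segregation of duties conflicts) can be checked mechanically. The following is an added example, not code from the original post: it reconciles a mover's current entitlements against the target role, lists what should be revoked and granted, and flags the segregation of duties pairs that would exist if the new role were simply added on top of the old access. The role catalogue, the entitlement names and the SoD rules are constructed sample data; a real implementation would pull them from the IAM tool or the HR source of truth.

```python
"""Mover reconciliation and periodic access review (added example).

ROLES, SOD_RULES and the sample user below are constructed for
illustration; they are not taken from any real system.
"""

# Constructed role catalogue: role name -> entitlements the role is meant to grant.
ROLES = {
    "BU-A Accounts Payable": {"erp:invoice.create", "erp:vendor.read", "share:bu-a-finance"},
    "BU-B Procurement": {"erp:vendor.create", "erp:po.approve", "share:bu-b-purchasing"},
}

# Constructed segregation-of-duties rules: pairs one person must never hold together.
SOD_RULES = [
    ("erp:invoice.create", "erp:po.approve"),    # raise an invoice and approve the PO that pays it
    ("erp:vendor.create", "erp:invoice.create"),  # create a vendor and then pay it
]


def reconcile_mover(current_access, old_role, new_role, roles=ROLES, sod_rules=SOD_RULES):
    """Compare what a mover currently holds with what the new role justifies.

    Returns a dict with:
      revoke    - everything not granted by the new role (lingering old-role
                  access plus anything that was never role-based, e.g. copied
                  from "John Smith")
      grant     - entitlements the new role needs that the user does not have
      lingering - the subset of 'revoke' that came from the old role
      sod       - SoD conflicts that would exist if the new role were added
                  without removing anything (a grant-only mover process)
    """
    current = set(current_access)
    old = roles[old_role]
    new = roles[new_role]

    revoke = current - new
    grant = new - current
    lingering = revoke & old

    # State after a naive "add role B" change that never removes role A.
    naive_state = current | new
    sod = sorted((a, b) for a, b in sod_rules if a in naive_state and b in naive_state)

    return {
        "revoke": sorted(revoke),
        "grant": sorted(grant),
        "lingering": sorted(lingering),
        "sod": sod,
    }


def unjustified_access(current_access, assigned_roles, roles=ROLES):
    """Periodic review: entitlements that no assigned role explains.

    Anything returned here is orphaned or mirrored access and needs an owner
    and a justification, or it should be removed.
    """
    justified = set().union(*(roles[r] for r in assigned_roles))
    return sorted(set(current_access) - justified)


if __name__ == "__main__":
    # Constructed user: holds BU-A AP access today, is moving to BU-B Procurement,
    # and also carries one entitlement picked up by mirroring a colleague.
    user_access = ROLES["BU-A Accounts Payable"] | {"erp:gl.post"}

    result = reconcile_mover(user_access, "BU-A Accounts Payable", "BU-B Procurement")
    for key, value in result.items():
        print(f"{key:10}: {value}")

    print("unjustified before move:", unjustified_access(user_access, ["BU-A Accounts Payable"]))
```

Run against the sample user, every BU-A entitlement shows up as lingering, the mirrored `erp:gl.post` is flagged as unjustified even before the move, and both SoD rules fire on the grant-only state. Running the same reconciliation with the user's access equal to the new role returns nothing to revoke and no conflicts, which is the state a correct mover process should leave behind and the one a quarterly review should confirm.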
Remember, finding gaps in the process and mitigating risk shouldn’t be something that is discovered only as a result of an issue. Regular process checkpoints should allow you and your organization to act on these proactively before they become issues. This is why your auditors should be your trusted advisors, in the sense that they are looking to ensure that you are protecting your corporate ass(ets). You shouldn’t be concerned with what your auditors find; rather, it is what they don’t find that you should be concerned about.