When IT attempts to communicate problems to business, the same type
of communication problem ensues. For example, if IT decides to check for
segregation of duties violations and runs a report or a query, it may find a
violation within the procurement department and notify them. However,
procurement doesn’t understand the report because it’s too technical and
not in their language. They hand it back to IT, telling them to fix it. Unless
reports are written in language that business understands (we have made
a payment to a vendor who shouldn’t be paid, a duplicate check is going to
go out), they won’t take responsibility for access control problems.
Exceptional circumstances dictate exceptional access
IT departments do try to keep access control managed. At certain times,
however, IT comes under pressure from users. At year end, when people need to
close the books, they want to run reports and get data into the system.
Perhaps Mr. E, who has access to these transactions, has had to make an
emergency visit to the doctor. His colleagues call IT and demand access to his
transactions. Or perhaps someone in the payroll department is on vacation, and
HR needs to run paychecks. Under pressure, IT hands out the access. The problem
arises when IT forgets to revoke it, or when the users forget to remind IT to
do so. In this way, users end up with roles that become more and more
nonstandard over time, an insidious accumulation of access, rather like
putting on weight over the holidays.
Large scale increases complexity
Small companies can get away with users having unique roles. When companies
grow and develop a huge pool of roles, which they have created themselves or
inherited through mergers and acquisitions, access becomes a nightmare to
manage. Add to the mix multiple instances of different brands of software, and
managing users with unique roles becomes impossible. There are hundreds of
roles. No one knows exactly what they all mean; they probably conflict with
each other, and there are likely to be SoD violations within the roles
themselves, so that a single role, assigned on its own, already gives one
person both halves of a transaction. This scenario leaves the company open to
fraud.
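The three failure modes above (reports the business cannot read, emergency grants that are never revoked, and roles that conflict within themselves) can all be checked from the same data: the role-to-permission map and the user-to-role grants. The following is an added example, not code from the book. The SoD rules, roles, users, and grant dates are constructed for illustration; the business-language descriptions attached to each rule are what turn a technical finding into a sentence a procurement or HR manager can act on.

```python
"""Segregation-of-duties and stale-access report, written for the business reader.

Added example, not from the book. The permissions, roles, users, and SoD rules
below are constructed for illustration.
"""
from datetime import date

# Constructed SoD rules: permission pairs one person must not hold together,
# each with the business consequence spelled out in plain language.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}):
        "can set up a vendor and then pay it, so a fictitious vendor could be paid",
    frozenset({"enter_invoice", "approve_payment"}):
        "can enter an invoice and approve its payment, so a duplicate or "
        "unauthorized check could go out",
    frozenset({"edit_payroll", "run_payroll"}):
        "can change pay rates and run the payroll, so an inflated paycheck could go out",
}

# Constructed roles. PAYROLL_ADMIN is deliberately conflicting within itself.
ROLES = {
    "AP_CLERK": {"enter_invoice", "view_vendor"},
    "AP_MANAGER": {"approve_payment", "view_vendor"},
    "VENDOR_MAINT": {"create_vendor", "view_vendor"},
    "PAYROLL_ADMIN": {"edit_payroll", "run_payroll"},
}

# Constructed grants: user -> list of (role, granted_on, expires_on).
# expires_on is None for standing access; a date marks an emergency grant.
GRANTS = {
    "alice": [("AP_CLERK", date(2019, 1, 5), None)],
    # bob received AP_MANAGER at year end to cover a colleague; never revoked
    "bob": [("AP_CLERK", date(2020, 3, 2), None),
            ("AP_MANAGER", date(2023, 12, 28), date(2024, 1, 5))],
    "carol": [("PAYROLL_ADMIN", date(2021, 6, 1), None)],
}


def role_internal_conflicts(roles=ROLES, rules=SOD_RULES):
    """Roles that violate an SoD rule on their own, before any user is assigned."""
    return {
        role: [pair for pair in rules if pair <= perms]
        for role, perms in roles.items()
        if any(pair <= perms for pair in rules)
    }


def effective_permissions(user, grants=GRANTS, roles=ROLES):
    """Map each permission a user holds to the roles that grant it."""
    perm_sources = {}
    for role, _granted, _expires in grants.get(user, []):
        for perm in roles[role]:
            perm_sources.setdefault(perm, set()).add(role)
    return perm_sources


def user_conflicts(user, grants=GRANTS, roles=ROLES, rules=SOD_RULES):
    """SoD violations for one user, naming the roles that combine to cause each."""
    perm_sources = effective_permissions(user, grants, roles)
    held = set(perm_sources)
    findings = []
    for pair, why in rules.items():
        if pair <= held:
            via = set().union(*(perm_sources[p] for p in pair))
            findings.append((pair, sorted(via), why))
    return findings


def stale_emergency_grants(today, grants=GRANTS):
    """Emergency grants whose expiry date has passed but are still assigned."""
    return [(user, role, expires)
            for user, user_grants in grants.items()
            for role, _granted, expires in user_grants
            if expires is not None and expires < today]


def business_report(today, grants=GRANTS, roles=ROLES, rules=SOD_RULES):
    """Plain-language lines a procurement or HR manager can act on."""
    lines = []
    for role, pairs in role_internal_conflicts(roles, rules).items():
        for pair in pairs:
            lines.append(f"Role {role} by itself {rules[pair]}; "
                         f"anyone holding it is a violation.")
    for user in grants:
        for _pair, via, why in user_conflicts(user, grants, roles, rules):
            lines.append(f"{user} (roles {', '.join(via)}) {why}.")
    for user, role, expires in stale_emergency_grants(today, grants):
        lines.append(f"{user} still has emergency role {role}; it expired on "
                     f"{expires:%Y-%m-%d} and must be removed.")
    return lines


if __name__ == "__main__":
    for line in business_report(date(2024, 3, 1)):
        print(line)
```

Run as-is, the report lists the role that conflicts with itself, the two users whose role combinations violate a rule (bob through two roles, carol through one), and bob's expired year-end grant. Recording an expiry date on every emergency grant is what makes the last check possible; without it there is nothing for the reminder to key on.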
If any or all of these situations prevail at your company, it's time to repair
your access control. Poor access control is not only a security risk; it is also
a mess for auditors to untangle, and you don't want unhappy auditors.
120 Part II: Diving into GRC