
Account reviews

Case study overview

ACME is a privately held company listed on NYSE and offers B2B services. In order to be compliant with the applicable regulations, several control mechanisms have been set up: access reviews are performed every 6 months for internal users and every 3 months for external users.

The goal is to certify, from a business perspective, that the entitlement management policy is enforced and that managers are well aware of their responsibilities. Running an access review is a difficult task, due to IT silos and the lack of a comprehensive description of entitlements.

As a result, the IT Security team prepares access reviews by consolidating user entitlements in Excel files and dispatching the files to managers. This tiresome task often results in "blind validation" and leads to many risks, such as invalid, incomplete or irrelevant information and poor operational performance.

To reduce the operational risks caused by overly permissive user entitlements, security good practices recommend applying the following principles (included in operational risk regulations as well as in security policy standards):

  • Line managers are accountable for access rights approval within their team
  • Application owners are accountable for access rights activation in the systems
  • User access rights must be reviewed regularly and at least every time the user undergoes a change of assignment or responsibilities
  • The “least privilege” principle must be applied when entitlements are assigned to users
  • Segregation of duties principles have to be documented, applied and controlled

Goals

  • Simplifying the approvers’ work while improving the review quality
  • Progressively improving data quality without hindering reviews
  • Improving the regularity of the review cycle

Next: Brainwave approach
