
How to Control Segregation Risks

* By Ramon Ito

Improper access is one of the biggest risks to the integrity of ERP systems. Performing unauthorized activities, whether innocent errors or fraudulent acts, may affect the accuracy of the financial statements; therefore auditors will certainly test access controls, in addition to Segregation of Duties (SoD), which is an essential part of achieving SOx (Sarbanes-Oxley) compliance.

The challenge of achieving an acceptable Segregation of Duties is typically more acute in small and medium enterprises, which often lack the advanced tools or the expertise needed for effective Access Management.

The best practice is to grant users only the access necessary to do their jobs (commonly called "least privilege" or "need to know"). The most efficient way to achieve this is to implement Role Based Access Control (RBAC) with a well-designed security model.

The Internal Controls, Information Security, Information Technology and Internal Audit areas need to work closely with the business areas to segregate highly critical functions wherever possible and, where that is not feasible, to assign appropriate compensating controls.

The initiative to identify, analyze and address SoD issues can be carried out in the following three steps:

Step I: Define the Segregation of Duties rules applicable to your business environment and, from these rules, create a SoD risk matrix.

Step II: Perform a risk analysis to identify SoD violations. This step can be done manually or with the help of a tool. In the case of manual analysis, each user must be reviewed to determine whether they have access to perform conflicting activities listed in the SoD risk matrix.

Step III: Assess whether the conflicting activities can be performed by a different person. If access cannot be restricted, consider designing an appropriate control to mitigate the risk. This process must be carried out for all remaining high-risk conflicts.

Finally, it is essential to have an Access Governance process in which each request for new access is reviewed against the SoD risk matrix before it is provisioned in the system. Be careful when granting additional access to existing users: a new access may not create a conflict on its own, but in combination with the access the user already holds, SoD violations may occur.
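As an added illustration (not part of the original article), the following Python sketch implements the three steps and the governance check described above against a constructed RBAC model: the risk matrix, the role-to-function mapping, the user names and the compensating-control identifier are all made up for the example. It also shows why the last paragraph matters: a role that is harmless on its own becomes a high-risk conflict when combined with the roles the user already has.

```python
"""SoD risk-matrix check over RBAC assignments (constructed example)."""
from dataclasses import dataclass

# Step I: the SoD risk matrix. Each rule names two business functions that one
# person must not be able to perform together, with a risk rating.
# Functions and ratings are constructed for illustration, not taken from any ERP.
SOD_RISK_MATRIX = {
    frozenset({"create_vendor", "pay_vendor"}): "high",
    frozenset({"create_purchase_order", "approve_purchase_order"}): "high",
    frozenset({"post_journal_entry", "approve_journal_entry"}): "high",
    frozenset({"maintain_user_access", "post_journal_entry"}): "medium",
}

# RBAC security model: each role grants a set of business functions (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_PAYMENTS": {"pay_vendor"},
    "BUYER": {"create_purchase_order"},
    "PURCHASING_MANAGER": {"approve_purchase_order"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "GL_SUPERVISOR": {"approve_journal_entry"},
    "IT_SECURITY": {"maintain_user_access"},
}


@dataclass
class Conflict:
    user: str
    functions: frozenset     # the conflicting pair from the risk matrix
    risk: str
    roles: tuple             # roles through which the user obtains those functions
    mitigated_by: str = ""   # compensating control id, if one is assigned (Step III)


def find_conflicts(user, roles, matrix=SOD_RISK_MATRIX, compensating_controls=None):
    """Step II: list every rule in the risk matrix that the user's combined access violates.

    compensating_controls maps (user, frozenset_of_functions) -> control id, so a
    conflict that cannot be removed (Step III) is reported as mitigated, not ignored.
    """
    compensating_controls = compensating_controls or {}
    granted = {}  # function -> set of roles granting it
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, ()):
            granted.setdefault(fn, set()).add(role)
    conflicts = []
    for pair, risk in matrix.items():
        if pair.issubset(granted):
            via = tuple(sorted({r for fn in pair for r in granted[fn]}))
            conflicts.append(Conflict(user, pair, risk, via,
                                      compensating_controls.get((user, pair), "")))
    return conflicts


def review_access_request(user, current_roles, requested_role, matrix=SOD_RISK_MATRIX):
    """Access governance: evaluate a request against the user's EXISTING access.

    Returns only the conflicts the requested role would introduce; a role that is
    clean in isolation can still be rejected because of what the user already holds.
    """
    before = {c.functions for c in find_conflicts(user, current_roles, matrix)}
    after = find_conflicts(user, list(current_roles) + [requested_role], matrix)
    return [c for c in after if c.functions not in before]


def unmitigated_high_risk(conflicts):
    """The residual list that Step III must drive to zero."""
    return [c for c in conflicts if c.risk == "high" and not c.mitigated_by]


if __name__ == "__main__":
    # Constructed user population for the demonstration.
    users = {
        "alice": ["AP_CLERK", "AP_PAYMENTS"],          # can create and pay a vendor
        "bob": ["BUYER"],                                # clean on his own
        "carol": ["GL_ACCOUNTANT", "IT_SECURITY"],       # medium risk, mitigated below
    }
    # Hypothetical compensating control assigned to carol's conflict (Step III).
    controls = {("carol", frozenset({"maintain_user_access", "post_journal_entry"})):
                "CC-07 monthly review of access-change log"}
    for user, roles in users.items():
        for c in find_conflicts(user, roles, compensating_controls=controls):
            print(f"{c.user}: {sorted(c.functions)} risk={c.risk} via={c.roles} "
                  f"mitigated_by={c.mitigated_by or '-'}")
    # Governance check: PURCHASING_MANAGER alone is harmless, but combined with
    # bob's existing BUYER role it creates a high-risk conflict.
    for c in review_access_request("bob", users["bob"], "PURCHASING_MANAGER"):
        print(f"REJECT request for bob: {sorted(c.functions)} risk={c.risk}")
```

The matrix keys are unordered pairs (frozensets), so a rule is matched regardless of which role grants which half of the pair, and `find_conflicts` records every role involved so the reviewer can see which assignment to remove first.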

   * Ramon Ito is DataPrivacy Lead Partner at Safeway Consulting.


About SAFEWAY

SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. Over these years of experience, we have proudly accumulated many successful projects that have earned us credibility and prominence with our clients, a large part of which are among the 100 largest companies in Brazil.

Today, through more than 22 strategic partnerships with global manufacturers and our own SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!