How to Incorporate GRC into your Identity Management Program
In most organizations the Governance, Risk, and Compliance (GRC) team operates entirely separately from the Identity and Access Management (IAM) team, and for good reason. An effective GRC team is responsible for identifying risks and making sure the right business processes and controls are in place to mitigate risk and meet compliance requirements. The IAM team ensures the right people have the appropriate access to technology resources. Maintaining their independence prevents any conflict of interest, real or perceived.
However, there are a few use cases where it makes sense for the IAM and GRC teams to work closely together to ensure organizations efficiently manage access control risks.
Improve Business Process Efficiency
Many IAM business processes can be made more efficient by leveraging insight from the GRC team and/or utilizing the following GRC tools and methods:
- Integrate a Segregation of Duties (SoD) check into the user provisioning process
- Leverage an IGA solution to identify sensitive or mission critical access within an organization
- Conduct regular reviews of SoD rulesets to ensure they still apply and include any new risks to the business
- Incorporate risk signatures into the user access review processes
- Send control evidence automatically from the IGA system to provide documentation to auditors within your enterprise GRC platform(s)
- Implement solutions to identify sensitive data within your environment that may impact regulatory compliance
- Leverage key data points from your Identity Management systems to further improve the Enterprise Risk Management processes
- Incorporate key risk insights from the GRC team to prioritize applications for inclusion into an IGA program
Let’s dive a little deeper into a few of these scenarios and discuss some of the benefits of integrating your GRC team into your IAM business processes. One of the most valuable skillsets the GRC team can provide your IAM program is incorporating preventative Segregation of Duties and Sensitive Access risk analysis into the user provisioning process.
Fine-Grain SoD Analysis
Modern Identity Governance and Administration (IGA) solutions can incorporate an automated Segregation of Duties check seamlessly into the access request process. At Saviynt, we take this a step further and allow our customers to run SoD analysis at the fine-grained permission level within their main ERP applications. For example, with SAP this is done at the transaction code and authorization object level. It is important to manage application risk at the most granular security permission available in order to effectively identify risks as application security changes are made over time.
Risk Based Workflows
While performing an in-line risk analysis of the requested access, you can define the approval workflows to route the request based on the risk of the request. Some risk-based workflow examples include:
- If a request contains a critical SoD violation it can be automatically rejected
- If a request contains a high-risk SoD violation, it can be routed for additional approvals. A common workflow example is manager approval followed by Data Owner (or Role Owner) approval. The request can also be routed to the compliance team for an additional check and to apply any mitigating controls.
- If the request does not contain any risk violations, Saviynt can simply route the request to the Manager. Once approved, we automatically provision the access.
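The following is an added illustration of the in-line, fine-grained SoD check and the risk-based routing described above; it is example code written for this page, not Saviynt product code. The ruleset, the transaction codes used as permissions, and the approver names are constructed for illustration, and the check deliberately evaluates the requested access together with the access the user already holds, since a request that is clean on its own can still complete a conflict.

```python
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    HIGH = "high"
    CRITICAL = "critical"


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    function_a: frozenset  # fine-grained permissions (e.g. SAP t-codes) for business function A
    function_b: frozenset  # permissions for the conflicting business function B
    severity: Severity


# Constructed ruleset for illustration; conflicts are expressed at transaction-code level.
RULESET = (
    SodRule("SOD-001", "Maintain vendor master and post vendor invoices",
            frozenset({"XK01", "FK01"}), frozenset({"FB60", "MIRO"}), Severity.CRITICAL),
    SodRule("SOD-002", "Create purchase orders and release purchase orders",
            frozenset({"ME21N", "ME22N"}), frozenset({"ME28", "ME29N"}), Severity.HIGH),
)


def evaluate_sod(existing, requested, ruleset=RULESET):
    """Return the rules violated by the user's effective access (existing plus requested)."""
    effective = frozenset(existing) | frozenset(requested)
    return [r for r in ruleset if effective & r.function_a and effective & r.function_b]


def route_request(existing, requested, ruleset=RULESET):
    """Decide the approval path from the highest-severity violation found in-line."""
    violations = evaluate_sod(existing, requested, ruleset)
    ids = [v.rule_id for v in violations]
    if any(v.severity is Severity.CRITICAL for v in violations):
        # Critical conflict: auto-reject, nobody is asked to approve it.
        return {"decision": "rejected", "approvers": [], "violations": ids}
    if violations:
        # High-risk conflict: manager, then role owner, then compliance to attach mitigating controls.
        return {"decision": "pending", "approvers": ["manager", "role_owner", "compliance"],
                "violations": ids}
    # No violation: manager approval only, then automatic provisioning.
    return {"decision": "pending", "approvers": ["manager"], "violations": []}
```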
External Integration Support
Some organizations have significant investments in Governance, Risk and Compliance solutions to manage SoD risks in their mission critical ERP systems, like SAP GRC or Oracle GRC. In these scenarios, Saviynt provides the capability to integrate with an external risk analysis engine, like SAP Access Control (AC), where SAP AC runs the risk analysis simulation and presents the results back to the access approvers within Saviynt.
Ruleset Review Process
As organizations mature in their Identity Governance processes, they can work with the GRC team to ensure they are incorporating the appropriate risk signatures. Organizations should have a process in place to regularly review the SoD ruleset with key Business Process Owners and Internal Audit experts to ensure its relevancy and suggest any necessary changes. The GRC team can also help refine the Segregation of Duties and Sensitive Access rulesets, identify any potential gaps, and consider any upcoming risks that may need to be included.
Enterprise GRC System Integration
Another opportunity for automation and improvement is leveraging evidence from your Identity Management applications to support control documentation within enterprise GRC applications. With most GRC applications, the control documentation and evidence collection process can be automated using APIs or other methods of integration. Some examples of this include:
- Identifying exceptions for Orphaned Accounts along with the key supporting details, such as who approved them and the business reason for their continued existence
- Evidence of Quarterly User Access Reviews for Sarbanes Oxley or other compliance requirements
- SoD and Sensitive Access violation reviews and mitigating control assignments
- Privileged Account Reviews
- Service Account Reviews
Finally, an organization’s GRC team provides support and insight into what applications are a priority to incorporate into an Identity Governance and Administration program. While there are several factors taken into consideration during this process, the GRC team is well suited to provide input and help identify risk factors to the organization.
There can be a lot of benefits to the organization from having your GRC and Identity Management teams work together. IAM programs can be more effective and have a larger impact by taking a risk-based approach, and the GRC team can be a crucial part of making that approach successful.
WHY SAVIYNT? INTELLIGENT ACCESS. SMARTER SECURITY
Saviynt starts with people – who they are and what applications they need – to create a holistic set of identities across on-premises and cloud ecosystems. This approach enables customers to govern all identities’ access from cradle to grave, providing continuous visibility of access to enforce internal controls that align with regulatory and industry standard mandates. Saviynt’s cloud-native platform offers flexible deployments, including on-premises only or hybrid/cloud, to match your hybrid ecosystem identity needs.
Our suite of solutions lets you take a holistic approach to IAM and mature your cybersecurity posture by incorporating GRC risk analysis capabilities into your governance processes.
For more information about managing identity, security and GRC in your environment, contact us for a demo today.