Traditionally, Governance, Risk and Compliance (GRC) focuses on technology applications that manage risk and compliance across a customer’s enterprise applications. The goal of any GRC solution is to answer three key questions: Who has access to what? Is the access secure? And is the access appropriate? These are reasonable, logical, and important questions. However, obtaining the answers can seem like a daunting task. On average, companies use 34 SaaS apps across their enterprise – and securing them is ever-changing.
At the same time, cyberattacks and data breaches are on the rise. As Crown Jewels continue to move from on-premises to the cloud, single and cross-application security and governance become even more critical: Whether an attack comes from within your organization or outside, these events can do significant damage. Sarbanes-Oxley (SOX) and Gramm-Leach-Bliley Act (GLBA) were regulations developed in response to the situation that caused the financial crash in 2008. These regulations were intended to force businesses—especially financial institutions—to adopt best practices and adequately utilize technology to prevent theft and fraud. There is a solid track record of enforcement: Banks, for example, have been fined $243 billion for non-compliance since 2008.
That’s why the ultimate goal of any GRC program is to create standardized, measured, controlled, repeatable processes that allow for continual process improvement and optimization. To do this, we use the Capability Maturity Model as a guide to setting up and maintaining a well-run risk environment. Organizations don’t have to implement a GRC program for every application all at once. They can begin with their key financial system, for example, and then add relevant and interactive systems that are in scope for SOX, HIPAA, etc. This additive approach can continue until they have addressed the full range of their environment.
Get Clean, Stay Clean, and Optimize
GRC shorthand for using the Capability Maturity Model is Get Clean, Stay Clean, and Optimize. At Saviynt, we’ve created a solution that supports you every step of the way through this process.
In this blog series, we’ll describe the process in more detail, beginning with this overview and then taking you through the steps that will help you establish a robust risk management program based on industry best practices. No matter where applications lie in the maturity process, following these steps will help further an application’s governance maturity, ensuring continued compliance and standardized monitoring.
Get Clean: Monitor and Manage SOD and Elevated Access
The first step toward accomplishing this goal is to “Get Clean,” by establishing risk rulesets, executing detective risk reports and usage analysis, and documenting mitigating controls.
The risk ruleset tells you when you have a Separation of Duties (SoD) or a sensitive access risk. You can address the risks in SoD reports through either mitigation (applying a control to monitor risk for users) or remediation (removing the access causing the risk). And then, you will need to document the controls that help you address those risks.
To meet the goal of a standardized and measured risk environment, you will need to assess the current risk environment for single and cross application SoDs, establish a risk management approach, and address the risks detected in the current environment. The result is a clean state, meaning you have no unknown risks in your environment. Risks have been quantified and addressed, either by removing the risk through remediation or by addressing it with a mitigating control, which will monitor it for you. Once you’ve done that, you need to stay clean.
Stay Clean: Audit Simplification through Automated Access Provisioning and Deprovisioning
Now that you’ve done the detective work, you can “Stay Clean” by moving forward into an automated provisioning and risk management process. This step enables you to implement preventative risk checks during access provisioning, ensuring that you’re addressing the risks of anyone who’s coming in or moving around in the business in a preventive and proactive manner.
To succeed, you’ll need a solution that ensures no stale access remains assigned for users as job responsibilities change by revalidating their access on an audit approved frequency with access certifications (also called User Access Reviews or UARs). With automated provisioning and risk management processes, you can address joiner, mover, and leaver events in access requests workflows – through access provisioning and deprovisioning.
For example, when someone changes jobs (a mover) within an organization, they may get their new access but their legacy access isn’t removed, which increases risk in the environment. By using access certifications on a standardized basis, that access is reviewed and reapproved or removed. So a solution that offers automated provisioning and access reviews keeps your access clean and removes anything that’s stale.
Another scenario involves utilizing emergency access requests, also referred to as firefighter or elevated access requests. Such requests are granted on an emergency basis and are rescinded when the emergency situation is resolved, reducing risk. Regular access certification and use of emergency access management processes ensure that no standing elevated access is allowed and that critical access is limited, which keeps the environment secure. Again, as your process matures and you begin managing all of your users, you can review essential access more closely.
Another critical capability to help you “stay clean” is usage tracking. Usage tracking ensures access requests and recertifications get reviewed to determine if the access is being utilized and is truly necessary or if removal can reduce the overall risk exposure. Once these capabilities are achieved, you have established a controlled and repeatable set of processes for providing access reviews and elevated access. Now you must keep your system optimized on an ongoing basis.
Optimize: Achieving Continuous Compliance
Lastly, we’re going to move to the optimize phase. During this phase, the focus is on continuous compliance monitoring through further cleanup of unused or excessive access. This stage can be accomplished with a solution that offers built-in controls, integrated risk simulations, and role entitlement / engineering management tools. These allow you to focus on continually improving your environment after establishing a documented, repeatable, and automated risk management process. A solution that can provide role mining views and access analytics reporting is ideal here. Additionally, the environment can be further optimized by a solution that provides license cleanup and realignment reviews.
Out-of-the-box compliance controls provide visibility for SOX, HIPAA, GDPR and other regulatory requirements. Integrated risk simulations allow for review of possible role or user changes and the SoD risk impact of those changes, prior to submitting requests. Additionally, role entitlement / engineering management tools allow for deep dive analysis to review existing entitlement design and determine if adjustments should be considered based on usage of various user groups. Each of these features supports the ongoing optimization and management of your application environments.
At this point, you’ve addressed existing detected risks – and implemented preventative risk detection, automated access provisioning, certifications, and emergency access requests. So you can now optimize the environment by managing and monitoring environmental controls on an ongoing basis, establishing a complete customer lifecycle end-to-end, and avoiding gaps that may result in audit and compliance concerns.
Once your organization Gets Clean, Stays Clean, and Optimizes, you can govern who gets access and how, secure what access is provided, and maintain complete visibility to access risk and compliance initiatives on an ongoing basis. No matter what stage your GRC program is in, Saviynt can help. In the upcoming blogs in this series, we will provide more detail on the benefits of using our Application Access Governance (AAG) solution.