Aristotle, the Greek philosopher, probably wasn’t thinking about Governance, Risk, and Compliance (GRC) solutions when he said, “The whole is greater than the sum of its parts.” But it certainly applies, particularly when we’re thinking about cross-application Separation of Duties (SoD), risk remediation, and maintaining a continuous compliance posture.
The challenge for many organizations is knowing which GRC capabilities add the most value to an efficient system. Although GRC products come with many features, we've homed in on six key capabilities that form the nucleus of an enterprise-ready GRC solution and provide a solid foundation for SoD, a critical set of internal controls that reduces the risk of both erroneous and inappropriate actions. They are the six capabilities covered below: cross-application rulesets; risk identification, mitigation and remediation; risk visualization and reporting; access certifications; emergency access; and continuous compliance monitoring.
In this blog series, we’ll examine (and demo) each of these features, explore their importance to an organization, and unpack how Saviynt’s industry-leading Application Access Governance (AAG) identifies and remediates potential or actual violations — before they damage compliance.
Let’s briefly consider each one.
Rulesets are a series of internal controls that prevent a user from executing both sides of a sensitive transaction, like being able to create an invoice and pay an invoice without any other approval required. They act as checks and balances.
Saviynt has developed standardized rulesets that customers get when they implement Saviynt AAG. Since many of the applications in your organization were designed by different software vendors, each with their own security model, it’s very difficult for organizations to build these rulesets from scratch.
Saviynt’s rulesets are unique because they are fine-grained, which means they look for SoD violations deep within the security models of such popular software offerings as SAP, Oracle, Active Directory, Cerner, Epic, and others. While other GRC solutions may focus on a single application, like SAP, Saviynt can identify violations across applications.
With the rapid adoption of cloud solutions, IT and security teams face new challenges in implementing consistent, compliant GRC processes across all cloud and on-premises applications. Saviynt meets this challenge while providing the flexibility to import custom rulesets as needed for your unique business needs.
Identifying real and potential risks of SoD violations has been a longstanding challenge for many organizations. Mitigating and remediating those risks — both in a single application and across applications — was workload intensive and always just out of reach.
Ideally, you want a GRC system that identifies the risks, alerts the administrator with accurate information, and provides an easy-to-use interface that moves from risk identification to mitigation and remediation with just a few clicks. To spot trends and accelerate risk reduction, you need a workflow system that shows you how many risks are in play, how many are being worked on, which were accepted, and which were closed and remediated.
Visualizing the risks associated with user access across multiple applications is foundational to a good GRC system. The true value is in being able to report on risks continually using a predictive model.
Ideally, you'd like to report on a cross-application ruleset that identifies the risk code, the functions causing the risk, a risk priority, a clear description of the risk, and the status of the risk, whether it's potential (the user holds both sides of the transaction) or active (the user has actually executed both). You'll also need the user's account information and a dashboard showing whether each risk is open, in process, closed, remediated, or assessed and accepted without further action needed.
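The ruleset and reporting ideas above (a function reachable through different entitlements in different applications, a rule naming two conflicting functions, and a finding carrying risk code, priority, description and potential/active status) can be shown end to end in a small evaluator. This is an added example, not Saviynt code; the application names, entitlement names, rule codes, users and activity records are constructed for illustration. It also shows what a single-application GRC check misses: a user whose two conflicting sides live in two different applications.

```python
"""Cross-application Separation of Duties (SoD) check.

Added example; not Saviynt product code. Application names, entitlement
names, rule codes, users and activity records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (application, entitlement name)

# Each business function can be reached through entitlements in several
# applications, each with its own security model (assumed names).
FUNCTION_ENTITLEMENTS: Dict[str, Set[Entitlement]] = {
    "CREATE_INVOICE": {("SAP", "Z_AP_INVOICE_ENTRY"), ("Oracle", "AP_INVOICE_ENTRY")},
    "RELEASE_PAYMENT": {("SAP", "Z_AP_PAYMENT_RUN"), ("Oracle", "AP_PAYMENT_MANAGER")},
    "MAINTAIN_VENDOR": {("SAP", "Z_MM_VENDOR_MAINT"), ("AD", "GRP-Vendor-Admins")},
}


@dataclass(frozen=True)
class Rule:
    risk_code: str
    function_a: str
    function_b: str
    priority: str
    description: str


# A ruleset: pairs of functions one person must not hold together (constructed).
RULESET: List[Rule] = [
    Rule("P2P-001", "CREATE_INVOICE", "RELEASE_PAYMENT", "High",
         "Can enter a vendor invoice and release its payment with no second approver"),
    Rule("P2P-002", "MAINTAIN_VENDOR", "RELEASE_PAYMENT", "High",
         "Can create a fictitious vendor and pay it"),
]


@dataclass(frozen=True)
class Violation:
    risk_code: str
    user: str
    priority: str
    description: str
    status: str                        # "potential" (holds both sides) or "active" (has used both)
    evidence: Tuple[Entitlement, ...]  # entitlements granting the two conflicting functions


def functions_held(entitlements: Set[Entitlement]) -> Dict[str, Set[Entitlement]]:
    """Map a user's entitlements back to the business functions they grant."""
    held: Dict[str, Set[Entitlement]] = {}
    for function, granting in FUNCTION_ENTITLEMENTS.items():
        matched = entitlements & granting
        if matched:
            held[function] = matched
    return held


def evaluate(ruleset, users, activity, cross_application=True) -> List[Violation]:
    """Return one Violation per (rule, user) whose access satisfies both sides.

    users:    user -> set of entitlements collected from every application
    activity: user -> set of functions the user has actually executed
    cross_application=False models a single-application GRC tool: a conflict
    only counts when both sides are granted inside the same application.
    """
    findings: List[Violation] = []
    for user, ents in users.items():
        held = functions_held(ents)
        for rule in ruleset:
            a, b = held.get(rule.function_a), held.get(rule.function_b)
            if not (a and b):
                continue
            if not cross_application and not ({app for app, _ in a} & {app for app, _ in b}):
                continue  # sides live in different apps; a per-app tool would miss this
            used = activity.get(user, set())
            status = "active" if {rule.function_a, rule.function_b} <= used else "potential"
            findings.append(Violation(rule.risk_code, user, rule.priority, rule.description,
                                      status, tuple(sorted(a | b))))
    return findings


def dashboard(findings: List[Violation]) -> Dict[str, int]:
    """Counts per status, the roll-up a risk dashboard would show."""
    counts: Dict[str, int] = {}
    for v in findings:
        counts[v.status] = counts.get(v.status, 0) + 1
    return counts


# Constructed sample data.
USERS = {
    "alice": {("SAP", "Z_AP_INVOICE_ENTRY"), ("Oracle", "AP_PAYMENT_MANAGER")},  # sides in two apps
    "bob":   {("SAP", "Z_AP_INVOICE_ENTRY"), ("SAP", "Z_AP_PAYMENT_RUN")},      # both sides in SAP
    "carol": {("Oracle", "AP_INVOICE_ENTRY"), ("AD", "GRP-Helpdesk")},          # one side only
    "dave":  {("AD", "GRP-Vendor-Admins"), ("SAP", "Z_AP_PAYMENT_RUN")},        # sides in two apps
}
ACTIVITY = {
    "bob":   {"CREATE_INVOICE", "RELEASE_PAYMENT"},  # executed both sides: active violation
    "alice": {"CREATE_INVOICE"},                     # holds both, used one side: potential
}

if __name__ == "__main__":
    found = evaluate(RULESET, USERS, ACTIVITY)
    for v in found:
        print(f"{v.risk_code} {v.user:6} {v.priority:4} {v.status:9} via {v.evidence}")
    print("dashboard:", dashboard(found))
    print("single-app view flags only:", sorted(v.user for v in evaluate(RULESET, USERS, ACTIVITY, cross_application=False)))
```

Run with the cross-application view, alice and dave are flagged even though each holds one side in SAP and the other in Oracle or Active Directory; restrict the check to one application at a time and only bob remains. The "active" status comes from joining access data with execution activity, which is what separates a violation that has already happened from one that is merely possible.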
Certifications are a set of access reviews performed on a regular schedule to determine whether a user's access is still valid or should be discontinued. This capability is critical to the joiner, mover, leaver scenario: as employees onboard or move between departments, it ensures they have only the access needed to do their current job. If they leave the organization, their access should be removed in a timely manner.
Organizations should develop certifications as campaigns. These campaigns need to support certification by various owner types, such as entitlement owners, organization owners, service account owners, or user managers. Dashboards help administrators see the status of any given certification campaign.
The needs of a business can change quickly. The flexibility to provide users with rapid, short-term access is extremely valuable. Emergency access capabilities should include the ability to be added as a role or as an ID. With an emergency access role, we use existing credentials to grant additional access to that role. With an emergency access ID, the user doesn’t have existing credentials, so organizations set up IDs with an approved set of access. With either access type, having start and end dates helps eliminate the potential for orphaned accounts when the need for the access expires.
One of the primary reasons for deploying an application GRC solution is to maintain regulatory compliance and ensure you have strong cybersecurity controls in place. A good GRC solution should have out-of-the-box capabilities that keep you in continuous compliance with regulations and frameworks such as NIST, GDPR, HIPAA, FINRA, PCI DSS, and many others.
Analytics should form the basis of configuring tests that can run on an ad-hoc or scheduled basis — and should be able to be filtered by application or by the specific regulation. This will aid in audit preparation and ensure ongoing compliance.
In future posts, we’ll delve into why these six critical capabilities are so crucial to a successful GRC system — and show you step by step how Saviynt’s Application Access Governance can simplify the process of safeguarding your company, users, and data.