Security Role Reviews

elans

Our company does periodic security reviews of each individual role. Our auditors are looking to enhance the processing and have us conform to a more robust and efficient security review process. The problem is, we don't know where to start with the change. Our current review process is as follows...
- Pick a role to review
- CNC Print out users in that role, P00950 output, and menu items assigned
- Review the details by our System Coordinator
- Assign the role to a "DEMO" user and log in, review what User/Role is allowed to complete
- Report on any needed changes verbally (no sign-off)
- CNC Implement the security changes where needed (sign-off)
- Move onto the next role.

Our auditors want us to up the volume and frequency of our reviews. Essentially, reviewing all roles every year. We are trying to find a good process that supports that frequency and add any steps that could help us satisfy the audits. From the above listing, does anyone do anything else differently? More efficiently? Or do you have a strict process as implemented by another party such as a SOX or HIPAA auditor? All answers are helpful! Thanks!
 
Just a thought... once the initial audit review is done on a role, couldn't you just look for additions/changes in the F00950 & F95921?
 
That was an initial thought I had. If we completed the role review and had management sign-off on the setup, then either configure auditing on the F00950 or manually audit the F00950 changes. The role review itself also presents a viewpoint for management and reviewers to say, "update" the way the roles are assigned. So if a Payroll individual could have a modified role, then the review opens that can of worms.

I like the idea of just auditing the F00950 for changes though. It also helps with the "audit the administrator", whereas CNC is not inputting unapproved lines of code, which in itself can be a cumbersome item to track.
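As an added illustration of the "audit the F00950 for changes" idea above (not code from the thread or from JD Edwards), this compares a signed-off baseline export of the security table against a later export and lists records added, removed or changed since the review. The CSV layout, column names and record values are constructed for the example and are a simplified stand-in, not the real F00950 schema.

```python
import csv
import io

# Constructed, simplified layout (not the real F00950 columns):
# security type, user/role, object, data item, then Y/N action flags.
KEY_FIELDS = ("SETY", "USER", "OBNM", "DTAI")

# Baseline export taken when management signed off on the role review.
BASELINE = """SETY,USER,OBNM,DTAI,ADD,CHG,DEL
3,PAYROLL,P0801,*ALL,N,Y,N
3,PAYROLL,P05116,*ALL,N,N,N
3,APCLERK,P0411,*ALL,Y,Y,N
"""

# Later export: one record altered, one added, one removed.
CURRENT = """SETY,USER,OBNM,DTAI,ADD,CHG,DEL
3,PAYROLL,P0801,*ALL,Y,Y,Y
3,PAYROLL,P05116,*ALL,N,N,N
3,PAYROLL,P0413M,*ALL,Y,Y,Y
"""


def load(snapshot):
    """Index an export by its security key so records can be matched."""
    rows = csv.DictReader(io.StringIO(snapshot))
    return {tuple(r[k] for k in KEY_FIELDS): r for r in rows}


def diff_security(baseline, current):
    """Return records added, removed, and changed between two exports."""
    old, new = load(baseline), load(current)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = []
    for key in sorted(old.keys() & new.keys()):
        # Only the flag values can differ here; key fields are equal by construction.
        delta = {f: (old[key][f], new[key][f])
                 for f in old[key] if old[key][f] != new[key][f]}
        if delta:
            changed.append((key, delta))
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    result = diff_security(BASELINE, CURRENT)
    for kind in ("added", "removed", "changed"):
        for item in result[kind]:
            print(f"{kind.upper():8} {item}")
```

Each line in the output is a change a reviewer has to approve or roll back; if the list is empty, the role is still as signed off.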
 
You also might want to consider a third-party tool such as ALLOut Security software. We use it on our JD Edwards instance. It provides the ability to create rules against existing roles to identify SOD conflicts and report on them.
 
ALLOut Security gives you the ability to run reports that will show exactly what a role has access to via menus and security. If you are looking for SOX compliance, AOS also has tools to report over each role to identify any violations based on the level of access for the role.

AOS also has change control for E1 included. You can use it with dual security tables to make changes in non-prod and promote to prod, or you can use it to monitor for changes to users and/or roles. If this is done in conjunction with the default security history records, you would have a good history of any changes made to roles since the last audit cycle.

The SoD reports from AOS will run in just a few minutes and give very detailed information for your auditors. There are also other tools in AOS the auditors can use to trace the access for a role down through the form and row exit programs as well without having to assign the role to them. One of the issues with trying to navigate through multiple levels of programs is that you have to put good data in to get to the next screen or use the exit programs. With the AOS tool that is not necessary.

With the AOS tools, you could audit every role every month if you wanted to!
 