Building Blocks + Communication + Rigorous Testing = Project Wins

Security and Risk. Two words that strike fear in the hearts of the unprepared.  No matter what your role is within the organization, these words can keep business leaders awake well into the wee hours. Recently, we worked with a large telecommunications company that was faced with solving significant security issues putting the organization at risk.

Generally, this telecom was unable to report on risks within their Microsoft Dynamics AX 2012 application, which in turn generated a number of other issues. Specifically, those compounded issues included:

  • Recent audit findings resulted in audit exceptions, generating significant manual effort to gather sufficient look-back documentation
  • Inconsistent protocols in provisioning access to AX 2012
  • Periodic user access reviews were difficult to perform, due to limitations of available access reporting and analysis capabilities
  • Protocols regarding the usage of the System Administrator account and who should have access were not always defined
  • Custom roles had been created, but security architecture was disorganized and was hard to interpret what existed within each role

With this background, our project objectives were to: 1) redefine the Segregation of Duty (SoD) and sensitive access ruleset; 2) establish flexible and secure role architecture; and 3) eliminate unnecessary access and document mitigated controls.

Our initial timeline was 11 weeks. With such a tight timeline, work began on three parallel paths including redesign, Fastpath implementation and establishing future state governance. It was critical to customize the ruleset for this client, as it would be the key to exception-based risk management.

When it came to defining roles, we considered job-based and task-based security roles. The client opted for the former, and we mutually implemented a “building blocks” approach to defining those roles. We began by stacking the task-based roles together. Next, we put them into a job-based role. It was critical to maintain a standard approach for assigning security. By ensuring that privileges were assigned to duties, duties were assigned to task-based roles and task-based roles were assigned to job-based roles, a scalable security structure emerged that the client could use as its needs grew and evolved.

The role architecture is four-tiered, ensuring users are granted access in a structured way to minimize risk potential and excessive access. Tier 1, or general access included birthright roles such as time entry or HR information on each employee. Tier 2, display access, carried minimum sensitivity, while Tier 3, update activity access, had medium to high sensitivity. At the top of the architecture is Tier 4, critical sensitivity, where IT and sensitive functions such as setups, user assignments and role modifications are housed.

As with most security projects, there were inherent challenges, perhaps the biggest of which was coordinating the various stakeholders across the client organization. This was not “just” an IT project or accounting project – the client was keen to work across business units. The client’s audit teams lacked experience in the AX security model, Fastpath functionality and how to best audit security. Those challenges were complicated by the complexity of the AX security model and the impacts even minor modifications can have on user functionality.

But with every challenge comes a new opportunity to develop a creative solution. In this case, we learned that having the organization’s senior leadership clearly communicate the importance of the project helped stakeholders prioritize appropriately. The client also ensured that both internal and external audit teams were well informed of the project objectives, direction and approach. Throughout, we gathered feedback and implemented suggestions, which further contributed to the overall buy-in of the organization to the project objectives.

Finally, the project timeline eventually extended to 22 weeks, double the time initially estimated. Why? It was clear early on that a “Big Bang” approach was not appropriate here. Testing was detailed, thorough and required a number of iterations. We extended the testing schedule and established a rigid process for ensuring all roles were tested and vetted prior to going live.

As with most projects, this work taught us important lessons we will carry into future security projects and which, in hindsight, are valuable objectives for any major undertaking:

  • Executive leadership is critical – getting buy-in from the top smooths the road ahead
  • Establish/update governance processes
  • Don’t underestimate user acceptance testing
  • Know what is mission critical – don’t get sidetracked by non-essential one-offs

Don’t lose sleep at night. Have a solid plan and use your “building blocks” to win.

Chris Katz

Associate Director
Business Application Solutions

Subscribe to Topics

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Load More