Case Study: Senior Living Management Company

Building a SOX Compliant and Scalable Microsoft Dynamics 365 Security Framework in a Short Timeframe

Situation

Our client is a national manager of distinctive, independent assisted living and memory care communities throughout the U.S. Established less than two years ago, the company has grown to manage more than 100 retirement communities caring for more than 5,500 residents across 28 states.

To accommodate this rapid growth, the organization implemented Microsoft Dynamics 365 for Finance and Operations (D365F&O) on an accelerated timeline so that a business management platform would be in place quickly. To shorten the implementation, the team chose to use the out-of-the-box (also known as ‘seeded’) security roles delivered with the application. Those roles bundle broad sets of duties and therefore inherently contain numerous high-risk segregation of duties (SoD) conflicts, such as a single role that can both create a vendor and release payments to it.

Because of the amount of revenue it manages on behalf of a large publicly traded real estate investment trust (REIT), the client would be required to comply with Sarbanes-Oxley (SOX), including controls over functional access in D365F&O. The company therefore needed a solution that would integrate well with its D365 environment and provide detailed audit reporting, SoD visibility and scalable task-based roles.

Solution: Clearer identification of conflicts and faster issue remediation

The organization decided to use Fastpath Assure software and looked for implementation partners that could help solve the problem within the allotted timeframe. They engaged Protiviti to assist with the Fastpath implementation, the security redesign, and the development and implementation of governance processes to protect the new security architecture while demonstrating strong controls. Management knew it was critical to have both the right software and the governance processes in place in order to accomplish their objectives and sustain the security model going forward.

To start building a compliant D365 security architecture, an SoD framework had to be established and configured within the Fastpath software. The framework defines which pairs of duties must not be held by the same role or user (without a documented mitigating control) and so provides the rules for how the new roles could be built. Once the SoD risk ruleset was configured, the team used Fastpath to build security roles that complied with the framework, designed processes for managing the new risk framework, and rolled the new roles out across the organization. Using the software’s analysis tools minimized the effort of the iterative build, test, analyze and modify cycle. The Fastpath “Security Designer” module in particular made it easier to quickly build scalable task-based roles that were free of SoD conflicts while still providing a flexible security framework that lets the client grow and change over time.
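The ruleset logic described above, as an added illustration that is not Fastpath code and not from the original page: a small Python model of an SoD check. The rule IDs, duty names, roles, users, mitigations and the service-account list are all constructed for the example. It shows the two checks an SoD tool performs, role-level conflicts (a single role granting both halves of a rule) and user-level conflicts (conflicts that appear only when several clean roles are combined), with mitigated conflicts reported separately, plus the “non-system users holding System Administrator” count the case study tracks.

```python
# Constructed illustration of a segregation-of-duties (SoD) ruleset check.
# All names below are made up for this example; they are not Fastpath or
# Dynamics 365 identifiers.

# Ruleset: each rule names two duties that one person must not hold together
# unless a mitigating control is documented for that user and rule.
SOD_RULES = {
    "R01": ("Create Vendor", "Process Vendor Payment"),
    "R02": ("Enter Journal", "Post Journal"),
    "R03": ("Maintain Resident Billing", "Apply Cash Receipts"),
}

# Role -> duties granted. The first role is a "seeded"-style role that bundles
# conflicting duties; the narrow task-based roles each grant one duty.
ROLES = {
    "Accounts payable manager": {"Create Vendor", "Process Vendor Payment", "Enter Journal"},
    "Accountant": {"Enter Journal", "Post Journal"},
    "Vendor maintainer": {"Create Vendor"},
    "Payment processor": {"Process Vendor Payment"},
    "Journal preparer": {"Enter Journal"},
    # Administrator role: every duty in the ruleset.
    "System administrator": {d for pair in SOD_RULES.values() for d in pair},
}

# User -> assigned roles (constructed).
USERS = {
    "alice": {"Accounts payable manager"},               # conflict inside one role
    "bob": {"Vendor maintainer", "Payment processor"},   # conflict only across roles
    "carol": {"Journal preparer"},                       # clean
    "svc-integration": {"System administrator"},         # system account
    "dave": {"System administrator"},                    # human with admin
}

SYSTEM_ACCOUNTS = {"svc-integration"}

# (user, rule) pairs with a documented mitigating control, e.g. a monthly
# payment review signed off by the controller (constructed).
MITIGATIONS = {("bob", "R01")}


def conflicts_in(duties, rules=SOD_RULES):
    """Rule IDs whose two duties are both present in the given duty set."""
    return sorted(rid for rid, (a, b) in rules.items() if a in duties and b in duties)


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Role-level check: a role is conflict-free only if its list is empty."""
    return {name: conflicts_in(duties, rules) for name, duties in roles.items()}


def user_conflicts(users=USERS, roles=ROLES, rules=SOD_RULES, mitigations=MITIGATIONS):
    """User-level check over the union of all assigned roles' duties.

    Catches conflicts created by combining individually clean roles, and
    splits results into unmitigated (must be fixed) and mitigated (accepted
    with a documented control).
    """
    result = {}
    for user, assigned in users.items():
        duties = set().union(*(roles[r] for r in assigned))
        hits = conflicts_in(duties, rules)
        result[user] = {
            "unmitigated": [r for r in hits if (user, r) not in mitigations],
            "mitigated": [r for r in hits if (user, r) in mitigations],
        }
    return result


def non_system_admins(users=USERS, admin_role="System administrator",
                      system_accounts=SYSTEM_ACCOUNTS):
    """Human (non-system) accounts holding the administrator role."""
    return sorted(u for u, assigned in users.items()
                  if admin_role in assigned and u not in system_accounts)


def summary():
    """Headline KPIs of the kind reported after a redesign."""
    return {
        "roles_with_conflicts": sum(1 for c in role_conflicts().values() if c),
        "users_with_unmitigated_conflicts": sum(
            1 for c in user_conflicts().values() if c["unmitigated"]),
        "non_system_admins": len(non_system_admins()),
    }


if __name__ == "__main__":
    for role, hits in role_conflicts().items():
        print(f"role {role!r}: {hits or 'clean'}")
    for user, hits in user_conflicts().items():
        print(f"user {user!r}: unmitigated={hits['unmitigated']} mitigated={hits['mitigated']}")
    print("non-system admins:", non_system_admins())
    print(summary())
```

Two points the output makes that the prose does not: “bob” holds two roles that are each clean, yet the combination trips R01, which is why a user-level check is needed in addition to a role-level one; and a mitigated conflict is still a conflict and stays on the report, so it cannot silently disappear when the mitigating control lapses.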

Results: Measurable KPIs around role design and issue remediation

Over the course of 15 weeks, Protiviti built an application security framework to support compliance with Sarbanes-Oxley requirements and to drive business ownership of security roles and risks. Before the redesign, the client had roughly 50 critical SoD conflicts at the role level and over 1,200 conflicts at the user level. After the project was completed, all roles were free of unmitigated SoD conflicts and the total number of user-level conflicts had been reduced by over 97%. The ruleset is also more comprehensive: 69 custom objects that the out-of-the-box Fastpath ruleset would not normally cover were added to it. Lastly, the number of non-system users assigned the “System Administrator” role was reduced by 60%, so that only the right individuals hold this elevated level of access.

To keep the company moving forward, key individuals in audit, IT and the business have been trained to use Fastpath and to perform the new governance processes. Additionally, the organization implemented a role-based access control process and redesigned security within its Microsoft CRM system (Dynamics 365 Customer Engagement).

Conclusion

Our client needed timely solutions to meet the demands of their ownership partner and their external auditors. Protiviti organized quickly, brought the right experience and began implementing governance processes, technology and security structures to meet those needs. There were bumps along the journey and times when the plan had to pivot, but in the end our client exceeded the requirements of their ownership partner and established a platform for ongoing access management.


Kevin McCreary

Managing Director
Enterprise Application Solutions
