ApplicationsMicrosoftSecurity

Case Study: Senior Living Management Company

Kevin McCreary
May 15, 2020
4 min read

Building a SOX Compliant and Scalable Microsoft Dynamics 365 Security Framework in a Short Timeframe

Situation

Our client is a national manager of distinctive, independent assisted living and memory care communities throughout the U.S., established less than two years ago and which has grown to manage more than 100 retirement communities caring for more than 5,500 residents across 28 states.

To accommodate the company’s rapid growth, the organization implemented Microsoft Dynamics 365 for Finance and Operations (D365F&O) on an accelerated timeline to rapidly establish a business management platform. In order to implement the solution quickly, the team chose to utilize the out-of-the-box (also known as ‘seeded’) security roles delivered with the application, which inherently contained numerous high-risk segregation of duty (SoD) conflicts.

Due to the amount of revenue under management for a large publicly traded real estate investment trust (REIT), the client would be required to comply with Sarbanes-Oxley (SOX), including controls over functional access in D365F&O. Due to this compliance requirement, the company needed to find a solution that would integrate well with their D365 environment and provide detailed audit reporting, SoD visibility and scalable task-based roles.

Solution: Clearer identification of conflicts and faster issue remediation

The organization decided to leverage Fastpath Assure software, and they asked for implementation partners that could support them in solving their problem within the timeframe allotted. They reached out to Protiviti to assist with the Fastpath implementation, the security redesign and the development and implementation of governance processes to protect their new security architecture while demonstrating strong controls. Management knew it was critical they had the right software and the governance processes in place in order to effectively accomplish their objectives and sustain their security model going forward.

To start building a compliant D365 security architecture, a SoD framework had to be established and configured within the Fastpath software. The framework provided the rules for how the new roles could be built. Once the SoD risk ruleset was configured, the team used Fastpath to help build security roles that aligned with the SoD framework, designed processes for managing their new risk framework, and implemented the new roles throughout the organization. Using software and security analysis tools helped to minimize effort for the iterative build, test, analyze and modify processes. The Fastpath tool, specifically the “Security Designer” module, made it easier to quickly build scalable task-based roles that were free of SoD conflicts and still provided a flexible security framework enabling our client to grow and change over time.

Results: Measurable KPIs around role design and issue remediation

Over the course of 15 weeks, Protiviti built an application security framework to support compliance with Sarbanes-Oxley requirements and drive business ownership of security roles and risks. Before the redesign, the client had roughly 50 critical SoD role conflicts and over 1,200 user conflicts. After the project was completed, all roles were free of unmitigated SoD conflicts and the total number of conflicts at the user level had been reduced by over 97%. The ruleset is more comprehensive with the addition of 69 custom objects that would not normally be captured in the out-of-the-box Fastpath ruleset. Lastly, the number of non-system users who are assigned the “System Administrator” role has been reduced by 60%, ensuring that only the right individuals have this elevated level of access.

To keep the company moving forward, key individuals in audit, IT and the business have been trained on how to leverage Fastpath and perform the new governance processes. Additionally, the organization implemented a role-based access control process and redesigned security within their Microsoft CRM system (aka Dynamics 365 Customer Experience).

Conclusion

Our client needed timely solutions to meet the demands of their ownership partner and their external auditors.  Protiviti organized quickly, brought the right experience and began implementing governance processes, technology, and security structures to meet their needs. There were bumps along the journey and times when the plan had to pivot, but in the end, our client exceeded the requirements of their ownership partner and established a platform for ongoing access management.

 

To learn more about Protiviti’s Microsoft capabilities, please visit our Microsoft consulting solutions site or contact us.

 

 

Kevin McCreary

Managing Director
Enterprise Application Solutions

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More