Building a SOX Compliant and Scalable Microsoft Dynamics 365 Security Framework in a Short Timeframe
Our client, established less than two years ago, is a national manager of distinctive, independent assisted living and memory care communities throughout the U.S. It has grown to manage more than 100 retirement communities caring for more than 5,500 residents across 28 states.
To keep pace with this growth, the organization implemented Microsoft Dynamics 365 for Finance and Operations (D365F&O) on an accelerated timeline as its business management platform. To go live quickly, the team used the out-of-the-box (also known as "seeded") security roles delivered with the application. Seeded roles are broad by design: a single role can bundle duties that should be held by different people, so the deployed roles inherently contained numerous high-risk segregation of duties (SoD) conflicts.
Because of the amount of revenue it manages on behalf of a large publicly traded real estate investment trust (REIT), the client would be required to comply with Sarbanes-Oxley (SOX), including controls over functional access in D365F&O. That requirement meant the company needed a solution that would integrate well with its D365 environment and provide detailed audit reporting, SoD visibility and scalable task-based roles.
Solution: Clearer Identification of Conflicts and Faster Issue Remediation
The organization decided to use Fastpath Assure software and sought an implementation partner that could help solve the problem within the time allotted. They engaged Protiviti to assist with the Fastpath implementation, the security redesign, and the development and rollout of governance processes that would protect the new security architecture while demonstrating strong controls. Management recognized that both the right software and the right governance processes were needed to meet their objectives and to sustain the security model going forward.
Building a compliant D365 security architecture started with establishing a SoD framework and configuring it as a risk ruleset in Fastpath: pairs of functions that no single role, and ideally no single user, should be able to perform together. That ruleset became the design rule for the new roles. Once it was configured, the team used Fastpath to build security roles that satisfied the ruleset, designed processes for managing the risk framework on an ongoing basis, and rolled the new roles out across the organization. Running each candidate role through the analysis tooling kept the iterative build, test, analyze and modify cycle short. Fastpath's "Security Designer" module in particular made it easier to build scalable task-based roles (each covering one task rather than a whole job) that carried no SoD conflicts of their own, while leaving a flexible framework the client can extend as it grows and changes.
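To make the mechanics of such a framework concrete, here is a toy SoD analysis in Python. It is an added example for this page, not Fastpath's engine, Protiviti's deliverable or the client's ruleset: every rule, role, duty, user and mitigating control below is constructed, and D365F&O's role, duty, privilege and entry-point hierarchy is collapsed to role -> duties. It separates the two findings an auditor asks about: a role that itself grants both sides of a rule (fixable only by redesigning the role) and a user whose combination of roles does (fixable by reassignment or an accepted compensating control), and it shows why a blanket System Administrator assignment trips every rule in the set.

```python
"""Toy segregation-of-duties (SoD) analysis. Constructed example, not Fastpath's
engine or the client's ruleset: all role, duty, rule, user and control names
are invented. D365 F&O's role -> duty -> privilege -> entry point hierarchy is
collapsed to role -> duties for clarity."""

# Constructed SoD ruleset: (risk_id, duty_a, duty_b, what the combination lets one person do)
RULESET = [
    ("AP01", "Maintain vendor master", "Post vendor payments", "create a vendor and pay it"),
    ("AP02", "Enter vendor invoices", "Approve vendor invoices", "enter and approve the same invoice"),
    ("GL01", "Maintain chart of accounts", "Post general journals", "redefine accounts and post to them"),
    ("AR01", "Maintain customer master", "Apply cash receipts", "create a customer and misapply cash"),
]
ALL_DUTIES = {d for _, a, b, _ in RULESET for d in (a, b)} | {"Inquire vendor balances"}

# Seeded-style roles: broad, so one role can bundle both sides of a rule.
# "System Administrator" is modelled as granting every duty, so it trips every
# rule; that is why the number of humans holding it is tracked as its own KPI.
SEEDED_ROLES = {
    "Accounts payable clerk": {"Maintain vendor master", "Enter vendor invoices", "Post vendor payments"},
    "Accounts payable manager": {"Approve vendor invoices", "Post vendor payments", "Inquire vendor balances"},
    "Accountant": {"Maintain chart of accounts", "Post general journals"},
    "System Administrator": set(ALL_DUTIES),
}
SEEDED_USERS = {  # constructed user -> assigned roles
    "alice": ["Accounts payable clerk", "Accounts payable manager"],
    "bob": ["Accountant"],
    "carol": ["System Administrator"],
    "dave": ["Accounts payable manager"],
}

# Task-based redesign: each role covers one task, so no business role conflicts
# with itself; conflicts can only arise from the roles a user holds together.
TASK_ROLES = {
    "Vendor master maintenance": {"Maintain vendor master"},
    "Vendor invoice entry": {"Enter vendor invoices"},
    "Vendor invoice approval": {"Approve vendor invoices"},
    "Vendor payment processing": {"Post vendor payments", "Inquire vendor balances"},
    "Chart of accounts maintenance": {"Maintain chart of accounts"},
    "General journal posting": {"Post general journals"},
    "System Administrator": set(ALL_DUTIES),
}
TASK_USERS = {
    "alice": ["Vendor master maintenance", "Vendor invoice entry"],
    "bob": ["General journal posting"],
    "carol": ["Chart of accounts maintenance", "General journal posting"],  # GL01 accepted, see below
    "dave": ["Vendor invoice approval", "Vendor payment processing"],
}
# Accepted compensating controls, (user, risk_id) -> control reference. Constructed.
MITIGATIONS = {("carol", "GL01"): "GL-REV-01 monthly journal review by the controller"}


def role_conflicts(roles, ruleset=RULESET):
    """Intra-role conflicts: a single role that grants both duties of a rule."""
    out = {}
    for role, duties in roles.items():
        hits = [rid for rid, a, b, _ in ruleset if a in duties and b in duties]
        if hits:
            out[role] = hits
    return out


def effective_duties(assigned_roles, roles):
    """Everything a user can do: the union of the duties of all assigned roles."""
    return set().union(*(roles[r] for r in assigned_roles))


def user_conflicts(users, roles, ruleset=RULESET, mitigations=None):
    """Cross-role conflicts per user: {user: {risk_id: mitigating control or None}}."""
    mitigations = mitigations or {}
    out = {}
    for user, assigned in users.items():
        duties = effective_duties(assigned, roles)
        hits = {rid: mitigations.get((user, rid))
                for rid, a, b, _ in ruleset if a in duties and b in duties}
        if hits:
            out[user] = hits
    return out


def unmitigated(conflicts):
    """Only conflicts with no accepted compensating control; these block sign-off."""
    return {u: sorted(rid for rid, ctl in hits.items() if ctl is None)
            for u, hits in conflicts.items() if None in hits.values()}


def count_conflicts(conflicts):
    return sum(len(hits) for hits in conflicts.values())


def sysadmin_holders(users, role="System Administrator"):
    return sorted(u for u, assigned in users.items() if role in assigned)


if __name__ == "__main__":
    for label, roles, users, mit in (("seeded", SEEDED_ROLES, SEEDED_USERS, None),
                                     ("task-based", TASK_ROLES, TASK_USERS, MITIGATIONS)):
        uc = user_conflicts(users, roles, mitigations=mit)
        print(f"{label}: role-level conflicts {role_conflicts(roles)}")
        print(f"{label}: {count_conflicts(uc)} user-level conflict(s); unmitigated {unmitigated(uc)}")
        print(f"{label}: System Administrator held by {sysadmin_holders(users)}")
```

Two things the toy makes visible. First, the redesign removes every conflict from the business roles, but "System Administrator" still hits every rule, which is why a real programme reports the count of people holding it rather than pretending the role can be made clean. Second, a conflict at the user level is not automatically a finding: carol keeps GL01 because a documented compensating control is attached to that specific user and risk, and the unmitigated list, not the raw conflict list, is what goes to the auditors. Extending the ruleset for custom objects is just adding tuples to RULESET with the custom duties named.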
Results: Measurable KPIs around Role Design and Issue Remediation
Over the course of 15 weeks, Protiviti built an application security framework to support compliance with Sarbanes-Oxley requirements and to drive business ownership of security roles and risks. Before the redesign, the client had roughly 50 critical SoD conflicts at the role level and over 1,200 conflicts at the user level. After the project was completed, no role carried an unmitigated SoD conflict, and the total number of user-level conflicts had been reduced by over 97%. The ruleset is now more comprehensive, with 69 custom objects added that the out-of-the-box Fastpath ruleset would not normally capture. Lastly, the number of non-system users assigned the "System Administrator" role was reduced by 60%, so that only the individuals who need this elevated access hold it.
To sustain the model, key individuals in audit, IT and the business have been trained to use Fastpath and to perform the new governance processes. In addition, the organization implemented a role-based access control process and redesigned security within its Microsoft CRM system (Dynamics 365 Customer Engagement).
Our client needed timely solutions to meet the demands of its ownership partner and its external auditors. Protiviti organized quickly, brought the right experience, and began implementing the governance processes, technology and security structures the client needed. There were bumps along the way and points where the plan had to pivot, but in the end the client exceeded its ownership partner's requirements and established a platform for ongoing access management.