Case Study: Senior Living Management Company

Building a SOX Compliant and Scalable Microsoft Dynamics 365 Security Framework in a Short Timeframe

Situation

Our client is a national manager of distinctive, independent assisted living and memory care communities throughout the U.S., established less than two years ago and which has grown to manage more than 100 retirement communities caring for more than 5,500 residents across 28 states.

To accommodate the company’s rapid growth, the organization implemented Microsoft Dynamics 365 for Finance and Operations (D365F&O) on an accelerated timeline to rapidly establish a business management platform. In order to implement the solution quickly, the team chose to utilize the out-of-the-box (also known as ‘seeded’) security roles delivered with the application, which inherently contained numerous high-risk segregation of duty (SoD) conflicts.

Due to the amount of revenue under management for a large publicly traded real estate investment trust (REIT), the client would be required to comply with Sarbanes-Oxley (SOX), including controls over functional access in D365F&O. Due to this compliance requirement, the company needed to find a solution that would integrate well with their D365 environment and provide detailed audit reporting, SoD visibility and scalable task-based roles.

Solution: Clearer Identification of Conflicts and Faster Issue Remediation

The organization decided to leverage Fastpath Assure software, and they asked for implementation partners that could support them with solving their problem within the timeframe allotted. They reached out to Protiviti to assist with the Fastpath implementation, the security redesign and the development and implementation of governance processes to protect their new security architecture while demonstrating strong controls. Management knew it was critical they had the right software and the governance processes in place in order to effectively accomplish their objectives and sustain their security model going forward.

To start building a compliant D365 security architecture, a SoD framework had to be established and configured within the Fastpath software. The framework provided the rules for how the new roles could be built. Once the SoD risk ruleset was configured, the team used Fastpath to help build security roles that aligned with the SoD framework, designed processes for managing their new risk framework, and implemented the new roles throughout the organization. Using software and security analysis tools helped to minimize effort for the iterative build, test, analyze and modify processes. The Fastpath tool, specifically the “Security Designer” module, made it easier to quickly build scalable task-based roles that were free of SoD conflicts and still provided a flexible security framework enabling our client to grow and change over time.

Results: Measurable KPIs around Role Design and Issue Remediation

Over the course of 15 weeks, Protiviti built an application security framework to support compliance with Sarbanes-Oxley requirements and drive business ownership of security roles and risks. Before the redesign, the client had roughly 50 critical SoD role conflicts and over 1,200 user conflicts. After the project was completed, all roles were free of unmitigated SoD conflicts and the total number of conflicts at the user level had been reduced by over 97%. The ruleset is more comprehensive with the addition of 69 custom objects that would not normally be captured in the out of the box Fastpath ruleset. Lastly, the number of non-system users who are assigned the “System Administrator” role has been reduced by 60%, ensuring that only the right individuals have this elevated level of access.

To keep the company moving forward, key individuals in audit, IT and the business have been trained on how to leverage Fastpath and perform the new governance processes. Additionally, the organization implemented a role-based access control process and redesigned security within their Microsoft CRM system (aka Dynamics 365 Customer Experience).

Conclusion

Our client needed timely solutions to meet the demands of their ownership partner and their external auditors.  Protiviti organized quickly, brought the right experience and began implementing governance processes, technology, and security structures to meet their needs. There were bumps along the journey and times where the plan had to pivot, but in the end, our client exceeded the requirements of their ownership partner and established a platform for ongoing access management.

 

To learn more about Protiviti’s Microsoft capabilities, please visit our Microsoft Solutions site or contact us.

 

 

Kevin McCreary

Director
Technology Consulting – Enterprise Application Solutions

Subscribe to Topics

#Protiviti’s Bryan Jordan and #SAP’s Anne Marie Colombo will be presenting “End-to-End Security Strategies for SAP S/4HANA” on at the upcoming #SAPinsider2020 Virtual Conference! http://ow.ly/bq8n50AQrg4

Great day for golf and our brand ambassadors! @MattFitz94 is underway at the @PGAChampionship in San Francisco, CA - the first men’s Major of the year - and @jenniferkupcho tee’s off shortly at the @MarathonLPGA in Sylvania, OH.

Contact us directly to learn how our wide scale of Microsoft consulting solutions can help you maximize your Microsoft investment http://ow.ly/40JF50AQs4v
@msspalert #Microsoft #MSAzure #MSPartner

How do you create a continuity plan and improve your operational risk program? Sign up now to receive a copy of our Guide to BCM – Frequently Asked Questions, coming in September http://ow.ly/2hyw50ARwW7 #businesscontinuity #businesscontinuityplanning #disasterrecovery

Load More...