#RSAC
Compliance Goal: Implementing Segregation Of Duties In An Organization
SESSION ID: GRM-R01
Lenka Fibikova, Independent Consultant
Why Segregation of Duties
Compliance with national laws requiring correctness of financial information and financial reporting
Business requirements on the integrity of business information
The story starts with…
Identified misuse
Findings from an external auditor
Findings from an internal auditor
Push from an enlightened leader
Challenges
Areas of concern

Which combinations are tolerated depends on where the two conflicting functions sit:

                             within business functions      within IT functions
within business functions    B-B: defined by the BP owner   B-IT: not acceptable
within IT functions          IT-B: not acceptable           IT-IT: defined by IT
Implementing SoD Step by Step

Phases: Define Project -> Identify Scope -> Define SoD Matrix -> Identify Conflicts -> Identify Actions -> Implement Actions
Tracks: B-B, IT-IT, B-IT/IT-B

Define Project
Identify Scope
    Identify BP in Scope
    Identify IT Processes in Scope
    Identify IT Applications in Scope
Define SoD Matrix
    Define BP SoD Matrix
    Define IT SoD Matrix
Identify Conflicts
Identify Actions
Implement Actions
Exercise: Define a B-B SoD Matrix
1. Document the process, its sub-processes and tasks
2. Identify SoD-relevant tasks
3. Create the SoD matrix
Exercise: Define an IT SoD Matrix
Areas of responsibility:
Change Management
Access Management
Operation
Exercise: Identify conflicts
1. Identify business roles
2. Document which SoD-relevant tasks each of the roles executes
3. Verify whether any of the roles currently violates defined SoD rules
Exercise: Identify Actions
For each of the identified conflicts, an action has to be defined and documented:
Immediate removal of the conflict
Immediate setup of administrative measures to minimize the risk
Implementation plan for removal of the conflict or for setup of administrative measures to minimize the risk
Formal risk acceptance by the Business Process Owner (might not be possible for some risks)
Exercise: Mapping the SoD Matrix to IT
1. Identify which applications and application functions support the tasks
2. Extract which user IDs use the identified functions
3. Identify SoD conflicts
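The two exercises above (identifying conflicts across business roles, and mapping the SoD matrix to application functions and user IDs) as one added worked example in Python. This is not code from the presentation; the process tasks, task codes, roles, application function names and user IDs are constructed sample data for a hypothetical purchase-to-pay process. It goes one step beyond the slides by checking conflicts per user ID over the union of role-derived and directly granted function-derived tasks, which catches a toxic combination of two individually clean roles that a role-only check misses.

```python
"""SoD conflict detection over roles, user IDs and application functions.

Constructed sample data (hypothetical process); nothing here refers to a real system.
"""
from itertools import chain


def build_matrix(conflicting_pairs):
    """Step 3 of 'Define a B-B SoD Matrix': each rule 'task X must not be combined
    with task Y' is stored as an unordered pair, so the check is symmetric."""
    return {frozenset(pair) for pair in conflicting_pairs}


def violated_rules(tasks, matrix):
    """Rules of the matrix that a single actor holding `tasks` violates."""
    held = set(tasks)
    return sorted(tuple(sorted(pair)) for pair in matrix if pair <= held)


def role_conflicts(role_tasks, matrix):
    """'Identify conflicts', step 3: roles whose own task set already breaks a rule."""
    found = {}
    for role, tasks in role_tasks.items():
        rules = violated_rules(tasks, matrix)
        if rules:
            found[role] = rules
    return found


def effective_tasks(user_roles, role_tasks, user_functions, function_task):
    """'Mapping the SoD Matrix to IT', steps 1 and 2: a user's effective tasks are
    the tasks of every assigned role plus the tasks implemented by every application
    function the user ID can execute (direct grants outside any role included)."""
    tasks = {}
    for user in set(user_roles) | set(user_functions):
        via_roles = chain.from_iterable(role_tasks[r] for r in user_roles.get(user, ()))
        via_functions = (function_task[f] for f in user_functions.get(user, ()))
        tasks[user] = set(via_roles) | set(via_functions)
    return tasks


def user_conflicts(user_tasks, matrix):
    """Step 3: SoD conflicts per user ID, including toxic combinations of clean roles."""
    return {u: r for u, t in user_tasks.items() if (r := violated_rules(t, matrix))}


# Constructed SoD-relevant tasks of the process (task codes are hypothetical).
TASKS = {
    "T1": "maintain vendor master data",
    "T2": "create purchase order",
    "T3": "approve purchase order",
    "T4": "record goods receipt",
    "T5": "post vendor invoice",
    "T6": "release payment run",
}

# B-B SoD matrix: task pairs one person must never hold together (constructed).
MATRIX = build_matrix([("T1", "T5"), ("T2", "T3"), ("T2", "T4"), ("T5", "T6"), ("T3", "T6")])

# Business roles and the SoD-relevant tasks each executes (constructed).
ROLE_TASKS = {
    "Buyer": {"T2"},
    "Purchasing Manager": {"T3"},
    "Warehouse Clerk": {"T4"},
    "AP Clerk": {"T5"},
    "Treasurer": {"T6"},
    "Vendor Admin": {"T1", "T5"},  # conflict built into a single role
}

# Application functions that implement the tasks, and who may call them (constructed).
FUNCTION_TASK = {
    "erp.vendor.maintain": "T1", "erp.po.create": "T2", "erp.po.approve": "T3",
    "erp.gr.post": "T4", "erp.invoice.post": "T5", "pay.run.release": "T6",
}
USER_ROLES = {
    "u_alice": ["Buyer"],
    "u_bob": ["Buyer", "Purchasing Manager"],  # two clean roles, toxic together
    "u_carol": ["AP Clerk"],
    "u_dave": ["Warehouse Clerk"],
}
USER_FUNCTIONS = {
    "u_carol": {"pay.run.release"},  # direct grant outside any role
    "u_dave": {"erp.gr.post"},
}

if __name__ == "__main__":
    print("roles in conflict:", role_conflicts(ROLE_TASKS, MATRIX))
    tasks = effective_tasks(USER_ROLES, ROLE_TASKS, USER_FUNCTIONS, FUNCTION_TASK)
    print("users in conflict:", user_conflicts(tasks, MATRIX))
```

Running it reports Vendor Admin as the only role that conflicts by itself, while u_bob (create plus approve purchase order, via two separate roles) and u_carol (post invoice plus release payment, via a role and a direct function grant) only show up in the user-level check. Each reported pair is then an input to the Identify Actions step: remove the conflicting assignment, add a compensating control, or obtain a documented risk acceptance from the Business Process Owner.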
Implementing SoD Step by Step

Phases: Define Project -> Identify Scope -> Define SoD Matrix -> Identify Conflicts -> Identify Actions -> Implement Actions
Tracks: B-B, IT-IT, B-IT/IT-B

Define Project
Identify Scope
    Identify BP in Scope
    Identify IT Processes in Scope
    Identify IT Applications in Scope
Define SoD Matrix
    Define BP SoD Matrix
    Define IT SoD Matrix
Identify Conflicts
    Identify Conflicts in BP
    Identify B-B Conflicts in Applications
    Identify B-IT/IT-B Conflicts in Applications
    Identify IT-IT Conflicts in Applications
    Identify Conflicts in IT Processes
Identify Actions
    Identify Actions for BP
    Identify B-B Actions in Applications
    Identify B-IT/IT-B Actions in Applications
    Identify IT-IT Actions in Applications
    Identify Actions for IT Processes
Implement Actions
    Implement Actions in BP
    Implement Actions in Applications
    Implement Actions in IT Processes
Lessons Learned: Good Approach
1.
2.
3.
4.
5.
6.
Lessons Learned: The Hard Part
1.
2.
3.
4.
Apply in Your Organization
Next week you should:
    Verify how you handle integrity of your financial data and whether Segregation of Duties has been consistently applied
    Consider whether there are any further (business-related) reasons for SoD
In the first three months you should:
    If there is no consistent approach for SoD, initiate a discussion with senior management
Within six months you should:
    Set up an SoD project
Remember: Implementation of SoD takes longer than it might appear
Questions