Implementing A Proper Data Access Governance Solution
It’s amazing what a properly deployed Data Access Governance solution can do for an organization. When I walked into our client’s office on a hot Texas morning, I knew that they had been struggling to deploy their Governance software. They had a textbook story and they needed some help to “right the ship” with their unsuccessful deployment.
Their goal was to take their current manual access review process and automate it to ensure proper access for their users and provide accurate, consistent reporting to satisfy their industry compliance requirements. I sat down with the Compliance Manager, and he began to explain that they had spent many years performing laborious compliance audits through manual email. Before automated Governance, their access review process looked like this:
- The compliance team would first acquire a report from another internal department of all ~10,000 employees’ access privileges for their enterprise applications and databases.
- The report was provided in a format that was difficult to understand and had to be revised for readability. Once revised, the report would be sent in a spreadsheet to the management team or application owners to review each of their employees’ user access rights, and note any changes or updates needed.
- Some managers would jump right on the report and respond with their updates while others would not. This required the compliance team to follow up with each manager individually to get their input (this would take weeks, depending on the manager’s schedule, availability and workload). Oftentimes requests would require escalation to an executive to ensure that the task was completed.
- Once the data had been manually collected, the compliance team would create service tickets for the provisioning team to update user access. The audit report was then created from this information.
I knew this team could really benefit from some help to get their Access Governance implementation problems solved. Not only was the current process labor-intensive, drawn out and ripe for human error, there was an opportunity for more robust reporting to assist with forensics in the case of a breach or incident.
Data Access Governance Implementation Results
Over the course of a few hours, the client laid out their pain points and their vision for the future state of the access review process. Once we began work on the project, it took about six weeks for our team to dig into the details and refine their deployment into a fully-functioning solution. In the first phase, we directly connected to six of their critical enterprise applications to shorten and simplify their access review process. The “After” process looked something like this:
- Once the connections to their applications were established, we pulled in the data to create the certification campaign. The software then automatically emails each user’s manager or application owner to review access.
- Managers and application owners then enter their responses directly into the tool, using their existing network credentials.
- For non-respondents, the tool automatically sends an escalation email to an executive after a certain interval (in this case, one week) to help encourage the manager/owner to respond.
- The audit report is automatically generated with little oversight from the compliance team.
The new process is straightforward and easy to manage, and the reporting includes helpful details like an audit trail with login history for each user.