SCOPE OF ENGAGEMENT
A strong regional bank was faced with six SOX deficiencies that needed timely remediation. The scope of the work included:
- Develop a risk-based, enterprise-wide segregation of duties (SOD) process to monitor for potential access conflicts.
- Document the SOD policy and procedures.
- Build an intra- and inter-application SOD conflict matrix.
- Redevelop the current SOD review process to include audit trail documentation supporting the completeness and accuracy of the process.
- Design a formal 'Role Creation/Change' process so that new and modified access roles are identified and included in the SOD process.
- Recommend a future-state SOD process that incorporates a third-party identity and access management solution to automate and enhance SOD enforcement and support IT access controls.
- Review, assess and redesign the current 'User Password and Authentication' policy.
- Review the password/authentication configurations of all 17 in-scope applications for policy compliance.
- Provide guidance on the password/authentication configuration changes required.
- Assess in-scope application compatibility with SSO (Azure).
- Provide management with guidance on the 'Password Risk Acceptance' memos required.
- Assess management's process for maintaining passwords for shared or generic system and service accounts.
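The SOD conflict matrix and the role creation/change process in the scope above are the two pieces a reviewer most often has to reason about together: a user holds roles in several applications, and a role that was never added to the matrix is silently excluded from the review. The following is an added illustration, not code from BASG or from the Bank's engagement; the applications, role names, the conflict matrix and the entitlement extract are all constructed for the example. It evaluates every role pair a user holds against the matrix, labels each hit as intra- or inter-application, and separately reports roles that the matrix does not cover so they can be fed into the role creation/change process rather than treated as conflict-free.

```python
"""Segregation-of-duties conflict check over an entitlement extract.

Added example with constructed data: the applications, roles, conflict
matrix and users below are hypothetical and not from the engagement.
"""
from collections import defaultdict
from itertools import combinations

# Conflict matrix: each entry is an unordered pair of (application, role).
# A pair inside one application is an intra-application conflict; a pair
# spanning two applications is an inter-application conflict.
CONFLICT_MATRIX = {
    frozenset({("core_banking", "create_vendor"), ("core_banking", "approve_payment")}),
    frozenset({("core_banking", "approve_payment"), ("gl", "post_journal")}),
    frozenset({("hr", "maintain_payroll"), ("hr", "approve_payroll")}),
}

# Entitlement extract as a UAR would pull it from each application:
# (user, application, role). Constructed sample rows.
ACCESS_EXTRACT = [
    ("alice", "core_banking", "create_vendor"),
    ("alice", "core_banking", "approve_payment"),
    ("bob", "core_banking", "approve_payment"),
    ("bob", "gl", "post_journal"),
    ("carol", "hr", "maintain_payroll"),
    ("carol", "gl", "post_journal"),
    ("dave", "gl", "new_reporting_role"),  # role never added to the matrix
]


def known_roles(matrix):
    """Every (application, role) that at least one matrix entry mentions."""
    roles = set()
    for pair in matrix:
        roles.update(pair)
    return roles


def find_sod_conflicts(extract, matrix):
    """Return sorted (user, kind, role_a, role_b) for each conflicting pair.

    kind is "intra" when both roles sit in the same application and
    "inter" when they span applications. Roles are grouped per user first
    so that cross-application combinations are checked, not just rows
    from a single application's extract.
    """
    by_user = defaultdict(set)
    for user, app, role in extract:
        by_user[user].add((app, role))
    hits = []
    for user, roles in by_user.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in matrix:
                kind = "intra" if a[0] == b[0] else "inter"
                hits.append((user, kind, a, b))
    return sorted(hits)


def unmapped_roles(extract, matrix):
    """Roles present in the extract that no matrix entry covers.

    These are inputs to the role creation/change process: a role missing
    from the matrix has not been assessed, which is not the same as being
    conflict-free.
    """
    known = known_roles(matrix)
    return sorted({(app, role) for _, app, role in extract if (app, role) not in known})


if __name__ == "__main__":
    for user, kind, a, b in find_sod_conflicts(ACCESS_EXTRACT, CONFLICT_MATRIX):
        print(f"{user}: {kind}-application conflict {a[0]}/{a[1]} <-> {b[0]}/{b[1]}")
    for app, role in unmapped_roles(ACCESS_EXTRACT, CONFLICT_MATRIX):
        print(f"unmapped role, route to role creation/change review: {app}/{role}")
```

In a real review the extract would be the per-application export taken on the review date, and both lists, conflicts and unmapped roles, would be retained with the export as the audit trail for that review cycle.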
THE SOLUTION
BASG’s Risk Team worked in tandem with internal Risk Management Executives to:
- Review and assess the current state of the User Access Review (UAR) processes:
  - Baseline User Access Reviews
  - Termination Access Reviews
  - Annual User Access Reviews and Annual Application Access Reviews
- Present management with recommendations for enhancing the current user access review processes, establishing a streamlined, repeatable workflow that ensures the reviews are complete and effective while meeting compliance and audit requirements.
- Implement the redesigned User Access Review processes and provide management with leading practices and recommendations for the division of responsibilities between the Information Security and Identity and Access Management departments.
- Provide management with formal procedural documentation supporting the user access review processes.
- Recommend a future-state UAR process that incorporates a third-party identity and access management solution to automate and enhance user access reviews.
- Work with management to develop a privileged access management policy.
- Review and assess privileged access across all in-scope applications.
- Provide recommendations for restricting privileged access to appropriate users.
- Review and assess the current employee termination and timely access removal processes.
- Work with management to develop an 'Access Management' policy outlining the procedures for employee termination and timely access removal.
- Recommend a future-state access removal/termination process that incorporates a third-party identity and access management solution to automate and enhance access termination.
THE RESULT
The Bank met the remediation goals set by its regulators in a timely manner, avoiding penalties. Further, by adopting the recommendations of the experienced BASG Team, the Bank put itself on a firm path to avoiding future deficiencies and continuing its plan for growth and development.