Implement new features with the upgrade and eliminate manual processes
One customer had only the bare-bones SoD analysis and emergency access features of their GRC product in operation. Most products, however, include components that let customers automate user access reviews and the security request process. In this case that additional functionality was added as part of the upgrade, which enabled the customer to cut the expensive manual effort spent on conflict analysis and on choosing mitigation options. They also replaced the arduous manual access certification process.
Rethinking how things operate
Sometimes the chance to upgrade is also the opportunity to ask how the current process can be made more efficient, or, as in this case, whether the upgrade can be used to resolve some repetitive audit issues. There was no formal process to approve the mitigating controls used to resolve SoD conflicts. As a result, mitigating controls were often used to eliminate conflicts; however, auditors found that the procedures those controls described were not being followed. In addition, many acquisitions and reorganizations had made the process even more complex, because the resulting changes to roles and assignments often created further conflicts. The existing reorg and consolidation process was not expected to change, and there were limited resources to keep up with security changes and also resolve conflicts among users in a timely manner. By implementing the provisioning features with the upgrade, the team was able to keep pace with organizational changes and to automate a standard approval process for resolving conflicts.
Improving the rule maintenance process
The realization that GRC is not a project but a journey came to a customer who had not touched their rules since the initial installation project was implemented two years earlier. Unfortunately, the implementer had not included a maintenance process to keep the business rules for access current with business and technical changes. As a result, no custom transactions or new transactions had been incorporated into the rule set since the initial project ended, and there was no process in place to gauge how many new transactions or business changes had accumulated. In some cases important changes had been made and significant risks were going unidentified. An upcoming audit raised the priority of this issue. When the upgrade was performed, the rule set was analyzed and updated. In addition, a rule maintenance process was put in place, which enabled the customer to avoid audit deficiencies and keep up with business and technical changes in the future without relying on outside consulting support.
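The maintenance gap described above, as an added example that is not code from the original page or from any GRC product: a rule set maps transactions to business functions, and SoD risks are pairs of functions one person must not hold. Transactions introduced after the rule set was built (the custom `Z*` codes below) are invisible to the analysis, so a user can carry a real conflict that the stale rule set never reports. The rule set, usage list, risk IDs and user assignments are all constructed sample data.

```python
from collections import defaultdict

# Constructed rule set: business function -> transactions that perform it.
FUNCTIONS = {
    "create_vendor": {"XK01", "FK01"},
    "post_payment": {"F110", "F-53"},
    "maintain_po": {"ME21N", "ME22N"},
}

# Constructed SoD risks: pairs of functions that must not be held together.
RISKS = {
    "P001": ("create_vendor", "post_payment"),
    "P002": ("create_vendor", "maintain_po"),
}

# Constructed usage log: transactions actually executed in the last period.
USAGE = ["XK01", "F110", "ZVEN_CREATE", "ME21N", "ZPAY_RUN", "F-53", "ZVEN_CREATE"]

# Constructed role assignments: user -> transactions reachable via their roles.
USER_TCODES = {
    "alice": {"XK01", "ME22N"},
    "bob": {"F110"},
    "carol": {"ZVEN_CREATE", "F110"},  # custom tcode hides a vendor/payment risk
}


def uncovered_transactions(usage, functions):
    """Transactions seen in use that are mapped to no business function.
    These are the new or custom transactions the rule set has never seen."""
    covered = set().union(*functions.values())
    return sorted({t for t in usage if t not in covered})


def sod_conflicts(user_tcodes, functions, risks):
    """Risk IDs violated per user, derived from the functions their tcodes grant."""
    out = defaultdict(list)
    for user, tcodes in user_tcodes.items():
        funcs = {f for f, ts in functions.items() if tcodes & ts}
        for risk_id, (a, b) in risks.items():
            if a in funcs and b in funcs:
                out[user].append(risk_id)
    return dict(out)


def with_mapping(functions, func, tcode):
    """Return a copy of the rule set with tcode added to the given function."""
    updated = {f: set(ts) for f, ts in functions.items()}
    updated.setdefault(func, set()).add(tcode)
    return updated
```

Running `uncovered_transactions` against the usage log is the periodic check the maintenance process needs; mapping the gaps (here `ZVEN_CREATE` into `create_vendor`) is what makes the hidden conflict visible.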