Auditing Application User Account Security and Identity Management with Data Analytics

Transcription

1 Auditing Application User Account Security and Identity Management with Data Analytics James Kidwell, JD, CISA Senior Information Systems Auditor Audit Services Tom Valiquette, MBA, CIA Director, Corporate Compliance Compliance Data Solutions

2 What is your end game? 1. Evaluate for key risks (one-time audit) Active user accounts of terminated employees/contractors 2. Continuous Monitor Audit Services tool 3. Build case for corporate identity management solution What else happened: Continuous Audit business unit tool

3 Key Considerations Decide your end-game What is your corporate standard Source of truth Data normalization Known data exceptions Error validation & process improvement Continuous auditing & monitoring

4 Example #1 User Accounts Individual system installations Individual systems do not communicate with each other. Hospital 1 Hospital 2 Hospital 3 Not integrated with Windows Active Directory Hospital 4 Manual user account administration managed at each hospital Hospital 5 Hospital 6 Hospital 8 Hospital 7

5 Example #2 User Accounts Primary applications for Enterprise Some not integrated with Windows Active Directory Manual user account administration managed within Information Services External service providers Accounts Receivable System A Accounts Receivable System C Accounts Receivable System B Electronic Medical Record

6 Key Risks Risks External Regulator sanctions due to active user account for terminated teammate; (JCAHO Joint Commission on Accreditation of Healthcare Organizations) System access using terminated teammate account; Transitioning to central Accounts Receivable system.

7 Source of Truth Central list used to identify personnel Maintained to some standard Contains unique identifier Customer and Audit agree Employee Roster Active Directory Contractor Roster

8 Analytic Process Flow Continuous analytic cycle agreed to by Audit and Customer Every application account receives a result code for each testing cycle Pass/Fail If Fail High/Low risk

9 Data Preparation Provision data on same schedule Remove application-specific known user ID modifications Target and isolate approved administrative accounts Only ACTIVE target system user accounts TargetSystem User ID ComputedID (used for matching) TargetSystem User Last Name TargetSystem User First Name JOHNSON ELLIOT EJOHNS01 EJOHNS01 JOHNSON ELLIOT EJOHNS01W EJOHNS01 JOHNSON TIM ID Modification

10 Layered Testing Algorithm Target System Identify inactive, template, system, and deleted accounts

11 Error Validation UserID ErrorReason ErrorValidation ValidationReason 5309 EJOHNS01 Application userid not found in PeopleSoft EC99 - Valid Error RC99 - Remediation Plan Application userid first name does not RC02 - False Positive - match first name in PeopleSoft EC01 - Not Error Positive Teammate ID Allows customer opportunity to participate in audit process Demonstrates to senior leadership the customers willingness to correct problems Approved false-positives accounted for in continuous auditing program Remediation plans confirmed by continuous auditing program

12 Audited Results Client-Audited Results Test if client provided acceptable responses to previous analytic cycle results

13 Teammate Identification - PS Compare active accounts to Human Resources Match Enterprise ID - Network ID or Employee ID; Match Name First name characters, or Levenshtein first name or Levenshtein last name Teammate active in HR data yes/no

14 Teammate Identification - AD Compare active accounts to Active Directory Match Enterprise ID - Network ID or Employee ID; Match Name First name characters, or Levenshtein first name or Levenshtein last name Teammate active in AD data yes/no

15 Teammate Identification - itim Compare active accounts to itim Match Enterprise ID - Network ID or Employee ID; Match Name First name characters, or Levenshtein first name or Levenshtein last name Teammate active in itim data yes/no

16 Analytic Results

17 Report Results Audit finding detail Dashboards

18 Reports Identify primary audience (audit management, customer?) Summary vs. Detail Facilitate exception management process Continuous Auditing Continuous Monitoring

19 Continuous Monitoring Single Application with Multiple Installations

20 Continuous Monitoring Tier 1 Applications

21 Continuous Monitoring Tier 1 Applications Drill Down

22 Continuous Auditing/Monitoring Provides evidence for end-game Identify root cause(s) Monitor process improvement Need for central Identity Management System Transition auditing to business unit Monitor process improvement gains Monitoring provides re-audit signals Allows for key system comparison

23 Questions?

24 Tom Valiquette, Director Compliance Data Solutions Corporate Compliance O: