Auditing Application User Account Security and Identity Management with Data Analytics
James Kidwell, JD, CISA, Senior Information Systems Auditor, Audit Services
Tom Valiquette, MBA, CIA, Director, Corporate Compliance, Compliance Data Solutions
What is your end game?
1. Evaluate for key risks (one-time audit): active user accounts of terminated employees/contractors
2. Continuous monitor: Audit Services tool
3. Build case for corporate identity management solution
What else happened: continuous audit business unit tool
Key Considerations
- Decide your end game
- What is your corporate standard
- Source of truth
- Data normalization
- Known data exceptions
- Error validation and process improvement
- Continuous auditing and monitoring
Example #1: User Accounts (diagram: individual system installations at Hospital 1 through Hospital 8)
- Individual systems do not communicate with each other
- Not integrated with Windows Active Directory
- Manual user account administration managed at each hospital
Example #2: User Accounts (diagram: primary applications for the Enterprise: Accounts Receivable System A, Accounts Receivable System B, Accounts Receivable System C, Electronic Medical Record)
- Some not integrated with Windows Active Directory
- Manual user account administration managed within Information Services
- External service providers
Key Risks
- External: regulator sanctions due to an active user account for a terminated teammate (JCAHO, Joint Commission on Accreditation of Healthcare Organizations)
- System access using a terminated teammate's account
- Transitioning to a central Accounts Receivable system
Source of Truth
- Central list used to identify personnel
- Maintained to some standard
- Contains a unique identifier
- Customer and Audit agree
Examples: Employee Roster, Active Directory, Contractor Roster
Analytic Process Flow
- Continuous analytic cycle agreed to by Audit and Customer
- Every application account receives a result code for each testing cycle: Pass/Fail
- If Fail: High/Low risk
Data Preparation
- Provision data on the same schedule
- Remove application-specific known user ID modifications
- Target and isolate approved administrative accounts
- Only ACTIVE target system user accounts

TargetSystem User ID | ComputedID (used for matching) | TargetSystem User Last Name | TargetSystem User First Name
5309                 | 5309                            | JOHNSON                     | ELLIOT
EJOHNS01             | EJOHNS01                        | JOHNSON                     | ELLIOT
EJOHNS01W            | EJOHNS01                        | JOHNSON                     | TIM      (ID Modification)
Layered Testing Algorithm
- Target System: identify inactive, template, system, and deleted accounts
Error Validation

UserID   | ErrorReason                                                            | ErrorValidation     | ValidationReason
5309     | Application userid not found in PeopleSoft                             | EC99 - Valid Error  | RC99 - Remediation Plan
EJOHNS01 | Application userid first name does not match first name in PeopleSoft  | EC01 - Not Error    | RC02 - False Positive - Positive Teammate ID

- Allows the customer an opportunity to participate in the audit process
- Demonstrates to senior leadership the customer's willingness to correct problems
- Approved false positives are accounted for in the continuous auditing program
- Remediation plans are confirmed by the continuous auditing program
Audited Results (Client-Audited Results)
- Test whether the client provided acceptable responses to the previous analytic cycle's results
Teammate Identification - PS
- Compare active accounts to Human Resources
- Match Enterprise ID: Network ID or Employee ID
- Match Name: first name characters, or Levenshtein first name, or Levenshtein last name
- Teammate active in HR data: yes/no
Teammate Identification - AD
- Compare active accounts to Active Directory
- Match Enterprise ID: Network ID or Employee ID
- Match Name: first name characters, or Levenshtein first name, or Levenshtein last name
- Teammate active in AD data: yes/no
Teammate Identification - itim
- Compare active accounts to itim
- Match Enterprise ID: Network ID or Employee ID
- Match Name: first name characters, or Levenshtein first name, or Levenshtein last name
- Teammate active in itim data: yes/no
Analytic Results
Report Results
- Audit finding detail
- Dashboards
Reports
- Identify the primary audience (audit management, customer?)
- Summary vs. detail
- Facilitate the exception management process
- Continuous auditing
- Continuous monitoring
Continuous Monitoring: Single Application with Multiple Installations
Continuous Monitoring: Tier 1 Applications
Continuous Monitoring: Tier 1 Applications Drill Down
Continuous Auditing/Monitoring
- Provides evidence for the end game: identify root cause(s); monitor process improvement; need for a central Identity Management System
- Transition auditing to the business unit: monitor process improvement gains; monitoring provides re-audit signals; allows for key system comparison
Questions?
Tom Valiquette, Director, Compliance Data Solutions, Corporate Compliance
Tom.Valiquette@CarolinasHealthCare.org
O: 704-512-5903