A US bank holding company was under urgent pressure to resolve significant deficiencies in its user-access management. A federal audit had found inadequate access control to 48 high-risk Sarbanes-Oxley (SOX) applications, as well as deficiencies in de-provisioning of critical accounts. The audit stipulated that the bank resolve deficiencies within an 18-week period—a daunting timeframe given the complexity of identity access across its ecosystem. The bank, like most businesses, simply did not have the resources or expertise to carry out an initiative of this magnitude.
Our team of identity management specialists interviewed business and IT leaders across the enterprise, drawing upon our existing knowledge of the bank’s operations and regulatory requirements to perform a gap analysis, define a common approach, develop a baseline set of risks and controls, and create remediation processes for the high-risk applications. We also introduced an enhanced role-based access-control model to govern assignment of appropriate access across all business lines and helped the bank create and launch an IAM Center of Excellence to ensure that the new access and segregation-of-duties (SOD) governance policies are embedded into the fabric of organizational culture.
Impact on client's business
We helped the bank holding company satisfy the audit demands on schedule. The bank also has a work plan in place that will enable it to remediate user-access deficiencies for a remaining 27 SOX applications. Improvements in user-access controls and SOD processes have strengthened the bank’s compliance and enabled faster, more accurate provisioning and de-provisioning. The bank now has adequate visibility into user-access entitlements and SOD controls across applications and business divisions, as well as full clarification and documentation of critical processes. It is positioned to fully automate these procedures in the future.