August 17, 2023
Enhancing Compliance through Automation: Targeted User Access Reviews
People are changing jobs at a rate not seen before, impacting all industries, and insurance is no exception. User access reviews represent a key control to ensure proper segregation of duties is maintained at all times. When titles and roles change, new employees are hired, and more, these are examples of key transition points where access provisioning and changes need to be reviewed.
Learn more about the 5 most common issues with segregation of duties and role based access controls in our recent article.
Access reviews are recommended to be performed on a periodic basis based on the risk of the system (at least annually). Due to the manual nature of these reviews, in many cases, they are not performed as often as recommended.
Our team has created an analytics tool to help insurance companies perform these common internal control assessments and limit the amount of manual work performed.
Our Approach
Johnson Lambert utilizes a comprehensive suite of digital tools and technologies that allow us to evaluate user access data across systems in an optimized and precise way. Our team can break down the user access review process into four primary areas of focus to help your organization reduce security risks:
- Look for changes in access – instead of reviewing every access role, our team uses analytics to look for changes in access that have occurred during the period under the assumption that if the access was reviewed and was correct last year, it will still be correct this year.
- Look for changes in title – changes in title are reviewed in conjunction with changes in access. Any major changes in title or department likely resulted in a change in access, so these users are sent to their new managers to ensure that they have the correct access for their new role.
- Ensure new hire access is appropriate – new hire access is something that must always be considered to ensure access was provisioned appropriately. Consolidating a list for manager review allows reviewers to focus on this high risk area instead of all of the users with no access or title change.
- Compare the user listing to a role based access control (RBAC) – if a role based access listing is available, it can be compared to the user listing. Deviations from the defined RBAC are then communicated and signed off ensuring that only a small number of users have to be checked. Deviations from the RBAC can then be defined and the RBAC can potentially be updated if a trend has occurred, or known high risk deviations can be better monitored by other controls.
Insurance companies hold sensitive customer data and they must adhere to security regulations and standards that are strengthening regularly. Achieving compliance means preparing for internal audits on a yearly or semi-annual basis. Undertaking these audits manually consumes a substantial amount of time, but automation of user access reviews and other compliance endeavors enhances overall efficiency, precision, and security.
For more information on how we can assist you with access review automation, contact Kim Mobley, Partner, Business Advisory Services.