Today, no organization escapes the need to demonstrate the security and compliance of its access rights, which are subject to regulatory standards (ISO 27001, ISO 27002, ISAE 3402, SOC 1 and 2, SOX, CMMC, HITRUST, HIPAA, CRBF, Solvency, etc.). Implementing IT General Controls (ITGCs), whether as part of IT audits or in addition to them, makes it possible to verify the security and compliance of a company’s logical access rights.
However, executing them raises several issues, because the lack of formal processes to frame when they are triggered exposes organizations to considerable risk.
Through three real use cases, we will look at why ITGC controls are essential to protect your organization’s resources and keep your business healthy. At the same time, we will learn how to optimize their execution.
ITGCs: What are they used for and when should they be used?
Definition of ITGCs
ITGCs are IT general controls designed to protect your organization’s data from use, disclosure or compromise. They can be applied to applications, databases, logical access rights and infrastructures within your information system (IS). Their implementation is mandated by regulatory entities for most companies and helps to fight against the risk of data theft or fraud. For more context on ITGCs, you can also read our article on this topic available here.
What is the scope that ITGCs cover?
IT general controls can be applied to all levels and in many areas, such as the identity lifecycle, privileged accounts and logical access rights. They contribute to the implementation and verification of compliance using several functionalities.
The main aspects of ITGCs that we will focus on here are:
- The control of logical access rights, meaning the control of user access rights to applications, repositories and data sources.
- User access review campaigns.
- The segregation of duties (SoD).
ITGC and Compliance Management: What is the typical internal process within organizations?
In order to better understand the control points to consider, the underlying issues and the individuals involved with regard to your company’s requirements, we will refer to a standard compliance management process that could be applied across an entire organization.
The typical process would be considered at three levels of ongoing controls:
- Permanent ITGCs: Level 1
This refers to operational or technical controls carried out by people close to the field, such as line managers or application managers.
The problem they face is identifying the actions performed by their teams on the information system (IS) and, in the case of the application manager, knowing who accesses which resources and at what level of permission.
- Permanent ITGCs: Level 2
These ongoing controls apply to consolidated data across the entire company, with a much broader scope. This is the case for risk analyses or independent controls, which can be carried out at any time of the year. In this situation, the internal control services or the risk and compliance management departments are in charge.
- Periodic Controls: ITGCs Level 3
This third level of control refers to post-incident or periodic checks. These serve as preventive controls but also as proof of compliance with the regulations your company is subject to (SOX, HIPAA, GDPR, etc.).
The final recipients of these controls are internal and external auditors and/or the regulatory authorities of your sector of activity or geographical region. The latter require certain controls to be carried out and reports to be produced attesting to their proper execution.
Since Level 2 and Level 3 ITGC controls apply to consolidated data, the first challenge is to make the Level 1 controls closest to the field as effective as possible. In this way, Level 2 and 3 controls can be optimized.
Why is it essential to apply ITGCs to logical access rights?
Beyond the need to comply with security and access rights compliance standards, ITGCs are a great way to protect your organization from a multitude of threats. As harmless as it may seem, a lack of control related to the access rights of one of your employees can have dramatic consequences.
In fact, managing and rigorously executing these controls is an essential prerequisite for not jeopardizing your organization and weakening its financial equilibrium.
The following three scenarios led to critical situations that could have been avoided by executing targeted IT general controls.
Case Study #1: Why can regular execution of ITGCs help avoid the worst-case scenario?
The departure of an employee is an integral part of a company’s daily activities. However, this is a major event that must be subjected to rigorous controls, particularly in terms of access rights.
What if your network administrator retained active rights after leaving the company? They would still have access to resources with the high permission levels that matched the job function they held at the time of employment.
Like many of their colleagues, this person was granted privileged access in line with their job responsibilities and duties, which most likely includes access to sensitive resources. Additionally, this person is most likely aware of any vulnerabilities in the company’s information systems.
For this discussion, we will assume that this person left the company in a conflictual context, such as a resignation or dismissal, and that their accounts remained active after their departure.
What are the risks to your organization?
Someone with this level of knowledge, who knows how to get into the information systems and still holds privileged access, exposes the company to the following two kinds of threats:
- Sabotage or disruption of business
The former employee, still holding their privileges and permissions, uses them to cause damage, such as deleting data or shutting down servers en masse, which can lead to malfunctions in your internal and external services and applications.
- Data leakage
This person continues to connect to the information systems to retrieve confidential data for their own benefit or that of a competitor (customer database, financial data related to sales policies, intellectual property, etc.).
What is the possible impact?
The repercussions are numerous and can be of many different types, including:
- Loss of customers or staff to the competition (if the former employee poached your employees, for example, or reached out to your customers using confidential data).
- Legal proceedings by customers impacted by sabotage carried out on your information system.
- Heavy expenses required to get the information systems up and running as well as secured.
It happened to Cisco.
In 2018, a Cisco system administrator resigned and retained active rights. Several months after his departure, he connected to Cisco’s systems and caused significant damage.
- More than 450 servers that operated the Webex service (Cisco’s video conferencing service) were erased.
- 16,000 customer accounts accessing this service were deleted.
To restore the accounts and restart Webex, two weeks of intensive work were required. In total, the operation cost the company nearly $2.4 million.
- $1 million was allocated to the labor needed to restore service.
- $1.4 million was spent on hardware, software and restorative actions.
All of this is in addition to the business consequences and loss of reputation that this attack on the Webex service provoked.
Cisco is far from an isolated case. The American credit bureau Equifax and the US Navy have experienced similar setbacks following the departure of a member of their teams.
Why and how could using ITGCs have avoided these situations?
Two types of IT general controls (ITGCs) could have been considered to prevent drift:
- permanent ITGC controls, or
- ITGC controls that are triggered in the event of an incident.
Permanent ITGCs are useful to:
- Identify the active accounts of people who have left the company.
- List orphaned accounts, dormant accounts, and technical, generic, test or training accounts (which system administrators may be aware of and may be tempted to exploit, since actions taken through them could not be uncovered or traced back to them).
- Monitor the activity of people with privileged access (verify the use and timing of their connections to sensitive assets, last transactions made, etc.).
ITGCs associated with events can be triggered as soon as an employee’s departure date is entered into the HR system. This would make it possible to:
- List the privileged access that the person has.
- Identify active accesses that should be removed.
- Identify a person’s permissions in the event of internal mobility (change of department or business function).
- List all access held by someone associated with a conflict of interest within the organization.
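As an added example (not part of the original article and not Brainwave GRC code), the following script shows how the permanent and event-triggered controls above can be implemented over two extracts: an HR feed carrying the departure date and an account inventory. All identifiers and dates are constructed.

```python
from datetime import date, timedelta

# Constructed sample extracts (not real data): what a Level 1 control pulls
# from HR and from the directory or application account stores.
HR = [
    {"id": "E001", "left": None},
    {"id": "E002", "left": date(2024, 3, 31)},   # departure date entered in HR
    {"id": "E003", "left": None},
]
ACCOUNTS = [
    {"login": "alice", "owner": "E001", "enabled": True, "privileged": False, "last_login": date(2024, 6, 10)},
    {"login": "bob-adm", "owner": "E002", "enabled": True, "privileged": True, "last_login": date(2024, 6, 1)},
    {"login": "svc-backup", "owner": None, "enabled": True, "privileged": True, "last_login": date(2023, 11, 2)},
    {"login": "carol", "owner": "E003", "enabled": True, "privileged": False, "last_login": date(2024, 1, 5)},
    {"login": "old-test", "owner": None, "enabled": False, "privileged": False, "last_login": date(2022, 1, 1)},
]
AS_OF = date(2024, 6, 15)  # constructed date of the control run

def permanent_account_control(hr, accounts, today, dormant_days=90):
    """Permanent ITGC: return (finding, login) pairs for every enabled account
    that belongs to a leaver, has no HR owner (orphaned/technical/generic),
    or has not been used for more than dormant_days."""
    identities = {p["id"]: p for p in hr}
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue  # disabled accounts are not a live risk for this control
        owner = identities.get(acc["owner"]) if acc["owner"] else None
        if owner is None:
            findings.append(("ORPHANED", acc["login"]))
        elif owner["left"] is not None and owner["left"] <= today:
            findings.append(("LEAVER_STILL_ACTIVE", acc["login"]))
        if acc["last_login"] < cutoff:
            findings.append(("DORMANT", acc["login"]))
    return findings

def departure_checklist(employee_id, accounts):
    """Event-triggered ITGC: when a departure date is entered in HR, list the
    person's enabled accounts, privileged ones first, so they can be removed."""
    mine = [a for a in accounts if a["owner"] == employee_id and a["enabled"]]
    mine.sort(key=lambda a: not a["privileged"])  # privileged accounts sort first
    return [a["login"] for a in mine]

if __name__ == "__main__":
    for finding in permanent_account_control(HR, ACCOUNTS, AS_OF):
        print(*finding)
    print("to remove for E002:", departure_checklist("E002", ACCOUNTS))
```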
Case Study #2: Why should you use ITGCs to resolve SoD conflicts?
How do I prevent or detect SoD conflicts?
One of the basic principles of access right security is to ensure that toxic combinations of rights are avoided as much as possible by respecting the principle of segregation of duties (SoD). Some regulations require monitoring of the activity of identities holding permissions whose combination is toxic.
For example, a person with the ability to modify bank account details in the payroll software, while also holding the access needed to issue a transfer, accumulates access rights that form a toxic combination. Fraud or human error then becomes possible and directly impacts the company. Therefore, the principle of segregation of duties should be observed as closely as possible.
What are the risks to your organization?
There are many, some of which are cited below:
- There is the case of overbilling using fictitious suppliers or in a situation of conflict of interest. For example, if the access rights that allow the creation of suppliers, the issuance of transfers and the validation of orders are combined, a buyer can declare a fictitious supplier and link their own bank account to this supplier in order to receive payments.
- Another case is stock market fraud (in banks or financial institutions). A person can purchase risky assets while also holding the rights needed to commit the organization’s own funds to cover them.
- Lastly, there is the example of financial fraud. An employee creates fictitious customers and income to artificially inflate turnover, to embellish the company’s accounts in the event of a merger or acquisition, or to suggest that their individual objectives have been achieved and thus receive a bonus.
What is the possible impact?
The cases of fraud mentioned above may give rise to:
- Financial losses, including stock market crashes.
- Considerable damage in terms of image and reputation that will have to be compensated by implementing a crisis management and communication strategy.
- Legal proceedings and criminal sanctions (fines, imprisonment) against the leaders of the organization involved in a case of fraud.
It happened to an automotive supplier.
This company uncovered massive internal fraud worth more than $20 million. How did it happen? Unscrupulous service providers with access to the company’s management system in an Asian subcontracting country built an elaborate false invoicing system from scratch.
This false invoicing system directly benefited the relatives of the perpetrators of the fraud and was built using the extensive access rights that had been assigned to them in the ERP.
Could the execution of ITGCs have prevented this situation?
Establishing permanent ITGCs would have made it possible to:
- Identify the list of toxic permission combinations by mapping the access rights assigned to users and by carrying out regular checks on the risky situations detected.
- Create a role catalog (role mining) that groups sets of compatible permissions and assigns them to the employees who need them as part of their job functions.
- Run checks on the contents of each role and on who can access it.
- Identify individuals with access rights to applications for which they never requested access, or for which the access was not validated through an access rights management (IAM) application in which these request processes are documented.
Event-related ITGC controls are particularly useful to:
- Trigger campaigns to review the access rights of identities on the move. It could be decided that each move within the company triggers an access rights review campaign, in which the manager is asked to recertify the access rights of people changing departments. In this way, the team leader can revoke the rights associated with the person’s former functions if they are no longer necessary, or confirm that the person should retain them.
- In the case of cumulative rights that form an identified toxic combination, alerts could be triggered when the user who holds them connects to the associated applications, so that their activity can be monitored.
- Finally, an alert system could also be set up to fire when a newly granted right creates an SoD conflict.
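As an added example (not part of the original article and not Brainwave GRC code), the following script implements the permanent toxic-combination check over identities and the role catalog, and the event-triggered check that flags a new grant when it would create an SoD conflict. The rules, permissions and identities are constructed; the three toxic pairs mirror the buyer/transfer and payroll scenarios described above.

```python
# Constructed SoD rules (not from the article): each frozenset is a toxic
# combination of permissions that one identity must never hold together.
TOXIC_COMBINATIONS = {
    frozenset({"create_supplier", "issue_transfer"}): "fictitious supplier payment",
    frozenset({"create_supplier", "validate_order"}): "self-approved purchase",
    frozenset({"edit_payroll_bank_details", "issue_transfer"}): "payroll diversion",
}

# Constructed mapping of identities, and of catalog roles, to permissions.
ASSIGNMENTS = {
    "buyer1": {"create_supplier", "validate_order", "read_catalog"},
    "payroll1": {"edit_payroll_bank_details"},
    "treasury1": {"issue_transfer"},
}
ROLES = {
    "Buyer": {"create_supplier", "read_catalog"},
    "Approver": {"validate_order"},
    "Treasurer": {"issue_transfer", "create_supplier"},
}

def sod_conflicts(permissions):
    """Return the labels of every toxic combination fully contained in permissions."""
    return sorted(label for combo, label in TOXIC_COMBINATIONS.items()
                  if combo <= permissions)

def permanent_sod_control(subjects):
    """Permanent ITGC: map each identity (or role) that has a conflict to its
    conflicts. Run it on the role catalog too, to check each role's contents."""
    report = {}
    for name, perms in subjects.items():
        conflicts = sod_conflicts(perms)
        if conflicts:
            report[name] = conflicts
    return report

def check_new_grant(assignments, user, new_permission):
    """Event-triggered ITGC: conflicts that granting new_permission would newly
    create for user, so the request can be blocked or routed for approval."""
    current = assignments.get(user, set())
    before = set(sod_conflicts(current))
    after = set(sod_conflicts(current | {new_permission}))
    return sorted(after - before)

if __name__ == "__main__":
    print("identities:", permanent_sod_control(ASSIGNMENTS))
    print("roles:", permanent_sod_control(ROLES))
    print("grant issue_transfer to payroll1:",
          check_new_grant(ASSIGNMENTS, "payroll1", "issue_transfer"))
```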
ITGC Controls: How to facilitate their execution?
ITGC Controls: Clear Benefits but Sometimes Complex to Execute
As we have seen in the two practical cases studied, IT General Controls have many benefits.
Optimizing logical access control tasks can make it possible to:
- Reduce the risk associated with logical access rights.
- Fight internal fraud.
- Improve a company’s defense against cyber risks.
- Demonstrate to auditors the compliance of logical access rights within the company.
However, many organizations struggle to implement these controls, which require correlating large amounts of disparate data of uneven quality, in a context where internal staffing changes take place frequently.
Automating ITGC Controls with Brainwave GRC
To make this easier for companies, Brainwave GRC delivers its expertise in access rights analysis through one of its flagship products: Brainwave Identity Analytics.
With Brainwave Identity Analytics, get a 360° view of the access rights present within your information system and discover how to:
- Automate your control plan using over 150 built-in, standard control points.
- Enrich your control plan with configurable controls that can be adjusted to your specific needs.
- Generate reports allowing you to list deviations.
- Follow compensating controls and control exceptions.
- Automate your access rights review campaigns.
- Create a catalog of relevant business roles.
- Produce compliance reports to provide to your auditors.
Would you like to learn more? Please contact us at your earliest convenience.