authorization review ebook

Upload: barber-bob

Post on 03-Jun-2018


8/12/2019 Authorization Review eBook

A Publication of Xpandion

AUTHORIZATION REVIEW

A GUIDE TO CONDUCTING A SUCCESSFUL AUTHORIZATION REVIEW*

* Also called Access Review or the Authorization Inspection process.

Overview

ALL-IN-ONE AUTHORIZATION REVIEW SOFTWARE... brings your whole process together in one, powerful system:

- Significantly lower overhead costs
- Easily manage the process via web browser
- Please auditors with well-documented and controlled processes
- Reach accurate decisions based on actual authorization usage
- No need for ERP expertise

Request A Demo: http://go.xpandion.com/authrdemo
WRITTEN BY MOSHE PANZER

Moshe Panzer has over 15 years' experience as a recognized ERP expert. Mr. Panzer has worked as a senior ERP consultant, project advisor and project leader for large private corporations worldwide and as development, conversions and interface manager for the Israel Ministry of Finance.

Mr. Panzer has developed and managed large-scale software integration, interfacing and architecture, and has played pivotal roles in more than 50 complex ERP implementations in Israel, Europe, and the US. He led the development of the largest ERP implementation in Israel, led by the Ministry of Finance and thought to be the largest IT project in Israel. Mr. Panzer was regional director, responsible for Microsoft-SAP solutions connectivity, and personally developed a connector for MS-SAP. Over the years, ERP and other major companies in Israel and Europe have called upon him to lead dozens of courses in ERP management systems.

His technological vision is the driving force behind Xpandion's product development. In addition to his technological expertise, he has founded and run three successful software companies.

Mr. Panzer has a B.Sc. in Information Systems Engineering from the Technion, and a Master's degree in Information Systems (MSIT) from Clark University. He is also on the Board of Directors of Enshav, a non-profit organization for the safe use of the internet.

FOLLOW ME ON TWITTER: @moshepanzer (https://twitter.com/moshepanzer)
TABLE OF CONTENTS

1. INTRODUCTION
2. TERMS AND DEFINITIONS
3. RELATED PROCESSES
4. INDIVIDUAL AUTHORIZATION REVIEW
5. MANUAL VS. AUTOMATED
6. LOCAL VS. CLOUD
7. AUTOMATED TOOL: KEY FEATURES
8. 6 IMPORTANT TIPS FROM THE FIELD
9. CONCLUSION
CHAPTER ONE

INTRODUCTION
WHAT AN AUTHORIZATION REVIEW IS, AND WHY YOU NEED IT

Why should I be performing authorization reviews?

The process of reviewing authorizations enables enterprises to verify that authorizations granted to employees are still valid. The process entails that a manager must go through each authorization allocated to each of his/her employees, and decide whether to remove or keep it. In some cases, the authorization review process ends after a single manager's approval. In other cases, additional approval steps from senior management are required. At the end of the process, a list is produced of all the employees whose authorizations were not approved and will need to be removed.

The authorization review process is required by SOX and equivalent regulations, so companies need to review their authorizations at least once a year. Many organizations perform these reviews twice a year or even quarterly, depending on legal obligations and the requirements of the company's auditors.

Authorization Review is also often called Access Review or the Authorization Inspection process.

Only after achieving a complete view of all authorizations can organizations remove unused ones.
THE IMPORTANCE OF THE AUTHORIZATION REVIEW PROCESS

The importance of the authorization review process is not only related to financial regulations like SOX. In addition to being a regulatory obligation, a periodic review of authorizations ensures that employees are holding authorizations for justifiable reasons. Over time, a full overview of employee authorizations is achieved via a comprehensive list detailing all of the authorizations, the usage pattern per each authorization, and the name of the manager that approved the authorizations.

After achieving a complete view of authorizations, organizations can:

- Remove unused authorizations.
- Identify usage of sensitive authorizations.
- Investigate irregular behavior.
- Comply with SOX regulations.

This eBook will detail how to conduct a sound authorization review and why using an automated tool is highly recommended.

Sources

This document is based on extensive hands-on experience with authorization-related processes by Xpandion, selected CISOs, risk managers from leading companies, and various external and internal auditors, all in the hopes of helping improve how companies conduct their authorization review processes.
CHAPTER TWO

SIGNIFICANT TERMS & DEFINITIONS
TERMS & DEFINITIONS

Term: User/User Account
Description: The employee's account in a specific system. For example, JOHN_S in the ERP system, or account [email protected] in the Active Directory system.

Term: Employee
Description: The term in information systems for the logical entity that represents the human employee. An employee can have a number of user accounts in a number of different systems. For example, the employee John Smith has a user account JOHN_S in the SAP ERP system and the user account JOHN_SM in the CRM system.

Term: Organization's Auditor
Description: External or internal auditors. In general, the requirement for conducting an authorization review process and its related follow-up actions comes from the organization's auditor. Therefore, this document refers to both types of auditors interchangeably.

Term: Provisioning
Description: Performing an actual change in authorizations via an automated method for adding or removing authorizations.
CHAPTER THREE

RELATED PROCESSES
RELATED PROCESSES

How do they relate to my workflow processes?

In general, the authorization review process is one of four significant authorization-related workflow processes:

1. Authorization Review: the process discussed in this document.

2. Authorization Request: the process in which an employee requests additional permanent authorizations to answer a specific long-term business need, or a temporary authorization due to organizational needs such as replacing someone on vacation. The process begins with an employee requesting an authorization to a certain system and ends with either granting the authorization or rejecting the request.

For information about authorization request, see http://www.xpandion.com/Security-Authorizations/authorization-request.html
3. New Employee/Account Creation: the process of creating a new record in the HR system for a new employee, then creating usernames in the relevant systems and allocating the required authorizations according to organizational needs for the purpose of commencing work. In most organizations, creating new accounts for an employee is performed by copying an existing employee's account, which can also result in replicating many unnecessary authorizations.

4. Closing Employees' User Accounts: the process of closing all user accounts in the event an employee leaves the organization. The term "closing" changes from system to system according to a company's standards for saving data. Some user accounts are erased, some are only locked, and others receive an expiration date earlier than the current date. The trigger for this process is an event of an employee leaving or prior notice from the HR department.
Emergency Access

The emergency access process interfaces with the four previous processes and deals with an immediate need to perform irregular entry into the production environment. SOX regulations require enterprises to do this only by enabling privileged and timely access into the production systems.

Emergency access comes in answer to a situation where an employee who is not supposed to access the production environment needs access for a limited amount of time and for a specific ad hoc reason (for example, to inspect a bug or train an end-user for a specific purpose). Rather than allowing IT users to freely log into the production system (creating unnecessary user accounts and the possibility of security breaches), it is recommended to implement an emergency access process.
Emergency Access Process Flow

1. Employee opens a request for immediate, privileged access and provides a reason for this request.
2. Supervisor grants defined, privileged access or additional authorizations to the user account.
3. Employee logs into the production system and performs the required task.
4. The account is automatically locked when the defined time for the privileged access is over.
5. A detailed report on all activities performed in the production environment is sent to the supervisor for approval/inspection.
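The five-step flow above as a small Python model, added here as an example and not code from the eBook or from ProfileTailor Dynamics. The ticket, account, system and supervisor names and all timestamps are constructed, and the self-approval check in grant_access is an added assumption the page does not state.

```python
"""Emergency access lifecycle: request with a reason, time-boxed grant by a
supervisor, activity in production, automatic lock at expiry, and a report for
the supervisor. Added example; all names and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class EmergencyAccess:
    """One emergency-access ticket and everything that happened under it."""
    request_id: str
    employee: str                      # account that needs ad hoc production access
    system: str                        # production system the access is for
    reason: str                        # mandatory justification (step 1)
    opened_at: datetime
    granted_by: Optional[str] = None
    granted_until: Optional[datetime] = None
    locked: bool = False
    activities: list = field(default_factory=list)  # (time, action) done in production
    refused: list = field(default_factory=list)     # attempts outside the granted window
    audit: list = field(default_factory=list)       # every state change, for the report

    def log(self, when: datetime, event: str) -> None:
        self.audit.append((when.isoformat(), event))


def open_request(request_id, employee, system, reason, now):
    """Step 1: the employee opens a request and must state a reason."""
    if not reason.strip():
        raise ValueError("an emergency access request needs a reason")
    req = EmergencyAccess(request_id, employee, system, reason, now)
    req.log(now, f"opened by {employee} for {system}: {reason}")
    return req


def grant_access(req, supervisor, duration, now):
    """Step 2: a supervisor grants privileged access for a defined, limited time.
    Assumption added here (not stated on the page): nobody approves their own request."""
    if supervisor == req.employee:
        raise PermissionError("requester may not approve their own emergency access")
    req.granted_by = supervisor
    req.granted_until = now + duration
    req.log(now, f"granted by {supervisor} until {req.granted_until.isoformat()}")
    return req


def enforce_expiry(req, now):
    """Step 4: lock the account as soon as the granted window has passed."""
    if req.granted_until is not None and now >= req.granted_until and not req.locked:
        req.locked = True
        req.log(now, "account locked: privileged access window expired")
    return req.locked


def is_active(req, now):
    """Access counts as active only between the grant and its expiry, and before a lock."""
    return req.granted_until is not None and not req.locked and now < req.granted_until


def record_activity(req, now, action):
    """Step 3: an action in production is accepted only inside the granted window;
    anything else is refused and kept as evidence for the supervisor."""
    enforce_expiry(req, now)
    if is_active(req, now):
        req.activities.append((now.isoformat(), action))
        return True
    req.refused.append((now.isoformat(), action))
    req.log(now, f"refused outside window: {action}")
    return False


def supervisor_report(req):
    """Step 5: everything done under the grant, for approval/inspection."""
    return {
        "request_id": req.request_id,
        "employee": req.employee,
        "system": req.system,
        "reason": req.reason,
        "granted_by": req.granted_by,
        "granted_until": req.granted_until.isoformat() if req.granted_until else None,
        "locked": req.locked,
        "activities": list(req.activities),
        "refused_attempts": list(req.refused),
        "audit_trail": list(req.audit),
    }


def demo():
    """Walk one constructed ticket through the whole flow."""
    t0 = datetime(2018, 6, 3, 9, 0)
    req = open_request("EA-0001", "JOHN_S", "SAP-PRD", "inspect bug in invoice posting", t0)
    grant_access(req, "jane.manager", timedelta(hours=2), t0)
    record_activity(req, t0 + timedelta(minutes=30), "viewed posting log of invoice 4711")
    # Three hours later the window is over: the attempt is refused and the account locked.
    record_activity(req, t0 + timedelta(hours=3), "changed posting period")
    return supervisor_report(req)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```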

THE AUTHORIZATION REVIEW CONNECTION

[Figure: "Authorization Review by Employee" at the centre, connected to four related processes: departure of employee and closing all usernames in all systems; authorization request across all systems; emergency access to a specific system; opening new employee and user accounts in all systems.]

Authorization review related processes. Some processes occur across all systems and some per a specific system.
CHAPTER FOUR

INDIVIDUAL AUTHORIZATION REVIEW
INDIVIDUAL AUTHORIZATION REVIEW

Why perform authorization reviews for an individual?

In many companies an authorization review is performed immediately after an employee changes positions. This is because when an employee switches positions, the organization must verify that all authorizations from the previous position are still relevant for the new position. If not, changes must be made immediately to the current authorizations in order to adjust them to the responsibilities of the new position. Other organizations adopt a stricter approach, removing all authorizations first and only then allocating the required authorizations, as if they are dealing with a new employee.
Removing all authorizations can interfere with ongoing business processes, even if an employee does not protest.

While the latter method makes sense, it may disturb the employee's and/or company's proper and functional performance, as many employees receive authorizations outside their formal position, such as access to personal network folders and the ability to execute special queries. An individual authorization review that is performed automatically after an employee switches positions is strongly recommended. Such a process prevents unpleasant surprises that tend to occur during a periodic authorization review.
CHAPTER FIVE

AUTHORIZATION REVIEW PROCESS: MANUAL VS. AUTOMATED
MANUAL VS. AUTOMATED

Which way should I go?

Choosing between a manual or automated authorization review process depends on the amount of available resources and the complexity of the project. The more systems an organization has, the more complicated the authorization review process can be, and the more resources are needed. Therefore, in such a case, an automated process adds great value to a company, saving time and unnecessary hassle.

Similarly, if an auditor demands complex requirements for the review process (such as exact documentation for each step, the reason behind each authorization, second approval by senior-level management, etc.), an automated tool becomes a must. In addition to the great savings in time and resources, authorization-related information is more up to date and can be documented easily, which pleases auditors and management alike. Furthermore, an automated tool allows for the process to be repeated easily (based on previous reviews) without requiring additional resources and without depending on the organization's experts.

Rule of thumb: organizations with more than one system and 500+ employees should unquestionably favor an automated tool for reviewing authorizations.
Many small organizations with just one system also prefer using an automated tool in order to be prepared at all times for any changes or new requirements. Changes can include a new auditor, a new organizational structure, a request to view records from a previous process, etc. Small companies also see the value in an automated tool for improving the quality of the process and for obtaining accurate cross-organizational information so they can perform the review in the most professional way.

[Figure: A screen shot from ProfileTailor Dynamics depicting an overview of the process by department.]
From a departmental point of view, an automated tool enables the process owner and the auditor to know the exact status of the review by business units or business processes at any given moment. The process owners can be in control and easily see different views: how many authorizations need to be reviewed, how many authorizations have already been reviewed by second-level management, and how many authorizations have not yet been reviewed. With an automated tool, departments are able to control the entire process, provide clear reports to management and reach accurate decisions.

Majority advice: Our findings are that most CISOs recommend conducting authorization review processes using an automated tool, like ProfileTailor Dynamics (http://xpandion.com/Security-Authorizations/authorization-review.html).
CHAPTER SIX

AUTHORIZATION REVIEW TOOL: INSTALLED LOCALLY VS. CLOUD
INSTALLED LOCALLY VS. CLOUD

What's the best platform for me?

In general, Cloud-based applications usually do not involve a continuous connection between the organization's internal systems and the Cloud; rather, they require loading occasional data to the Cloud. For example, a CRM system in the Cloud, like Salesforce.com, means, in most cases, that employees work only in the Cloud and do not use data from internal systems inside the organization. Therefore, there is usually no need for a continuous connection between Cloud applications and the organizational network.

Surprisingly or not, due to the many services available in the Cloud, more and more organizations are reviewing their employees' authorizations of the internal systems using the Cloud. The data is obtained from the internal network (either automatically or manually) and then transferred to the Cloud. Emails are sent to managers via a server in the Cloud, and managers work on web pages that are located in the Cloud and not inside the organization.
The main advantage of performing an authorization review process using the Cloud is the fact that no hardware is needed. When servers are not installed in an organization, there is no installation cost, no need for ongoing maintenance, nor for determining password policies, nor for technicians if something goes wrong. In addition, working in the Cloud enables organizations to allocate resources exactly as needed. The Cloud entails payment only for the exact amount of time required to complete the process and saves the cost of keeping hardware after the review ends.

What about the data itself? The most common belief is that data is not totally secure in the Cloud. However, even if we ignore the robust security methods of the Cloud (like SSL access, security reviews, penetration tests, etc.), most Information Security Managers will agree that exposing the data required for the authorization review process, such as usernames and roles, cannot be compared to the larger risk of exposing business-related information. Not that exposing usernames and authorizations should be taken lightly, but in most cases the risk is small compared to the potential benefit.
In the end, in regards to authorization review, the choice between on-premises installation or Cloud is mainly based on the organization's policy and its approach to innovation. The more traditional organizations, such as banks and insurance companies, are expected to choose classic installation. The more innovative companies, especially companies that already use the Cloud for other services, may consider conducting an authorization review process using the Cloud.

*** Xpandion supports both on-premises and in-Cloud authorization review. Read more at http://xpandion.com/Security-Authorizations/authorization-review.html
CHAPTER SEVEN

AUTOMATED AUTHORIZATION REVIEW TOOL: KEY FEATURES
AUTOMATED AUTHORIZATION REVIEW TOOL: KEY FEATURES

What should I be looking for in an automated tool?

An effective automated authorization review tool includes, at the very least, the following features and abilities:

1. Review options

The tool must be able to support the following review options:

- Review of all basic activities allocated to an employee, such as opening supplier accounts, updating records, etc.
- Only reviewing sensitive authorizations, per employee (for immediate and rapid review).
- Only reviewing specific activities such as financial activities, per employee.
1. Review options, continued

- Reviewing authorization groups (roles) allocated to employees. If there is a need for a quick review, some objects can be removed (but this will result in a less thorough review).
- Only reviewing some employees, a specific user group, department, etc.
- Reviewing only changes in authorization allocation that occurred since the last successful review.

Advanced reviews:

- Reviewing business objects as authorizations to warehouses, to company codes, etc.
- Reviewing activities that haven't been used.
- Reviewing authorizations according to position.
- Reviewing authorizations resulting from an organizational change.
2. Requirements from a process point of view

- Support the ability to retrieve authorizations data and maintain a centralized database for employees in operational systems.
- Obtain the HR system's organizational structure and upload it to the main system.
- Email managers with a link to their employees' authorization review.
- Allow managers to highlight the authorizations they want to cancel and keep, according to the following options:
  o Approve/reject authorizations per user.
  o Approve all authorizations in a department with just one click.
  o Reject some authorizations and approve the rest.
  o Approve some authorizations and reject the rest.
2. Requirements from a process point of view, cont.

- Continuousness of review. Permit managers to review some authorizations, shut down their computers, and return later to complete the review of only the authorizations that are still open.
- Requests to cancel. Allow those authorizations marked as canceled to be sent to a special database where they can be handled by the person responsible for the relevant system.

A note from the editor: These recommended features were collected from numerous RFQ documents over the last few years. ProfileTailor Dynamics supports all of these requirements and more.

Improve Your Authorization Review Process: http://go.xpandion.com/authrdemo
2. Requirements from a process point of view, cont.

- Data owners must have the ability to review authorizations. This means that the key financial user reviews all financial authorizations, the asset expert reviews all authorizations related to asset accounting, etc. Note: Even if this option is not relevant to your current review requirements, it is important to ensure that the tool supports it in order to allow future modifications based on current reviews and changes in the auditor's direction.
- Quickly obtain authorizations data from the various systems. In many organizations this is done manually and repeatedly for each and every system! By the time the data is fetched from the last system, time has elapsed and the information from the first system is no longer 100% accurate. Therefore the tool must be able to repeat the process quickly, and to recover in case of a technical malfunction.
2. Requirements from a process point of view, cont.

- Upload user and authorization data from Excel. This feature is needed for systems that do not support direct connectivity or if connecting to them is complicated. It is very frustrating to discover in the middle of the process that there is a legacy system for which the auditor demands a full review, yet there is no easy option to upload the data from it to the main system.
- Current status of the review. It is critical to be able to understand the status of the review at a glance: how many authorizations needed review, how many authorizations have been reviewed and how many authorizations still need to be reviewed? The status should be divided into different views for departments, managers, user groups, etc. Sage advice: The report should be understood not only by system technicians but also by business managers.
2. Requirements from a process point of view, cont.

- Thorough documentation of the whole process for later access. The entire process, each approval, rejection, change in definitions, and every ticket for cancelling authorizations must be easily accessible after the review, even after a long period of time. Many times, during an audit or investigation, the question "Who asked to remove this authorization, and why?" arises, and the answer must be easy to find.

3. Requirements from a business performance point of view

- Review employees, not users. Managers tend to have a limited amount of time for audit-related tasks and therefore need to be able to review an employee's authorizations in all systems with one view. This is vital for satisfying managers and for getting a quick response from them. In other words, it should be possible to review each employee only once for all of his/her authorizations.
3. Requirements from a business performance point of view, cont.

- Resend a reminder or the full request again to managers that did not perform or complete it. Many managers tend to take the review seriously only after receiving a reminder (or a couple of them).
- Support cancellation tickets. Cancellation requests need to be documented in relevant tickets, one ticket per each cancellation request. These tickets can be handled later by the Helpdesk or the relevant authorizations manager. In many cases, the auditor needs to see the full flow of the cancellation request, so supplying cancellation requests by tickets is a rather good solution.

An effective automated tool enables sending a reminder email to managers that did not perform the review according to the defined timeframe.
3. Requirements from a business performance point of view, cont.

- Provisioning. For certain systems in an organization, such as the main systems, provisioning is strongly recommended for changing authorizations automatically and documenting the actions in the appropriate ticket. This ensures that no one will make manual mistakes during the tedious process of removing authorizations, and also increases the level of security.
- Multi-language user interface support. It is proven that responsiveness to the authorization review process is significantly higher when the user interface is in the manager's native language.

    Simple and clear language. The language of the user interface needs to be understandable by business managers so they can make educated and accurate decisions. Role names like ZLO_NOCHANGE provide little or no information to non-technical people, so managers may inadvertently sign authorization reviews without really knowing whether the authorizations are required, which causes a rubber-stamp situation. Instead of unclear names, use role descriptions that have a meaning, like "Logistic authorizations: reports only, no change options".

    Employee details. Employee details like names and positions must be displayed clearly, because managers usually refer to employees by personal information and not by user accounts.

    Automatically indicate sensitive authorizations in the full authorization list. This is critical, because when managers can visually identify sensitive authorizations, they can focus on them quickly and make smarter decisions. For example, opening an account entry can be defined as a risky action that should be highlighted clearly in the manager's review page.

    Display last usage for each authorization. If the system being reviewed includes usage records, the review needs to provide information regarding the last time the authorization was actually used. Managers find it easier to remove an authorization from an employee when they see that the last time it was used was over a year ago, as opposed to one that is being used frequently.
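    The four requirements above (meaningful role descriptions, employee details, highlighted sensitive authorizations and last-usage information) and the cancellation-ticket requirement earlier in this chapter describe what a review page and its follow-up records must contain. The following script is an added example, not Xpandion's or ProfileTailor's code, showing one way to assemble such a page from raw assignment data and to turn the manager's decisions into one cancellation ticket per removed authorization. The role catalogue, the employees, the manager's decisions and the 365-day staleness threshold are all constructed assumptions for illustration.

```python
"""Build a manager-facing authorization review and turn the manager's
decisions into one cancellation ticket per removed authorization.

Added example (not Xpandion's or ProfileTailor's code). All data below is
constructed for illustration: the role catalogue, the users and the
manager's decisions are assumptions, as is the 365-day staleness rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed role catalogue: technical role name -> (business description,
# is the role considered sensitive). In a real deployment this would come
# from the ERP system and the organization's own risk definitions.
ROLE_CATALOG = {
    "ZLO_NOCHANGE": ("Logistic authorizations: reports only, no change options", False),
    "ZFI_ACCT_OPEN": ("Finance: open new account entries", True),
    "ZHR_PAYROLL_DISP": ("HR: display payroll results", False),
}

STALE_AFTER_DAYS = 365  # assumption: unused for over a year counts as stale


@dataclass
class Assignment:
    user_id: str               # technical account, e.g. "U00123"
    employee_name: str         # what the manager actually recognizes
    position: str
    role: str
    last_used: Optional[date]  # None if the system keeps no usage record


@dataclass
class ReviewLine:
    employee_name: str
    position: str
    user_id: str
    role: str
    description: str
    sensitive: bool
    days_since_use: Optional[int]
    stale: bool


def build_review(assignments, today):
    """Produce the lines a manager sees, sensitive first, then stale ones."""
    lines = []
    for a in assignments:
        desc, sensitive = ROLE_CATALOG.get(a.role, (a.role, False))
        if a.last_used is None:
            days, stale = None, False  # no usage data: staleness cannot be judged
        else:
            days = (today - a.last_used).days
            stale = days > STALE_AFTER_DAYS
        lines.append(ReviewLine(a.employee_name, a.position, a.user_id, a.role,
                                desc, sensitive, days, stale))
    # Sensitive and stale items float to the top so the manager focuses on them.
    lines.sort(key=lambda l: (not l.sensitive, not l.stale, l.employee_name))
    return lines


def cancellation_tickets(review, decisions, manager, opened_on):
    """One ticket per authorization the manager marked "remove".

    decisions maps (user_id, role) -> "keep" | "remove". Each ticket records
    who decided, when, and the evidence that was shown to them, so an auditor
    can follow the full flow of the cancellation request.
    """
    tickets = []
    for line in review:
        if decisions.get((line.user_id, line.role)) != "remove":
            continue
        tickets.append({
            "ticket_id": f"CANCEL-{len(tickets) + 1:04d}",  # placeholder numbering
            "user_id": line.user_id,
            "employee": line.employee_name,
            "role": line.role,
            "description": line.description,
            "requested_by": manager,
            "opened_on": opened_on.isoformat(),
            "evidence": {"sensitive": line.sensitive,
                         "days_since_use": line.days_since_use},
            "status": "open",
        })
    return tickets


# Constructed sample data for a single manager's review.
TODAY = date(2014, 6, 1)
SAMPLE = [
    Assignment("U00123", "Dana Levi", "Logistics clerk", "ZLO_NOCHANGE", TODAY - timedelta(days=3)),
    Assignment("U00123", "Dana Levi", "Logistics clerk", "ZFI_ACCT_OPEN", TODAY - timedelta(days=400)),
    Assignment("U00456", "Yossi Cohen", "HR analyst", "ZHR_PAYROLL_DISP", None),
]

if __name__ == "__main__":
    review = build_review(SAMPLE, TODAY)
    for l in review:
        flag = "SENSITIVE " if l.sensitive else ""
        age = "no usage record" if l.days_since_use is None else f"last used {l.days_since_use} days ago"
        print(f"{flag}{l.employee_name} ({l.position}, {l.user_id}): {l.description} [{age}]")
    decisions = {("U00123", "ZFI_ACCT_OPEN"): "remove"}
    for t in cancellation_tickets(review, decisions, "manager.a", TODAY):
        print(t)
```

    Two design choices matter for the auditor. An assignment with no usage record is deliberately not marked stale, so the absence of data is never mistaken for evidence of non-use; and each ticket carries the evidence the manager saw at decision time, so the cancellation can be justified later without re-querying the live system.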

    4. Additional Requirements

    The tool should also support the following important capabilities:

    Delegation option. One manager can transfer the review to another manager, as in the case when an employee does not work directly under this manager. In addition, delegation should be permitted for certain authorizations if there is more than one appropriate manager to approve them.

    Saving the data to a file. The output can be saved to external files, such as saving audit reports to Excel and user forms to Word or PDF. Managers and many other users require saving capabilities, usually for backup purposes, and the tool should enable this action. The output must be able to be saved in a nice, graphical style to guarantee user satisfaction.

    ProfileTailor Dynamics provides simple overviews of the status of all authorizations.
    CHAPTER EIGHT

    6 IMPORTANT TIPS FROM THE FIELD

    I need the inside information.

    The following useful suggestions come straight from customers and consultants who implemented an automated authorization review process in their organizations:

    Tip #1: Prepare enough time in advance.

    The average time for the first implementation is between two weeks and three months, depending on the number of systems, the readiness of the databases and the organizational culture. Therefore, it is recommended to be prepared ahead of time, especially if additional resources need to be included.

    Tip #2: Get top management support.

    It is essential that senior managers like the CEO and CFO support this process. Involving senior management and sending them status reports ensures that the review will end on time and successfully.

    Tip #3: Involve the auditor.

    At the end of the day, the auditor is the real customer in this process. It is recommended to involve them along the way to get professional guidance and to increase their level of satisfaction and confidence in the process. It is also a good idea for the auditor to appoint a representative to participate in regular status meetings, while the auditor him/herself should be present in the company's executive meetings.

    Tip #4: Prepare proper infrastructure.

    To avoid issues that might slow down the implementation process, and to maintain an atmosphere of success, it is important to prepare proper infrastructure. The infrastructure may include the required hardware, additional software programs (such as Microsoft Office in certain situations, graphical elements, etc.), preliminary installations (database, Windows), and allocation of authorizations to the different systems.

    A delay in any of the above will postpone the implementation, and the auditor might disqualify the authorization review for that period. Preparing the proper infrastructure shortens implementation time, improves the level of satisfaction and enables the review to begin as scheduled.
    Tip #5: Hold regular status meetings.

    During the implementation process, from the beginning until the end of the review, it's a good idea to hold meetings about the progress. In the meetings, determine the timetable and remaining tasks. This way, enough time is left dedicated to the authorization review and for implementing any changes in authorizations accordingly.

    Tip #6: Train the reviewers.

    Hold a central training meeting in the organization for all managers who are supposed to use the authorization review tool. The meeting should be run by the person in charge of the tool (ideally, an internal employee), with the goal of increasing the managers' confidence in the process. Professional training equals high satisfaction and fast authorization reviews.
    CHAPTER NINE

    CONCLUSION

    Now let's run with it!

    By following the requirements, advice and guidelines in this eBook, enterprises will be able to verify that authorizations granted to employees are valid and comply with regulations, and they will also be able to increase control of employee authorizations.

    Reviewing authorizations at least once a year, or even more often, will ensure that employees are holding authorizations for justifiable reasons and allow the organization to make the proper decisions regarding its authorization compliance.

    With ProfileTailor Dynamics, managers can easily review a single employee's authorizations.

    The recommended method for conducting the authorization review is to use an automated tool such as ProfileTailor Dynamics Authorization Review.
    Xpandion also offers live demonstrations of our product to qualified companies using custom data from your applications and your industry.

    Ready to be in the driver's seat when it comes to ERP security and authorizations? Our specialists can evaluate your particular situation and tell you how Xpandion's all-in-one ProfileTailor software can help you easily take control over ERP security and authorizations.

    ProfileTailor is a powerful, end-to-end solution that requires no ERP expertise and is installed externally to the ERP system. It gives you the tools to reduce security breaches, get alerted about irregular behavior, eliminate unnecessary authorizations including power profiles, and enable monitored remote access.

    LEARN HOW XPANDION CAN HELP YOU ENSURE ERP SECURITY & AUTHORIZATION COMPLIANCE BY SPEAKING WITH AN EXPERT