Evaluating conflicts can be an overwhelming task. A previous blog, “First things first”, explains how to prioritize conflicts so that the work becomes manageable. Here we assume that the list of conflicts has already been categorized, filtered and assigned to the corresponding role owners and risk owners. These owners can then investigate each conflict and decide how to resolve it.
Resolving a conflict can be done by applying the three R's:
- Remove the role from the employee
- Remove the application access from the role
- Restrict the access for that role, e.g. by lowering the access mode to read-only
- Restrict the application access within the role
- Accept the risk, if the risk is within tolerance and no mitigating control is needed (document the acceptance and link it to the conflict, so that it can be reviewed later)
- Define a mitigating control
The last option applies, for example, when (1) the role legitimately needs this authorization and (2) the employee legitimately needs this role. In that case a mitigating control is required to assure that the corresponding access is used properly and not for fraudulent or otherwise undesired activities. Examples of mitigating controls are a (manual) periodic review of a log file to check how the access was used, or an (automated) alert when an application access is used unusually often or outside normal working hours.
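The two mitigating controls mentioned above, the automated alert and the periodic log review, as an added example that is not part of the original post or of any product it describes. The log format, the monitored user, the working-hours window and the daily-use threshold are all constructed assumptions; a real control would read the application's own audit log and tune the thresholds per application.

```python
from datetime import datetime, time

# Constructed example: user u1001 keeps both sides of a documented conflict
# (e.g. create vendor + approve payment) and the risk was accepted with a
# mitigating control. Only accesses listed here are monitored. (assumed data)
MONITORED_CONFLICTS = {
    "u1001": {"VENDOR_CREATE", "PAYMENT_APPROVE"},
}

# Constructed access log, one event per line: "timestamp|user|application access".
# The format is an assumption; a real application exports its own.
SAMPLE_LOG = """\
2024-03-04T09:12:00|u1001|VENDOR_CREATE
2024-03-04T09:40:00|u1001|PAYMENT_APPROVE
2024-03-04T10:05:00|u1001|PAYMENT_APPROVE
2024-03-04T22:30:00|u1001|PAYMENT_APPROVE
2024-03-05T03:15:00|u1001|VENDOR_CREATE
2024-03-05T11:00:00|u2002|PAYMENT_APPROVE
"""

# Control parameters (assumed thresholds; tune per application).
WORK_START = time(7, 0)
WORK_END = time(19, 0)
MAX_DAILY_USES = 2  # alert once a monitored access is used more often per day


def parse_log(text):
    """Parse the pipe-separated log into (timestamp, user, access) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, access = line.split("|")
        events.append((datetime.fromisoformat(ts), user, access))
    return events


def outside_working_hours(ts):
    """True on weekends or outside the WORK_START..WORK_END window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def evaluate(events):
    """Automated control: alerts for off-hours and over-frequent use of a
    monitored access. Events of unmonitored users or accesses are ignored."""
    alerts = []
    daily_counts = {}
    for ts, user, access in events:
        if access not in MONITORED_CONFLICTS.get(user, set()):
            continue
        if outside_working_hours(ts):
            alerts.append({"type": "OFF_HOURS", "user": user,
                           "access": access, "at": ts.isoformat()})
        key = (user, access, ts.date())
        daily_counts[key] = daily_counts.get(key, 0) + 1
        # Raise the frequency alert exactly once, on the first event over the limit.
        if daily_counts[key] == MAX_DAILY_USES + 1:
            alerts.append({"type": "FREQUENCY", "user": user, "access": access,
                           "date": ts.date().isoformat(),
                           "uses": daily_counts[key]})
    return alerts


def usage_summary(events):
    """Manual control: per (user, access) usage counts for the periodic review."""
    summary = {}
    for _, user, access in events:
        if access in MONITORED_CONFLICTS.get(user, set()):
            summary[(user, access)] = summary.get((user, access), 0) + 1
    return summary


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in evaluate(evs):
        print(alert)
    print(usage_summary(evs))
```

On the sample log this raises three alerts for u1001 (two off-hours uses and one day on which PAYMENT_APPROVE exceeded the daily limit) and ignores u2002, who has no documented conflict. The summary is what a reviewer would look at in the manual periodic audit; the alerts are what an automated control would route to the risk owner.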
Investigating a conflict requires knowledge of the application and of the business processes in use, as well as knowledge of the risk the conflict constitutes. Conflicts are therefore often analyzed by domain experts together with application experts. Finally, the supervisor has to take responsibility for the roles assigned to each of their employees.
The process above should be modeled and automated in a workflow, typically executed by role owners and supervisors. Automating the process ensures that no conflict is overlooked and that evidence of the decision taken for each conflict is recorded.
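A minimal model of such a workflow, added here as an example and not taken from the original post or from any workflow product: each conflict is assigned to an owner, only that owner may decide, every decision type must carry the evidence required for it before the conflict closes, and an open-conflict report shows what is still unresolved. The decision names follow the options listed above; the required evidence fields, the owner names and the sample conflicts are assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    REMOVE_ROLE = "remove role from employee"
    REMOVE_ACCESS = "remove application access from role"
    RESTRICT = "restrict access"
    ACCEPT = "accept risk"
    MITIGATE = "define mitigating control"


# Evidence each decision must carry before a conflict may be closed.
# These field names are an assumed policy, not a standard.
REQUIRED_EVIDENCE = {
    Decision.REMOVE_ROLE: {"change_ref"},
    Decision.REMOVE_ACCESS: {"change_ref"},
    Decision.RESTRICT: {"change_ref", "new_access_mode"},
    Decision.ACCEPT: {"justification", "risk_owner_approval"},
    Decision.MITIGATE: {"control_id", "control_owner"},
}


@dataclass
class Conflict:
    conflict_id: str
    employee: str
    role: str
    accesses: tuple          # the conflicting application accesses
    assigned_to: str         # role owner or supervisor who must decide
    decision: Optional[Decision] = None
    evidence: dict = field(default_factory=dict)
    decided_by: Optional[str] = None
    decided_at: Optional[str] = None


class ConflictWorkflow:
    def __init__(self, conflicts):
        self.conflicts = {c.conflict_id: c for c in conflicts}
        self.audit_trail = []  # append-only record of every accepted decision

    def decide(self, conflict_id, actor, decision, evidence):
        """Record a decision. Rejects actors who do not own the conflict,
        decisions on already-closed conflicts, and incomplete evidence."""
        c = self.conflicts[conflict_id]
        if actor != c.assigned_to:
            raise PermissionError(f"{actor} is not the owner of {conflict_id}")
        if c.decision is not None:
            raise ValueError(f"{conflict_id} is already closed")
        missing = REQUIRED_EVIDENCE[decision] - set(evidence)
        if missing:
            raise ValueError(f"{decision.name} requires evidence: {sorted(missing)}")
        c.decision = decision
        c.evidence = dict(evidence)
        c.decided_by = actor
        c.decided_at = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append({
            "conflict_id": conflict_id, "decision": decision.name,
            "by": actor, "at": c.decided_at, "evidence": c.evidence,
        })
        return c

    def open_conflicts(self):
        """Conflicts still without a decision, so that none is overlooked."""
        return sorted(cid for cid, c in self.conflicts.items() if c.decision is None)


def build_sample_workflow():
    """Constructed sample: two conflicts assigned to two owners (assumed data)."""
    return ConflictWorkflow([
        Conflict("C-1", "emp42", "AP_CLERK", ("VENDOR_CREATE", "PAYMENT_APPROVE"), "roleowner.ap"),
        Conflict("C-2", "emp77", "HR_ADMIN", ("SALARY_CHANGE", "PAYROLL_RUN"), "supervisor.hr"),
    ])


if __name__ == "__main__":
    wf = build_sample_workflow()
    wf.decide("C-1", "roleowner.ap", Decision.MITIGATE,
              {"control_id": "CTRL-0031", "control_owner": "audit.team"})
    print("open:", wf.open_conflicts())
    print("trail:", wf.audit_trail)
```

The point of the evidence table is that an "accept the risk" decision cannot be recorded without a justification and a risk-owner approval, and a "mitigating control" decision cannot be recorded without naming the control and its owner; the audit trail is what an auditor later reads to see who decided what, and when.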