You are in good hands with us.
2 out of 3 undesired incidents related to access violation involve an insider. Usually by mistake, sometimes with malicious intent. With our solution, you can easily document the functions of your enterprise and what access these require. You also configure the access and access combinations that are risky. By connecting users to functions, you further ensure that each individual only has access to what is needed at any given time, so-called “Least privilege”. This helps prevent data loss and reduces the threat surface of the enterprise. You get an overview of the most trusted users in the enterprise, allowing you to implement additional measures for these, or to adjust permissions to reduce risk. Employees easily see what access they have. The latter is particularly important for credit and invoice authorizations because it reduces the risk of authorization breach.
The user concept of the solution is wide and extensible. It may be a permanent or temporary employee, a hired consultant, an external consultant, a robot, a system account, an operational user or a computer.
Managers, including their deputies, manage access and IT equipment for their employees themselves. Users can find and apply for access themselves. Approval for access requests is turned on by default, but can be turned off per service and access level.
Our solution supports your existing processes, business logic, associations and functions. Examples of associations are Company, Department, Job Title and Type of user. As for function, you can connect access to association. Role is an umbrella term for function and association. Function and Department roles support hierarchical structure.
Our solution yields simplified lifecycle management of identities and access with automated workflow, business rules and easy integration with heterogeneous platforms, internally and in the cloud. The main process involved is “Joiner, Mover and Leaver of employment”, abbreviated JML. The solution supports JML via automated import from HR, both for association and other user data such as name and address. Combined with configurable access for association, this is a highly efficient automation platform.
The solution is readily available and easy to use. You can do all configuration and setup yourself. Thus you can continuously improve and increase the level of automation using internal resources. Automation trumps robotization. You can also implement new automated platforms through internal development.
The solution has excellent reporting capabilities. This is important for several functions, such as security, risk, compliance with external and internal auditors, HR, management, support, and administration. The reports are security trimmed so that they show only what the user is authorized for.
When an employee changes department, the new manager gets a certification task to audit the employee’s access. Managers are also assigned periodic certification tasks to audit all employees in the department. The manager audits the employee’s function and any special access granted beyond association and function. Cost and risk of employee access and access combinations are the key figures in the manager’s certification. The purpose is to reduce risk and cost.
The solution is a platform for continuous improvement of operational risk management and compliance. As regulatory requirements and ethical guidelines change, you easily and smoothly adapt existing and set up new services to comply.
The application includes the following compliance and risk management services that each customer can customize to their needs:
It is easy to set up services for other types of reporting by building enquiry and order forms per service. The fields in the forms are given sequence and can have caption and description. The fields support input of the following data types:
Alerts, access and responsible case workers are configured per area and category of each service. Access can be linked to function, to the manager of the rapporteur, to managers in the department hierarchy of the incident, or to managers in the department hierarchy of the customer concerned in the incident. It may also be linked to the owners of the processes involved. Each service is a configurable security silo. With a system for identity and access management as the platform, comprising automatic import from the HR system of manager hierarchy, employee association and function, this is a highly automated and very powerful authorization tool.
The enterprise service desk should be rigged for self-service. This means that users can find information to help themselves and that users have access to features to solve tasks. Our solution has a complete service desk built around these self-service concepts in an agile and elegant way.
User-guides are information, fact sheets and frequently-asked-questions about the services the enterprise offers its employees and the products it offers its customers. Most enterprises have such a knowledge database for internal use by support. By making user-guides available and searchable for all, employees are able to help themselves. Self-service is the fastest problem resolution. It also eases the load on the service center, which then can serve requests faster and spend more of their time proactively, for example by continuously improving existing and creating new user-guides.
Our solution places the searchable user-guides and service pages between user and service desk. It connects user-guide to service. Services have 1st and 2nd line support teams. By default, the solution allows submission of an enquiry only in the context of a service. The users are hence forced to try to find information themselves first, and then contact the service desk if they cannot find what they are looking for. With submission in service context, enquiries are also automatically routed to the proper support team. People with the necessary knowledge can thus begin to work on the enquiries sooner.
Each service has one or more custom forms used for submission of enquiry or order. The fields in the forms can have caption and description. The sequence of the fields is configurable and they support input of all conceivable types of information. By only allowing submission of enquiry in the context of a service, the requests more often contain the necessary information because the proper form is filled out.
User-guides should be promoted on the Intranet and in the handling of incoming requests. In telephone enquiries, callers should be guided to the search page and asked to find the user-guide or service to help themselves. Users only need to remember how to get to the search page the next time a problem occurs. The same can be done with screen dumps in response to a written enquiry.
Not all knowledge database content can be made available to all employees due to complexity and confidentiality. Our solution supports multiple authorization levels for user-guides. The search results are security trimmed so that each user finds and has access only to the user-guides they are authorized for. That means the support teams can have their internal user-guides in the same location as the open ones. The support teams search for and read the knowledge base in the same way as regular users. The knowledge database has one single location.
Change password and unlock user account are the two most common service desk requests. Our solution supports these features via colleagues. That means that employees can get help to do this from a colleague in the next seat. Passwords are sent via SMS to the mobile number registered to the user. All actions are logged and the employee is alerted of actions performed by the colleague.
Password policy is configured per user type. All conceivable configuration is supported. Passwords can be made pronounceable. Some password policies make it hard for users to come up with a new password when change is due. Our solution suggests passwords to use.
The solution also offers self-service setup of project and document rooms, including support for confidential rooms. The access administration for the rooms is simple, centralized and self-serviced. This builds on the IAM module.
With an IAM system at the base, having continuous import from the HR system, the solution has correct employee information and departmental structure at all times. The solution uses this for interactive visualization of department hierarchy with features such as find me, find colleague, find department, see employee and department information, see the Skype status of employees, IT cost per department and employee etc.
IAM concepts such as function, association, access and case worker teams each group employees. This can be effectively used for communication. The solution has a useful message central with SMS and e-mail distribution to one or more of these groups. It is for example possible to send a message to all having access to the service Adobe Photoshop or all employees of the division Private Market.
Our cost-benefit overview will surely show significant savings for your enterprise. Please contact us for a presentation.
The following are the main benefits:
Several functions are involved in the governance, control and assignment of identities and access. In smaller enterprises, it is natural that several of these functions have the same people.
A 1st line consisting of the authorization team, system owners, managers and the HR function, should be responsible for assigning and controlling identities and access.
Managers and HR use the features for Joiner, Mover and Leaver of employment. Managers also use the access certification feature for their employees and departments.
HR manages leave of absence and future department changes. HR is also responsible for the data foundation in the HR system, from which JML is automated.
System owners can automatically be assigned access requests to their services for approval and/or execution. System owners can also manage access to their services continuously. The authorization team manages the system owners’ capabilities and responsibilities per service and/or access level.
The authorization team, alongside system owners and the assignment groups for each service, is responsible for the processing of incoming access orders. The authorization team has the overall responsibility. For example, a new employee will result in a person registration enquiry with an order book which contains a new order book per service to grant access to. The various assignment groups are assigned responsibility for the order books of their services, but the authorization team is overall responsible for the user being operative on the employee’s first day at work.
An access level is either manual, automatic or register. Automatic means that the underlying system is automatically updated. Register means that access shall only be recorded in the solution. This type is usually used because the underlying system is updated by a periodic export from the solution that the system imports on its side. Access orders for manual access levels must be manually processed, i.e. the caseworker must modify access in the underlying system before moving the order to the completed state in the solution.
A 2nd line consisting of the authorization team and the functions of risk management and security, should be responsible for governance and control of identities and access.
The authorization team governs the solution by setting up new services with access levels and by continuously improving these services. They create functional roles and add access levels in functional and associative roles. If the enterprise has no automated HR import that creates associative roles, the team creates these too.
The authorization team also sets up one or more training services, each having any number of courses. Courses can be specified as requirements on roles, either by direct connection or via service and/or access levels of the role.
Risk and security are responsible for defining separation of duty access and for entering risk numbers on roles, services and access levels. This should be continuously improved and periodically controlled.
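The sketch below is an added illustration of how separation-of-duty combinations and risk numbers can be evaluated against a user's effective access (roles plus special access); it is not the vendor's code. All role names, access levels, risk numbers, the child-inherits-parent direction and the rule that a user's risk is the sum of their access risk numbers are assumptions made for the example.

```python
# Constructed sample data: every name and number here is an assumption.
ACCESS_RISK = {"crm.read": 1, "invoice.register": 2,
               "invoice.approve": 5, "payment.release": 8}

# Function and association roles; a child role is assumed to inherit its parent.
ROLES = {
    "assoc:dept/finance":     {"parent": None, "access": {"crm.read"}},
    "func:accountant":        {"parent": None, "access": {"invoice.register"}},
    "func:senior-accountant": {"parent": "func:accountant",
                               "access": {"invoice.approve"}},
    "func:treasurer":         {"parent": None, "access": {"payment.release"}},
}

# Access combinations that risk/security have defined as toxic.
SOD_RULES = [frozenset({"invoice.register", "payment.release"}),
             frozenset({"invoice.approve", "payment.release"})]

USERS = {
    "alice": {"roles": ["assoc:dept/finance", "func:senior-accountant"],
              "special": set()},
    "bob":   {"roles": ["assoc:dept/finance", "func:accountant"],
              "special": {"payment.release"}},  # granted beyond role
    "carol": {"roles": ["assoc:dept/finance", "func:treasurer"],
              "special": set()},
}

def role_access(role):
    """Access levels of a role, including those inherited up the hierarchy."""
    access, seen = set(), set()
    while role is not None and role not in seen:  # 'seen' guards against cycles
        seen.add(role)
        access |= ROLES[role]["access"]
        role = ROLES[role]["parent"]
    return access

def effective_access(user):
    """Union of role-derived access and individually granted special access."""
    access = set(USERS[user]["special"])
    for role in USERS[user]["roles"]:
        access |= role_access(role)
    return access

def sod_violations(user, requested=()):
    """SoD rules fully covered by current access plus any pending request."""
    access = effective_access(user) | set(requested)
    return [sorted(rule) for rule in SOD_RULES if rule <= access]

def risk_score(user):
    return sum(ACCESS_RISK[a] for a in effective_access(user))

def most_trusted():
    """Users ordered by descending risk score (ties broken by name)."""
    return sorted(USERS, key=lambda u: (-risk_score(u), u))
```

Calling `sod_violations(user, requested=[...])` before approval shows whether a pending access request would create a conflicting combination, while calling it without `requested` audits what a user already holds.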
System owners are responsible for the use of their access levels in roles and for their assignment as special access to employees. The solution enforces periodic revision of this by system owners.
The following reports are the most important in governance and control:
The reports include all conceivable fields and each field has support for sorting and drill-down-filtering. The report “users with access having license price” for example includes company, division, department and cost centers, making it easy to divide the cost in the organization. The reports “All Users” and “All departments” have the possibility to sort to find the most trusted based on risk figures and the most expensive based on IT cost.
Security also uses these reports in its control function:
The solution currently has 43 different enquiry types. Both data requirements and access model are configurable for them. This flexible model makes it easy to introduce new enquiry types.