Is Your Emergency User Concept Just a Carte Blanche?
Increased scrutiny from the BSI in connection with the NIS2 directive expected in the fall has put the issue of emergency users at the top of auditors' agendas, and not just for Kritis companies. In particular, they examine the extent to which the controls are integrated into the company's internal SoD (segregation of duties) concepts. This is because these are still rarely considered together and cause a significant and unnecessary security gap if super-users have far more permissions than they should according to the internal SoD concept. "This is neither sensible nor practicable for a holistic security strategy," explains Ralf Kempf, IT security evangelist and CTO of Pathlock Germany.
Monolithic or hybrid
"The complexity of IT systems, which are often no longer monolithic but hybrid, is growing rapidly, which means that SoD concepts are also becoming more extensive and less transparent. It is essential to keep them up to date, transparent, and harmonized. Contingency plans can no longer be viewed in isolation," emphasizes Kempf. It is important to consider the auditors' perspective. They are generally critical of super-user concepts because they can compromise the integrity of systems and financial data. To maintain confidence in the company's financial reports, they ensure that there are clear rules and controls on who is granted emergency user rights and how they are used.
As the task of harmonizing approaches, complying with requirements, and creating transparency through proper logging presents new challenges for organizations that have already struggled with the initial implementation of SoD. While there is no one-size-fits-all solution, there are a number of best practices that can help make the process more efficient. These include reviewing an existing set of rules for your own organization.
The review of the scope and relevance must take into consideration new developments and technological advances in the applications and, if necessary, lead to an individual adaptation of the rules and regulations. The necessity of each role and each T-code—including the currently valid authorizations—must be reviewed in relation to actual usage. If they are not assigned to a user or are being used by others, they should be removed for security reasons.
Relevance check
If the relevance check shows that an employee has not used an authorization for more than a year, it should be deleted from the profile. This sounds simple, but requires technical effort and expertise. After all, when you remove a user's privilege, you need to change the existing roles, which is not always easy to do manually. To streamline the process, it is common practice to remove the conflicting privileges first, and then remove the sensitive privileges in a second step. To prevent employees from feeling that their rights are being taken away, it is helpful to present them with the relevant statistical user data. Irrefutable evidence of non-use helps to overcome resistance and convince superiors. In this way, the policy remains clear and effectively adapted to the company's circumstances.
Closing ranks with auditors
It is crucial to see both internal and external auditors as allies with the same goal of a good security policy. Close cooperation and a lively discussion culture allow for compromise and flexibility on both sides. It must be possible to address specific issues if something in the regulations seems inappropriate. Auditors are often willing to accept an alternative if it does not change the level of security.
Integrate management
When in doubt, it makes sense to ask the auditor for appropriate solutions and to validate them with the goal of achieving quick success and gaining management support. The decision maker level should be motivated to ask if they need background information to understand and clarify certain SoD rules. If a role is deemed unnecessary, auditors may be tempted to remove it. With the right rationale behind a particular rule or requirement, managers are better able to evaluate changes and drive improvements. A well-informed management team can become a strong partner in the project.Â
No matter how competent an internal audit team is, additional support from experienced experts should be sought. It is extremely important to proceed with caution and do your homework. As a general rule, a consulting firm should have at least the same level of expertise as the audit team. If both parties use the same terminology and share the same beliefs and standards, this can result in significant cost savings and more effective prevention of future fraud attempts.
To the partner entry:
