Our team has been busy adding features and functionality to our Security and Risk Advisor tool, SARA. Ahead of the upcoming production release (Fall 2022), here are some preview highlights.
- Our one-stop-shop application for security data is now more dynamic, allowing the GRC or Security admin to select which product families to include in the Flattened Role/Permission applications.
- We know getting started is often the hardest part. As part of the delivered content, we now ship pre-defined security roles for the GRC Administrators and Business representatives who will use SARA.
Access Risk Management
- Tables are the most common access point into Nextworld applications, but the flexibility of the Nextworld security model also lets users set access at the field (data item) and workflow level. We now have better data for investigating these access types and have added validation options for Restricted Field access.
- The Risk Level of a Control is now determined by the combination of its Likelihood and Severity instead of being set as a single data item.
- The approval workflow for records flagged as an Access Issue is a critical component of Access Risk Management. Instead of allowing an approval with no reason recorded, a Control Exception entry for the user and control is now required before an Access Issue can be approved.
- Most companies have a time limit on their review processes. We have added a Validation End Date to Access Risk Reviews to determine whether a review is open or completed.
- We continue to learn about the different ways applications can be designed to give the best user experience. We added a new front-end application on top of our existing Violation Review application so that it matches the look and feel of Role Assignment Review.
Role Assignment Review
- The Role Function column in the Role Maintenance application is now auto-populated with Inquiry or Transaction, based on data from the Role Access Tool, when the Role list is built.
- When a Role Owner is reviewing their users in Role Assignment Review, they can now send a notification to the Security Admin group to terminate a User record if they notice a user who has left the organization or no longer needs Nextworld access.
- As with Access Risk Management, most companies have a time limit on their review processes. We have added a Review End Date to Role Assignment Reviews to determine whether a review is open or completed.
- If a Role Owner does not complete the review in the allotted time (before the Review End Date), the status of the record changes to "Review Not Completed". For Compliance Managers, a new report lists the Role Owners who did not complete the Role Assignment Review approval process.
Security Release Compare Review
- Nextworld released a new application called Security Release Comparison, which produces a list of security differences between environments and is intended for comparing current Production security with Next Release security. We built a new application that joins the Security Release Compare data to SARA Role Owners, summarizes the review data at the Functional and Aggregated Role level, and adds an approval process so Role Owners can sign off on the changes before they are pushed to Production.
- We also added a connection to our Validation What If application that pre-loads the list of roles from Security Release Compare and validates them for Segregation of Duties or Sensitive Access issues. This lets the GRC Administrator see whether any compensating controls need to be set up and recorded in the Control Exception application before the next production release.
Data Change Notifications
- Data Change Notifications (DCN) is a new module for SARA. It is a detective control rather than a preventive one: it does not replace NATE Audit, and it does not hold any transactions in a pending state. It is intended for a small number of Master Data tables and selected data items within those tables.
- Once the customer identifies the tables and data items, we add them to the DCN Setup application. We also add the user groups, business events, message templates, and message definitions to the customer environment. Once these are in place, whenever an end user changes one of the selected data items in one of the selected applications, the DCN process sends an email notification to the users in the defined group and writes the before and after values to a list application.
- From that application, Data Owners can review the change, follow up with the user who made it and, if needed, ask them to manually revert it.
- We also added the ability to define a list of "Allowed Users" for each table in DCN Setup. When a change is made by an Allowed User, DCN still sends the notification email and records the change, but the change does not require the same Approval step.
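To make the DCN decision logic concrete, here is an added example that models the rules described above. It is illustrative code written for this post, not SARA's or Nextworld's own implementation; the setup dictionary, table and field names, user names and the `evaluate_change` / `record_change` functions are all hypothetical, and the change events are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical DCN Setup: which Master Data tables and data items are watched,
# which user group is notified, and which users are "Allowed Users" for the table.
# Constructed for this example; not SARA's real configuration format.
DCN_SETUP = {
    "VendorMaster": {
        "data_items": {"BankAccountNumber", "PaymentTerms"},
        "notify_group": "VendorDataOwners",
        "allowed_users": {"ap_manager"},
    },
    "EmployeeMaster": {
        "data_items": {"PayRate"},
        "notify_group": "HRDataOwners",
        "allowed_users": set(),
    },
}


@dataclass
class DataChange:
    """One committed record update, as seen after the fact (nothing is held pending)."""
    table: str
    record_id: str
    user: str
    before: Dict[str, object]
    after: Dict[str, object]


@dataclass
class DcnEntry:
    """What DCN writes to its list application and emails to the Data Owners."""
    table: str
    record_id: str
    user: str
    notify_group: str
    changed_items: Dict[str, Tuple[object, object]]  # item -> (before, after)
    approval_required: bool


def evaluate_change(change: DataChange, setup=DCN_SETUP) -> Optional[DcnEntry]:
    """Return a DcnEntry if the change touches a watched data item, else None.

    Rules modelled from the post:
      * only tables present in DCN Setup are in scope;
      * only the selected data items are compared (other edits are ignored);
      * every watched change is notified and recorded, even for Allowed Users;
      * the Approval step is skipped only when the user is an Allowed User.
    """
    cfg = setup.get(change.table)
    if cfg is None:
        return None  # table not under DCN, nothing to do
    changed = {
        item: (change.before.get(item), change.after.get(item))
        for item in cfg["data_items"]
        if change.before.get(item) != change.after.get(item)
    }
    if not changed:
        return None  # only unwatched items changed
    return DcnEntry(
        table=change.table,
        record_id=change.record_id,
        user=change.user,
        notify_group=cfg["notify_group"],
        changed_items=changed,
        approval_required=change.user not in cfg["allowed_users"],
    )


def format_notification(entry: DcnEntry) -> str:
    """Plain-text body for the email sent to the notify group (hypothetical template)."""
    lines = [f"DCN: {entry.user} changed {entry.table} record {entry.record_id}"]
    for item, (old, new) in sorted(entry.changed_items.items()):
        lines.append(f"  {item}: {old!r} -> {new!r}")
    lines.append("Approval required" if entry.approval_required else "Allowed User: no approval required")
    return "\n".join(lines)


def record_change(change: DataChange, log: List[DcnEntry], setup=DCN_SETUP) -> Optional[DcnEntry]:
    """Evaluate a change and, if it is in scope, append it to the list application."""
    entry = evaluate_change(change, setup)
    if entry is not None:
        log.append(entry)
    return entry


if __name__ == "__main__":
    # Constructed sample changes: a bank-account edit by an ordinary user,
    # a payment-terms edit by an Allowed User, and an out-of-scope edit.
    log: List[DcnEntry] = []
    for c in (
        DataChange("VendorMaster", "V100", "jsmith", {"BankAccountNumber": "111"}, {"BankAccountNumber": "999"}),
        DataChange("VendorMaster", "V100", "ap_manager", {"PaymentTerms": "NET30"}, {"PaymentTerms": "NET60"}),
        DataChange("VendorMaster", "V200", "jsmith", {"Phone": "555"}, {"Phone": "556"}),
    ):
        entry = record_change(c, log)
        print(format_notification(entry) if entry else f"{c.table}/{c.record_id}: not watched")
```

The point of `approval_required` is that an Allowed User is exempt only from the Approval step; the notification and the before/after record still happen, so the list application stays a complete audit trail regardless of who made the change. Because DCN does not hold transactions pending, nothing here blocks the write; the reversal in the last bullet is a manual follow-up by the Data Owner.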