Security Processes and Control Frameworks

The overriding mandate of today’s corporate regulatory environment—a complex web of legislation such as Sarbanes-Oxley, GLBA, Basel II and HIPAA—is not that businesses have “forensic” processes established to identify and document financial malfeasance after the fact, but rather that they have strong, well-documented control processes in place to prevent fraud and abuse from occurring in the first place. The onus for ensuring that these processes exist has evolved upward from business operations to executive suites and boards of directors.


Kinetic Request and BMC Remedy Security Processes

This shift in emphasis—from finding and punishing corporate wrongdoers to ensuring that controls exist to prevent abuse—has led to new interest at the highest business levels in established but continually evolving financial and IT best practices and frameworks such as ITIL®, COBIT, COSO and other overlapping controls and guidelines. Perhaps the most relevant of these to IT organizations is COBIT, which stands for Control Objectives for Information and related Technology. Created in 1966 by the Information Systems Audit and Control Association (ISACA), COBIT’s objective is to provide “managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.”[1]

The complexity of COBIT has spawned a large library of interpretations and implementation guidelines. It consists of 34 high-level objectives regarding the use of IT assets that cover 215 control objectives categorized in four domains entitled:

  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

The control objectives cover IT applications and systems in these four domains as they are applied to virtually every operational and financial process within enterprises. The control objectives have three purposes: 1) to ensure that IT processes support business objectives; 2) to regulate how users access these processes; and 3) to automatically enforce corporate governance policies in how users use them.

COBIT concepts and language are mirrored in ITIL, the Information Technology Infrastructure Library, an authoritative source of IT best practices, notably in operations and service management. COBIT, however, provides a more structured and prescriptive approach to IT controls, rather than ITIL’s narrative and descriptive approach; this makes COBIT the preferred foundation for U.S. businesses required to meet Sarbanes-Oxley control and monitoring requirements.[2]

Sarbanes-Oxley is, of course, the sweeping measure passed by the U.S. Congress in 2002 as a response (or an overreaction, according to critics) to Enron, WorldCom and other accounting scandals. Its central intent is to ensure reliable financial information from public companies, which requires an attendant focus on the software systems that house financial and operational data. In creating IT controls for compliance, businesses must:

  • Assess risk
  • Control relationships and deliverables from outsourcers
  • Integrate security into the development process
  • Monitor all changes that might impact critical systems.[3]

Security Processes and Service Catalogs

The BMC® Remedy® suite of applications is designed to support COBIT frameworks and ITIL best practices in business process automation and management applications. BMC refers to this as “creating a sustainable compliance capability that is integrated into the day-to-day operations of your IT department. …We call this concept continuous compliance, and it is a result of running IT well.” This statement reflects the challenges many IT departments face today—making applications and systems continuously compliant with corporate security processes mandated by senior management and “running IT well”—that is, more cost-effectively and directly supportive of business objectives than ever before.

Both needs intersect in the area of service catalogs, which are now proven to be a boon to running IT well, but are less obviously helpful in supporting and enforcing corporate security processes.

Service catalogs are becoming the foundation for defining and delivering services, as well as for demonstrating the value of IT, HR, facilities, procurement, sales and marketing, and other service-oriented groups within the business. They offer any enterprise functional group a way to publish available services over the web, standardize service deliverables, establish service levels, and market service offerings to internal and external customers. For IT in particular, several factors are driving their adoption by large organizations. These include the increasing pressure on IT organizations to:

  • Document and communicate their value to the business
  • Reduce costs and increase efficiencies
  • Reduce service request backlogs through standardization and automation
  • Adopt COBIT and ITIL standards in service delivery management, of which service catalogs are a key component[4]

Service catalogs are “request-centric, forms-driven, and workflow-based,”[5] which is also how BMC describes the underlying architecture of the BMC Remedy Action Request System (ARS®). Service catalogs built on BMC Remedy ARS allow businesses to manage requests for applications and processes—from employees, customers, suppliers and others—presented through web-based forms. But they also raise a number of questions pertaining to security processes and compliance requirements, such as:

  • Are service catalogs easy to build and request forms easy to add?
  • Is the service catalog portal secure?
  • Who has authorized access to specific types of requests?
  • How is this access being used?
  • Who must approve specific requests, and how is the approval workflow process handled and enforced?
  • What is the process for decommissioning accounts and deauthorizing users?
  • How does the system provide auditability; that is, how are user request authorization and approval processes monitored, enforced, and shown to be compliant with data and information security requirements?

Kinetic Request for BMC Remedy

Kinetic Request is an ideal tool for building service catalog capabilities and processes to address these security and compliance issues.

Kinetic Request is the only “built on BMC Remedy” service request management system (SRMS) application that works with any BMC Remedy ARS standard or custom application. It enables organizations to quickly build and implement actionable COBIT- and ITIL-compliant service catalogs.

Unlike bolt-on SRMS applications, Kinetic Request works with any BMC Remedy standard or custom application, regardless of version, and extends service catalog functionality beyond the IT department. And since Kinetic Request is developed natively on BMC Remedy ARS, it requires no separate management systems or integration effort, and it introduces no redundant processes.

In brief, the features that make Kinetic Request an attractive service catalog tool for organizations using BMC Remedy include:

  • Kinetic Request enables users without BMC Remedy development skills to quickly build and implement actionable service catalogs. This enables functional groups outside of IT, such as facilities and HR, to create catalogs and manage requests utilizing service process workflows in BMC Remedy.
  • Kinetic Request enables automatic management and fulfillment of user service requests by enabling requests and approvals to be embedded in email messages.
  • Kinetic Request effectively manages service requests by enabling users to track the status of their requests, and helping management to accurately monitor service delivery time and quality.

When it comes to service catalogs and security processes, Kinetic Request provides a central BMC Remedy process to:

  • Give users authorized access to certain types of requests
  • Establish and enforce approval policies
  • Track how requests are handled and approved
  • Provide an audit trail for every step in the process

New types of requests and special security processes can be added easily. Kinetic Request service catalog forms are also designed to initialize the security process up front by ensuring that no required fields are left blank.

Kinetic Request increases workflow efficiency by eliminating emails and phone calls to requestors for additional information. It ensures that requests don’t languish in in-baskets but are instead processed according to approval policies and, through the use of predefined escalation procedures, within specific time frames.

Case Study

One user of Kinetic Request is a large entertainment conglomerate that operates film studios, theme parks, retail stores and movie theaters. The company hires thousands of employees each year. In a typical example, a manager is hired to oversee theaters in a specific territory. The company uses more than 40 different applications, many of them BMC Remedy-based or integrated with BMC Remedy, to manage its business at all levels.

The newly hired manager needs access to about a dozen of these applications, including:

  • Salesforce.com®
  • Blackberry® enterprise access
  • Oracle® Financials
  • SAP®
  • BMC Remedy
  • RIM® US/RIM EMEA
  • Windows® NT Domain
  • Siebel® Sales
  • Siebel Marketing
  • Custom internal applications

Sarbanes-Oxley introduced many new requirements pertaining to application access provision for new employees. Pre-Sarbanes-Oxley, provisioning application access to new hires involved a flurry of phone calls and emails, as well as processing manual forms from HR, IT, and other functions.

Post-Sarbanes-Oxley, the old process would have been unworkable. There was no way to introduce accountability and auditability into the process without hiring expensive outside consultants and adding a new layer of software on top of the process, which would achieve only cosmetic improvements since much of the underlying human and manual activity would remain untouched.

By using Kinetic Request to build BMC Remedy-based service catalogs, the company solved all of these challenges with the ease and cost-effectiveness of simply adding another native application to its existing BMC Remedy ARS-based infrastructure. The company now publishes available services over a secure web portal that uses BMC Remedy’s published Java API. Authorized managers from HR, IT and other departments can provision the new employee by completing request forms for the application access the new employee requires. The request forms automatically enforce security process requirements and launch the approval workflow process. The employee can later initiate his or her own requests through the service catalog portal to make changes or obtain access to other applications permitted by his or her authorization level. All activity is tracked and is available in detailed or summary form through pre-configured or customized reports.

The company has essentially “killed two birds with one stone.” The old expensive, manual process for account provisioning is now automated, with accountability and security requirements enforced. The new employee has access to the applications he or she needs to become productive automatically and almost immediately—versus days or even weeks using the old process. The company’s senior directors and board members are now confident that access to important financial and operational systems is fully compliant and auditable to meet new control and reporting requirements.

Specific features of Kinetic Request that enable this include:

  • The ability to activate/deactivate a request form
  • The ability to configure locale-specific messages for the user in the event of an error (required field missing, survey already submitted, connection problems, etc.)
  • The ability to make fields required
  • The ability to allow fields to be conditionally required
  • The ability to hide/show questions and text based on answers or other events
  • The ability to specify that a user must log in (to BMC Remedy) before accessing a form
  • The ability to place an expiration date on forms
  • The ability to send notifications to managers based on completed request forms
  • The ability to send notifications based on answer qualifications
  • The ability to audit changes to a user’s submission/answers
  • The ability to audit changes to a template
  • The ability to create records in other BMC Remedy-based forms on submission by an employee or nonemployee
  • The ability to list only the request forms that the user has access to see (based on his or her BMC Remedy login)
  • The ability to assign primary approvers and backup approvers
  • Multi-level approval support
  • The ability to use the BMC Remedy approval engine
  • The ability to determine approver, based on categorization of employee/non-employee answers or other criteria
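As an added illustration (not Kinetic Request’s or BMC’s own code), the following Python model walks through the controls the feature list and the case study describe: request forms listed only to the login groups allowed to see them, required fields enforced before the process starts, approvers chosen by the employee/non-employee answer with a primary and a backup at each level, multi-level approval, no self-approval, and an audit entry for every step. All form names, groups and approver identities are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed, hypothetical configuration (not Kinetic Request's own data model): the login groups
# allowed to see each form, each form's required answers, and the ordered (primary, backup)
# approver levels selected by the employee/non-employee answer.
FORM_ACCESS = {"app-access": {"HR Managers", "IT Managers"}, "hardware": {"IT Managers"}}
REQUIRED = {"app-access": ("new_hire", "category", "applications"), "hardware": ("category", "item")}
APPROVERS = {"employee": [("hr-lead", "hr-backup"), ("it-security", "it-sec-backup")],
             "non-employee": [("vendor-mgr", "vendor-backup"), ("it-security", "it-sec-backup")]}

def visible_forms(user_groups):
    """List only the forms the logged-in user's groups are permitted to see."""
    return sorted(form for form, allowed in FORM_ACCESS.items() if set(user_groups) & allowed)

class ServiceRequest:
    def __init__(self, form, requester, user_groups, answers):
        self.form, self.requester, self.groups = form, requester, set(user_groups)
        self.answers, self.status, self.level, self.chain, self.audit = dict(answers), "draft", 0, [], []
        self._log(requester, "created")

    def _log(self, actor, event):  # append-only audit trail: who did what, and when
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, event))

    def submit(self):
        if self.form not in visible_forms(self.groups):
            raise PermissionError(f"{self.requester} is not authorized for form {self.form}")
        missing = [f for f in REQUIRED[self.form] if not self.answers.get(f)]
        if missing:  # the process does not start with required fields left blank
            raise ValueError(f"required fields missing: {missing}")
        self.chain = APPROVERS[self.answers["category"]]  # approvers follow the categorization answer
        self.status = "pending"
        self._log(self.requester, f"submitted; approval chain {self.chain}")
        return self.status

    def approve(self, approver):
        if self.status != "pending":
            raise RuntimeError(f"request is {self.status}, not awaiting approval")
        if approver == self.requester:  # separation of duties: nobody approves their own request
            self._log(approver, "rejected: self-approval attempt")
            raise PermissionError("requester may not approve their own request")
        if approver not in self.chain[self.level]:  # only this level's primary or backup approver
            self._log(approver, f"rejected: not an approver at level {self.level}")
            raise PermissionError(f"{approver} is not an approver at level {self.level}")
        self._log(approver, f"approved level {self.level}")
        self.level += 1
        if self.level == len(self.chain):  # every level approved: provisioning can be fulfilled
            self.status = "approved"
            self._log("system", "all approvals recorded; fulfillment started")
        return self.status
```

Every denied attempt is written to the audit trail as well as the successful steps, which is what lets the request history be reported on later.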

Conclusion

For many enterprises, service catalogs can be a double-edged sword. They allow you to automate and publish, via the web, access to a vast library of applications and corporate information to both internal and external constituencies.

Yet access to and use of those applications and corporate information must be more tightly controlled and auditable than ever before. Increased access with increased control isn’t a paradox for organizations that use Kinetic Request with BMC Remedy, but rather an easily solved challenge. A Kinetic Request-based service catalog can:

  • Manage thousands of employee, customer, supplier and partner requests
  • Automate processing of those requests
  • Segment access and duties according to Sarbanes-Oxley requirements
  • Leverage COBIT standards
  • Enforce security processes for access and authorization
  • Demonstrate that corporate processes are “in control” through automatic tracking and auditability

Meeting these needs can be an expensive proposition for organizations outside the BMC Remedy world. But for BMC Remedy users, Kinetic Request makes it as easy as installing and switching on another BMC Remedy-based application.

Resources

[1] Gartner, Inc., The Realities of Using Workflow Products to Achieve IT Operations Automation by Kris Brittain and David Williams, June 2008.

[2] http://www.bmc.com/products/product-listing/change-management-software.html

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners.
