How Herman Miller automated its SOX Segregation of Duties validation across multiple business applications - PowerPoint PPT Presentation

Slides: 9
Provided by: ezproces
1
How Herman Miller automated its SOX Segregation
of Duties validation across multiple business
applications
Session GB-06, Mon, April 24, 2006
Don Morren, Herman Miller Inc.
2
Session abstract
  • Like so many organizations seeking SOX
    certification or adequate governance, Herman
    Miller needs to certify that users do not have
    access to applications that create a conflict of
    interest. Our challenge, however, was to perform
    such Segregation of Duties (SOD) validation
    across 3750 users, 250 user-roles, 350
    business processes and thousands of
    application/session accesses associated with
    various business systems. For our first round, we
    came up with homemade scripts, tables and
    spreadsheets, along with countless hours of
    analysis, to perform this tedious task. We have
    since implemented a rules-driven
    SOD conflicts identification engine, enabling us
    to dynamically scan all of the above elements
    in less than 10 minutes! Not only do we know
    precisely who is able to access what, we also have
    direct visibility of any SOD conflicts for us to
    investigate and resolve. In addition to saving us
    considerable effort, this SOD compliance solution
    enhanced the accuracy of our conflicts
    identification, critical to maintaining our SOX
    certification for years to come. Benefit from our
    experience and mark this session in your agenda.

3
Herman Miller Case Study
Herman Miller Inc. and My Position
  • A Great Place to Work
  • An International Company That Builds Great Office
    Furniture Solutions
  • On Track for 1.7 Billion for 05/06

4
Herman Miller Case Study
Herman Miller Inc. and My Position
  • Technical Analyst
  • Business Process Analyst
  • No Financial Background
  • Started With
      • Business Process Change Control
      • Software Change Control
      • Business Systems Access Request
  • Evolved Into
      • SOD Review, A Finance Issue, That Needs IT Help

5
Herman Miller Case Study
404 requirements
  • Past, Present and Future
  • Adoption of and Achieving the COBIT Standard
  • Business Process Change Control
  • Software Change Control
  • Business Systems Access Request
  • SOD Review

6
Herman Miller Case Study
SOD Review: Past, Present, Future
  • System Generated User Access List Across Multiple
    Apps
  • Combining Into One Place for SOD Analysis
  • Building of the Complete List of All Available
    Sessions
  • Ability to Identify New/Old Sessions
  • Building of the Complete User Access List
  • Who Has What: Sessions, Roles, Systems, Limited
    Sessions
  • Writing The Risks, Controls, Conflict Rules
  • The Conflict Scan
  • Total Visibility to All Conflicts in All Systems
    in One Place
  • Analysis by Rule, Role, Session, User, Status

7
Herman Miller Case Study
SOD Review
  • The Resolution of Conflict
  • Writing Resolution Rules
  • Applying The Resolutions to the Conflicts
  • Timing and Automation of the Entire Chain of
    Events.
  • Hours not Days
  • Scheduled During Off Hours
  • History and Archiving
  • Targeted Preventative Action
  • Repetitious Monitoring as a Preventative Measure
  • Monitoring Super Users
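
The chain outlined on slides 6 and 7 (one consolidated access list, conflict rules, the conflict scan, then resolution rules applied to the findings) can be sketched as follows. This is an added example, not code from the presentation or from the tool Herman Miller used; every role, session, system, rule and user name is constructed for illustration.

```python
# Constructed sample data; all names below are hypothetical.
ROLE_SESSIONS = {  # role -> (system, session) pairs the role grants
    "AP_CLERK": {("ERP", "enter_invoice")},
    "VENDOR_ADMIN": {("ERP", "maintain_vendor")},
    "TREASURY": {("BANK", "release_payment")},
    "SUPER_USER": {("ERP", "enter_invoice"), ("ERP", "maintain_vendor"),
                   ("BANK", "release_payment")},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "VENDOR_ADMIN"},
    "carol": {"AP_CLERK", "TREASURY"},
    "root": {"SUPER_USER"},
}
# Conflict rule: two sessions one person must not hold together.
# R2 spans two systems, which only a combined access list can detect.
CONFLICT_RULES = {
    "R1": (("ERP", "maintain_vendor"), ("ERP", "enter_invoice")),
    "R2": (("ERP", "enter_invoice"), ("BANK", "release_payment")),
}
# Resolution rule: an accepted mitigation for one (rule, user) finding.
RESOLUTION_RULES = {("R2", "carol"): "mitigated: monthly payment review"}

def user_access(user):
    """Combine all systems into {(system, session): roles granting it}."""
    access = {}
    for role in USER_ROLES.get(user, ()):
        for entry in ROLE_SESSIONS.get(role, ()):
            access.setdefault(entry, set()).add(role)
    return access

def conflict_scan():
    """Evaluate every rule for every user, then apply resolution rules."""
    findings = []
    for user in sorted(USER_ROLES):
        access = user_access(user)
        for rule_id, (a, b) in sorted(CONFLICT_RULES.items()):
            if a in access and b in access:
                findings.append({
                    "user": user, "rule": rule_id,
                    "via_roles": sorted(access[a] | access[b]),
                    "status": RESOLUTION_RULES.get((rule_id, user), "open"),
                })
    return findings

def open_conflicts():
    """Findings with no resolution applied: the list left to investigate."""
    return [(f["user"], f["rule"]) for f in conflict_scan() if f["status"] == "open"]

if __name__ == "__main__":
    for finding in conflict_scan():
        print(finding)
```

Recording the granting roles with each finding is what allows analysis by rule, role, session or user, and the super-user account surfaces under every rule.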
