More access to data to reduce risk & enable better decisions
Apr 04, 2019
You already know that there is untapped value within your systems and the data they contain.
But limits on user access, imposed to satisfy audit, risk and compliance expectations, mean that it is increasingly difficult to get access to the data you need.
Access to systems and data is traditionally limited by job function, and the introduction of Sarbanes-Oxley, PCI DSS* and other regulatory obligations and compliance standards has resulted in a heightened focus on limiting user access.
However, these controls were designed for systems of record, e.g., ERP, financial or other systems used to process transactions. For such systems, limiting access makes sense: the transactions they process reflect real business activity, and an unauthorised or incorrect transaction can be damaging.
Unfortunately, the same approach is often applied when granting access to systems of information and intelligence, e.g., data warehouses.
For these systems, the risk profile is different. In most cases, the primary downside risk you need to mitigate is confidentiality, i.e., maintaining privacy and preventing leaks of intellectual property. But there is also an upside risk: the value forgone when people cannot reach data that would improve their analysis and decisions.
What does this mean?
For systems of record, access controls are put in place to reduce risk, and because they are tried and tested, they generally work well if designed carefully.
For systems of intelligence, if you apply the same control design, those controls actually increase your risk by decreasing efficiency and effectiveness. This is because the purpose of these systems is not to record transactions, rather, they are designed to provide access to information to better understand customers and operations, and to enable smarter decisions.
With growing data volumes, and growing potential for the use of data to improve your business, is there an alternate approach?
Consider open access to systems of intelligence
Open access means a default of allow: users can read everything except specific, identified items of confidential data (for example personal data or intellectual property), which are withheld or masked.
A more extreme approach grants access to everything, including the confidential data, and relies on monitoring who reads it. This can work in certain circumstances, but it is riskier, because it detects misuse after the fact rather than preventing it.
While open access instantly raises concerns, when done right, it can yield significant benefit.
Organisations like yours are implementing such access policies, or are thinking about moving in this direction, because open access promotes:
- Efficiency - reduced effort in discovering and requesting access to data.
- Innovation - opportunities to join up data for new insights.
- Data quality - gaps and inaccuracies become easier to spot.
If you lead a business area, do any of these sound familiar?
- It takes too long to access the data your team needs.
- Your team often discovers or stumbles upon data that enhances analysis.
- You get the feeling there is data you don’t know about that could help.
If they do, insist on a better approach. Challenge your risk, assurance and data teams, and ask them to explain their risk/opportunity analysis, because a more sensible approach exists.
If you are accountable for data, reporting, BI or analytics, consider whether your access policies are working.
Are you enabling your business teams to generate the value you have promised?
If you oversee risk or compliance or assurance, consider whether the controls you have in place are mitigating risk, or preventing opportunity.
In guiding or auditing your business teams, you have an obligation to help them reduce risk, so if you are applying systems-of-record controls to systems of intelligence, are you really being effective?
In general, open access enables better analysis and reporting because it grants read access only; it does not grant the ability to process transactions or change data. However, if you have a feedback loop from your data warehouse back into an operational system, or if you permit any form of data capture or change within the warehouse, the warehouse becomes a path into your systems of record, and you need to think carefully about how you control that access.
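The open-access model described above (default allow, with specific confidential columns withheld, and a riskier monitored variant) and the read-only caveat can be expressed directly in a warehouse's grant model. The following PostgreSQL script is an added example, not from the original article; the schema, table, column and role names, the sample customer table, and the use of the pgaudit extension are all assumptions made for illustration.

```sql
-- Added example (not part of the original article): an "open access" grant
-- model for a PostgreSQL data warehouse. Names below are assumptions.

-- 1. A read-only analyst role. Open access is about reading, not transacting,
--    so no INSERT/UPDATE/DELETE is ever granted to this role.
CREATE ROLE analyst NOLOGIN;
GRANT USAGE ON SCHEMA warehouse TO analyst;
-- Default allow: every table that exists now, and (for tables later created by
-- the role running this script) every table created in future.
GRANT SELECT ON ALL TABLES IN SCHEMA warehouse TO analyst;
ALTER DEFAULT PRIVILEGES IN SCHEMA warehouse GRANT SELECT ON TABLES TO analyst;

-- 2. The exceptions: withhold specific confidential columns, not whole tables.
--    Constructed sample table: a customer dimension that carries personal data.
CREATE TABLE warehouse.dim_customer (
    customer_id   bigint PRIMARY KEY,
    region        text,
    segment       text,
    signup_date   date,
    email         text,   -- confidential: personal data
    date_of_birth date    -- confidential: personal data
);
-- The table inherited a blanket SELECT from the default privileges above.
-- Replace it with a column-level grant that omits the confidential columns;
-- analysts keep customer_id so they can still join to fact tables.
REVOKE SELECT ON warehouse.dim_customer FROM analyst;
GRANT SELECT (customer_id, region, segment, signup_date)
    ON warehouse.dim_customer TO analyst;

-- 3. The "grant everything and monitor" variant, applied narrowly: a role that
--    may read the confidential columns, with those reads logged by pgaudit's
--    object auditing. Assumes pgaudit is installed and postgresql.conf sets
--    pgaudit.role = 'auditor'. Statements that touch a column the auditor role
--    can read are written to the server log.
CREATE ROLE privacy_analyst NOLOGIN;
GRANT analyst TO privacy_analyst;
GRANT SELECT (email, date_of_birth) ON warehouse.dim_customer TO privacy_analyst;
CREATE ROLE auditor NOLOGIN;
GRANT SELECT (email, date_of_birth) ON warehouse.dim_customer TO auditor;

-- 4. Check the outcome (run as a superuser or a member of analyst).
SET ROLE analyst;
SELECT customer_id, region, segment FROM warehouse.dim_customer;   -- allowed
-- SELECT * FROM warehouse.dim_customer;          -- permission denied: * includes email
-- SELECT email FROM warehouse.dim_customer;      -- permission denied
-- UPDATE warehouse.dim_customer SET segment = 'x'; -- permission denied: read-only
RESET ROLE;
```

Two points worth noting. First, column-level grants make `SELECT *` fail for the analyst role, which is the intended behaviour: an analyst must name the columns they want, and the confidential ones are simply not available. Second, `ALTER DEFAULT PRIVILEGES` only covers objects created by the role that ran it; in a real warehouse where an ETL role creates tables, add `FOR ROLE etl_role` so that new tables are open by default rather than silently falling back to the request-and-approve model the article argues against.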
* PCI DSS: Payment Card Industry Data Security Standard. An information security standard that applies to organisations that store, process or transmit payment card data.