The QCTO is subject to regular audits by national regulatory bodies. The various systems in use by the QCTO range from accounting and ERP solutions, to HR, Employee Self-Service (used to manage staff holidays, payslips, and tax certificates), and the custom-developed system used to issue certificates to qualified applicants. There is a Management Information System for qualification development.
Access and security vary by system, which makes it hard to collate all the information required for auditors, as Mr Tafadzwa Ramhewa, IT Director for the QCTO, explains: “We needed to pull audit trails of who had access to the different systems. Every month we would print out access reports and then compare this with user access request forms to work out if the two access sources lined up. Some systems have such restricted access that we would rely on the business owners to do this job for us. All in all it would easily take half a day of our time every month.”
Thankfully the audit findings have always been positive, although one recommendation was taken to heart by the QCTO. Ramhewa: “The auditors were pleased with the system access review for our end users, but we didn’t review access for our system administrators in the same way. We have other processes in place for this, but the auditors felt we needed a clearer separation of duties, which just wasn’t possible with the manual processes we had.”
These considerations were even more important in light of new data protection legislation which will be enforced by the South African government from 2018. This has been introduced to fight identity theft and ambush marketing and has resulted in a real behavioral change in South African organizations.
Following a market review, the QCTO was introduced to NetIQ Identity Governance and NetIQ Change Guardian to close any loopholes in their access and security policies. Identity Governance was implemented and is used to collect and correlate user entitlements across all QCTO applications into one view. It is designed to eliminate manual processes and increase efficiency.
Ramhewa explains its use within QCTO: “The business owners of our solutions receive an automated email driven by Identity Governance to confirm which users have access to their systems. This process is managed independently from the system administrators so that they can be included in the process as well, creating a clear separation of duties. The Identity Governance reports are easy to understand and our business owners are comfortable working with the process.”
Change Guardian delivers further automation to the security of QCTO systems, and as Ramhewa says: “For us, it’s all about automation. The less human intervention, the better. Policing our user accounts is very important as we have a lot of contractors and staff mobility. We need to be able to control system access easily and have a transparent audit trail.”
Change Guardian centrally records and audits changes, consolidating and archiving change events from across the QCTO IT environment. This helps reduce the complexity required to analyze multiple, disparate logs. Before the Change Guardian implementation, there was a manual effort involved in getting ready for an audit exercise. The IT team needed to ensure there were no orphan user accounts which could pose a potential security threat. Today, Change Guardian reports in real-time on deleted user accounts, failed log-ons, reset passwords etc. This gives the team the control and visibility they need to rapidly detect and disrupt threats that could negatively impact the confidentiality, integrity, and availability of the organization’s critical assets.
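The monthly comparison Ramhewa describes (per-system access reports checked against approved access request forms, with administrator accounts reviewed by someone other than the administrators themselves) is shown below as a reconciliation script. This is an added example, not code from QCTO, NetIQ or this page; the systems, users, owners and the `ciso` reviewer are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical systems and users, not QCTO's).
ACCESS_EXPORT = [
    # (system, user, role) as exported from each application
    ("erp", "alice", "user"),
    ("erp", "bob", "admin"),     # approved only as "user" below: privilege drift
    ("erp", "carol", "user"),    # no request on file at all: orphan account
    ("certs", "alice", "user"),
    ("certs", "dave", "admin"),
]

ACCESS_REQUESTS = [
    # (system, user, role, approved_by) from the access request forms
    ("erp", "alice", "user", "erp-owner"),
    ("erp", "bob", "user", "erp-owner"),
    ("certs", "alice", "user", "certs-owner"),
    ("certs", "dave", "admin", "certs-owner"),
    ("certs", "erin", "user", "certs-owner"),  # approved but never provisioned
]

SYSTEM_OWNERS = {"erp": "erp-owner", "certs": "certs-owner"}
ADMIN_REVIEWER = "ciso"  # hypothetical independent reviewer for admin accounts


def reconcile(export, requests, owners, admin_reviewer):
    """Compare granted access with approved access and build review lists."""
    granted = {(s, u, r) for s, u, r in export}
    approved = {(s, u, r) for s, u, r, _ in requests}
    # Access that exists with no matching approval: orphan accounts and
    # roles granted beyond what was requested.
    orphan = sorted(granted - approved)
    # Approvals that were never actioned (or whose role was changed later).
    unprovisioned = sorted(approved - granted)
    # Business owners attest to ordinary user access; admin accounts are
    # routed to an independent reviewer so administrators never sign off
    # on their own access (separation of duties).
    reviews = defaultdict(list)
    for s, u, r in sorted(granted):
        reviewer = admin_reviewer if r == "admin" else owners[s]
        reviews[reviewer].append((s, u, r))
    return {"orphan": orphan, "unprovisioned": unprovisioned,
            "reviews": dict(reviews)}


if __name__ == "__main__":
    for key, value in reconcile(ACCESS_EXPORT, ACCESS_REQUESTS,
                                SYSTEM_OWNERS, ADMIN_REVIEWER).items():
        print(key, value)
```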
Identity Governance and Change Guardian have streamlined the auditing process and improved security for QCTO. Ramhewa comments: “We worked with LiyaTech, a knowledgeable local implementation partner, and it was great to have the expertise from Micro Focus on hand as well, during the project. We find the solutions easy to administer and can already see the benefits.”
He concludes: “Identity Governance and Change Guardian have helped us be compliant with stringent new data protection regulations, and the solutions are saving us time and effort every day. We feel we are completely transparent in our access reviews and our system security has been enhanced in the process.”