Delivering a Passing Grade for Auditing Access

A large Midwest agricultural technology company called in STEALTHbits after failing two internal audits. The 9,000-user company had outsourced some of its IT operations to a third party and was using spreadsheets to track file share and other access rights, but it knew it had no substantive controls in place to review access or control permissions on its file shares or SharePoint. Patrick Conlon, STEALTHbits Director of Professional Services, described the environment: “The auditor would point to a file share and ask them to list all those with access to it. They weren’t able to answer that basic question or provide records of previous reviews.”

Patrick and his team knew the customer needed process guidance even more than STEALTHbits products to start, so they sat down with the Company’s IT team. “We didn’t touch a computer for 2 days,” noted Patrick. “We sat in a conference room and talked through the workflow solution.”

The STEALTHbits Professional Services team initiated an almost textbook entitlement review process using its StealthAUDIT product suite. Deploying StealthAUDIT for Data Access Governance (DAG) and Active Directory Inventory (ADI), Phase I entailed:

  • Pulling out permissions for each of the Company’s 10,000 file shares and 100 site collections (DAG)
  • Identifying probable owners of each as well as probable owners of Active Directory groups (DAG & ADI)
  • Establishing owners of each file share (AIC)

In Phase II, using STEALTHbits’ AIC (Access Information Center) browser-based application, file share owners were automatically sent a list of those with access to their file share, and they were simply asked to check or uncheck boxes to indicate those that should or shouldn’t have access, and what permissions (read, write, delete) each should have.

At the time of the project, the StealthAUDIT product suite lacked the capability to provide an entitlement review progress status, something important to the Company given their need to correct audit failures in a fixed period of time. Without skipping a beat, Patrick’s team custom-built reports to provide the Company the information it needed. “That’s the beauty of the Professional Services Team here at STEALTHbits,” added Patrick. “We can not only guide and support our customers through complex projects, but we can customize our products or add features to fully accommodate our customers. Often - as was the case here - those features or customizations are folded into our standard products going forward.”

The Company’s original timeframe to remediate the audit deficiencies was 4 to 5 months. Without the involvement of the Professional Services Group, the entitlement review project likely would have stretched beyond 8 months. But, as it turned out, the project was completed in 3, and the Company passed the next audit with flying colors. Observed Patrick: “The Company was so pleased with the outcome, they expanded the scope of their entitlement review project to their overseas divisions. That’s the best testimonial any customer can provide.”


In Brief:

  • Midwest Agricultural Chemical Company

  • Approximately 9,000 users

  • Failed two internal audits

  • Had no controls in place reviewing access or controlling permissions to their file servers and folders

Quotes:

  • “The auditor would point to a file share and ask them to list all those with access to it. They weren’t able to answer that basic question.”

  • “We didn’t touch a computer for 2 days. We sat in a conference room and talked through the workflow solution.”

  • “The Company was so pleased with the outcome, they expanded the scope of their entitlement review project to their overseas divisions.”