2010 Best Practice Awards
CUNA Technology Council
Information Security/Privacy Category
Automated SAFE Process
History of the Issue

Like many financial institutions, Affinity Plus had created an internal practice and process covering the common add, remove, and change actions on employee and external accounts. This process includes user setup, removal, and changes; application access; network object and device access; and, of course, a streamlined procedure within it that could be audited and reviewed by internal and external auditors and regulators. The process started out manual and specific to a few applications and network access rights, maintained primarily by paper forms that were signed off by someone in IT once the work was completed and then archived. Other processes, such as physical security access for branch locations, were maintained in separate manual paper processes as well, often by other teams or departments within the organization. Finally, a notification such as an email or phone call would alert the manager or HR that the process was complete.

However, as the technical environment became more complex, as additional resources and applications became available for member advisors to use, and as the credit union experienced significant growth in branches and staff, the process bogged down and could no longer keep pace. The first iteration of what was coined internally a 'SAR' (System Access Request) was created. Using the ability to create forms within Outlook, the IT department set up initial parameters with a basic set of standard information: name, start date, end date, location, job title, and a notes section that would detail any specific access or rights that user might need. This form was submitted via email within Outlook to the IT department distribution list, and the manual processes necessary to complete the SAR were then carried out.
While this iteration provided some online tracking, the overwhelming majority of the process remained manual, including key points like notification, confirmation that the access work had been completed, and the time to completion from initial receipt of the SAR. Additional iterations of the SAR process were completed in the years that followed, adding feature sets to the SAR Outlook form: checkboxes and buttons to specify different application access, drop-down menus for location selection, defined SLAs for internal expectations, notification emails to other departments for other user needs (business cards, physical security, etc.), and integration into the Track-IT ticketing solution that IT used to manage its work. The integration into the ticketing system was a significant advance because, for the first time, a portion of the process was automated: the software date- and time-stamped the SAR and logged the ticket into the general queue for pickup.
However, the process continued to be highly manual and difficult to oversee because submission points within the organization allowed management at all levels to submit a SAR for their staff. These submissions were often sent with little lead time, at times the same morning the new employee arrived. Furthermore, as the business pursued opportunities to better serve its members, new types of staffing and access arose that needed to be addressed: temporary employees, vendor access through VPN, vendor access onsite, and auditor and regulator access. Finally, although reviews by auditors and regulators recognized the SAR process as a positive step forward that addressed many concerns, it still remained a manual process overall that could fail, and its practice had grown to involve multiple staff within IT working a single SAR form. To ensure that the knowledge and capability to complete a SAR kept pace with the credit union's growth, various staff and teams within IT took ownership of various sections of the SAR to ensure it was completed as needed. While this ensured a quicker response and multiple resources, it was complex and prone to occasional misses, misses that would come up in internal or external audits, after which the SAR process would be altered to add a new check and balance.
Resolution of the issue came about after extensive conversations between IT and HR focused on creating a single comprehensive SAFE process that would do the following: automate the submission process from a centralized source through to completion and back to the submitter with confirmation that it was done; provide comprehensive audit tracking and real-time updates on where the submission currently sits within the process; allow multiple types of SAFE requests to be submitted through a single portal depending on the type of request or employment; and provide a comprehensive oversight mechanism within the process that notifies management and HR if the process and work are not being completed within established windows of time. This new process would also need to stand up to audit and regulatory reviews and fit within established regulatory requirements such as FFIEC, PCI, and NCUA guidelines.
SAFE process

• January 2010: the new SAFE (System Access for Employees) process went live at Affinity Plus, with employees, VPN, auditors/regulators, title and department changes, and terminations handled in a single portal for submission.
• Initiated by creating an internal workflow architecture developed using Hyland's Onbase software.
• The new process centralizes SAFE requests from HR to IT with an automated notification of completion back to HR.
• Initial requests are highlighted in a default alert message to all of IT.
• Requests then follow a specific track with identified resources that 'own' various pieces of the SAFE request depending on the type of request.
• The SAFE travels through the workflow on a scheduled timeframe based on setup dependencies and needs. Actions that are prerequisites for other accesses or controls are required to be completed first.
• Once a section is completed, the IT staff member marks that section complete and the form is date- and time-stamped by the system. The SAFE then travels to the next section for completion. The SAFE does not move forward until the section it resides in is completed.
• If a section is not completed within defined timeframes, notifications automatically alert IT management to the specific SAFE and where it is stopped within the process.
• Each section of the SAFE process is owned by a primary person, with other staff as backup. In the event of vacation or a change, ownership of the section within the workflow can be re-pointed so that work continues.
• The SAFE process contains various SAFE types, including separate workflows for vendor and auditor/regulator access requests; SAFEs specific to simple name changes, department changes, and title changes; and the standard new user and termination SAFEs.
• SAFEs contain expiration criteria for temporary employees, contract employees, vendors, and auditor/regulator access. Once the end date comes due, the process automatically notifies the responsible group for that SAFE type (IT, HR, Compliance, etc.) that the access needs to be reviewed for continuation. That group then extends or terminates the access: the SAFE either automatically extends based on the new date range or is automatically placed into the termination process.
• In accordance with internal policies, certain SAFEs (such as those granting vendor VPN access) have an IT approver mechanism that automatically notifies IT management that a SAFE requiring review and approval is pending. The SAFE does not move forward until the review and approval are completed. Once approved, the SAFE enters the workflow at the first section for completion.
• SAFEs of all types, when completed, are archived and stored in our Onbase imaging system. This archival information can be provided to regulators and auditors for review and verification.
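The workflow rules listed above (an approval gate before certain SAFE types enter the workflow, sections worked strictly in prerequisite order with system-stamped completion, alerts to IT management when a section overruns its window, and an end-date review that feeds expired access into the termination process) can be captured in a small state machine. The Python below is an added example, not Affinity Plus code and not an Onbase workflow definition; the SAFE types, section names, the eight-hour SLA, and the people and dates in the scenario are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical SAFE types: ordered sections (each a prerequisite for the next) and an approval flag.
WORKFLOWS = {
    "new_hire": (["directory_account", "email", "core_banking", "physical_access"], False),
    "vendor_vpn": (["vendor_account", "vpn_profile"], True),
    "termination": (["disable_directory", "revoke_vpn", "revoke_physical"], False),
}
SECTION_SLA = timedelta(hours=8)  # assumed window before IT management is alerted

@dataclass
class Section:
    name: str
    entered_at: Optional[datetime] = None    # stamped when the SAFE reaches this section
    completed_at: Optional[datetime] = None  # stamped by the system when marked done
    completed_by: Optional[str] = None

@dataclass
class Safe:
    safe_id: str
    safe_type: str
    submitted_at: datetime
    submitter: str
    end_date: Optional[datetime] = None      # only temp/vendor/auditor access expires
    status: str = "in_progress"              # pending_approval | in_progress | complete | expiry_review
    current: int = 0                         # index of the section being worked
    sections: list = field(init=False, default_factory=list)
    audit_log: list = field(init=False, default_factory=list)  # (when, event, who)

    def __post_init__(self):
        names, needs_approval = WORKFLOWS[self.safe_type]
        self.sections = [Section(n) for n in names]
        self.audit_log.append((self.submitted_at, "submitted", self.submitter))
        if needs_approval:   # the SAFE does not enter the workflow until approved
            self.status = "pending_approval"
            self.audit_log.append((self.submitted_at, "approval_requested", "it_management"))
        else:
            self.sections[0].entered_at = self.submitted_at

    def approve(self, approver, when):
        if self.status != "pending_approval":
            raise ValueError("nothing pending approval")
        self.status, self.sections[0].entered_at = "in_progress", when
        self.audit_log.append((when, "approved", approver))

    def complete_section(self, name, who, when):
        if self.status != "in_progress":
            raise ValueError(f"{self.safe_id} is {self.status}; it cannot be worked")
        sec = self.sections[self.current]
        if sec.name != name:   # prerequisite ordering: only the current section may close
            raise ValueError(f"{name} blocked until {sec.name} is complete")
        sec.completed_at, sec.completed_by = when, who
        self.audit_log.append((when, f"{name}_complete", who))
        self.current += 1
        if self.current == len(self.sections):
            self.status = "complete"
            self.audit_log.append((when, "completed_notify_submitter", "system"))
        else:
            self.sections[self.current].entered_at = when   # hand-off to the next section

    def overdue_sections(self, now):
        """Open sections past their SLA window; these alert IT management."""
        return [s.name for s in self.sections
                if s.entered_at and not s.completed_at and now - s.entered_at > SECTION_SLA]

    def check_expiry(self, now):
        """On the end date, hand the SAFE to the responsible group for review."""
        if self.status == "complete" and self.end_date and now >= self.end_date:
            self.status = "expiry_review"
            self.audit_log.append((now, "expiry_review_notify", "responsible_group"))
        return self.status

    def terminate_expired(self, who, when):
        """Access not extended by the responsible group: open a termination SAFE."""
        if self.status != "expiry_review":
            raise ValueError("not in expiry review")
        self.audit_log.append((when, "termination_initiated", who))
        return Safe(f"{self.safe_id}-term", "termination", when, "system")

def vendor_vpn_scenario():
    """Walk a vendor VPN SAFE through approval, an SLA miss, completion and expiry (constructed data)."""
    t0 = datetime(2010, 1, 4, 9, 0)
    s = Safe("SAFE-1", "vendor_vpn", t0, "hr", end_date=t0 + timedelta(days=30))
    out = {"initial": s.status}
    s.approve("it_manager", t0 + timedelta(hours=1))
    out["overdue_at_10h"] = s.overdue_sections(t0 + timedelta(hours=10))  # 9h in section
    try:
        s.complete_section("vpn_profile", "bob", t0 + timedelta(hours=2))  # out of order
    except ValueError as e:
        out["out_of_order"] = str(e)
    s.complete_section("vendor_account", "alice", t0 + timedelta(hours=2))
    s.complete_section("vpn_profile", "bob", t0 + timedelta(hours=3))
    out["after_work"] = s.status
    out["day_31"] = s.check_expiry(t0 + timedelta(days=31))
    out["termination_type"] = s.terminate_expired("compliance", t0 + timedelta(days=31)).safe_type
    out["events"] = [e[1] for e in s.audit_log]
    return out
```

Calling vendor_vpn_scenario() shows the controls in order: the request sits in pending_approval until IT management approves, the first section is reported overdue once it has been open longer than the SLA, an attempt to close the VPN profile before the vendor account is refused, and at the end date the completed SAFE drops into expiry review and, when not extended, spawns a termination SAFE. The audit_log is the part an auditor asks for: every transition carries a timestamp and an actor, so the archived record shows who approved, who closed each section and when, and whether expired access was extended or terminated.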
SAFE process impact to Affinity Plus

• SAFEs are now completed with a very high rate of accuracy and on-time completion.
• Overall SAFE process time to completion has been reduced from days to hours.
• The reduced time spent completing SAFEs has allowed IT to apply that time to other projects.
• The streamlined process has made verification and audit reporting of the function highly visible and verifiable to auditors.
• Giving other departments access to act on the SAFEs they are ultimately responsible for has significantly reduced 'back and forth'.
• Because the process is modular, changing or extending the SAFE environment for new needs or solutions does not require a complete overhaul of the process.
• The expiration feature has ensured that critical security points such as VPN access and contract vendor or temporary employee access are automatically reviewed.
• The management approver process ensures that policy-based access requirements are followed.
• Comprehensive security reviews since the SAFE implementation have shown that the process has maintained a clean security environment.
Screenshots of the SAFE process

SAFE New Hire Form
Initial SAFE form information provided by the submitting group. This initiates a notification email to the IT department.
Automated email notifications populate in our IT ticketing software at various points throughout the process.
Depending on the SAFE, components of the process are broken up into task groups that are completed by different staff and then signed off in the task bar on the right.
Automated email notifications go to IT management for specific SAFE requests, such as VPN or vendor access, that need to be reviewed and approved. Automated emails are also generated to IT management if SAFEs are not completed within specific timeframes.
Each section allows the IT staff to input specific information that is then populated automatically into the Welcome Letter.
Each completed section records a 'task completed by' and 'completed on' verification point.
The queue counter at top left shows all IT staff what is in a particular section waiting to be completed. At the bottom left, the account names, passwords, and specific applications completed are noted. Since these initial credentials are captured on the form, carried into the welcome letter, and archived with it, they should be treated as one-time values that the user must change at first login.
This is the welcome letter automatically generated as part of the SAFE process from the information completed by IT and then emailed to HR.