Secure IT VNext Front End Control Owner/SCLO Training
Agenda
- SecureIT Benefits
- Review Phases
- Control Owner Responsibilities
- Control Owner Training
- SCLO Responsibilities
- SCLO Training
- Tips and Tricks
- Common Error Messages
Secure IT VNext Front End Benefits
Provides a streamlined and automated process for reviewing access, which enables the following:
- Security of Microsoft’s financial data through least privilege access
- Time savings for control owners and reviewers through automation of manual processes
- Increased accuracy due to automated checks, reporting and oversight
- Reduced manual monitoring effort
- Reduced control deficiencies
- Centralized evidence retention to support audits by streamlining testing and reducing audit costs
Review Phases
Control Owner Responsibilities
Review phases: Kick-off, Upload, Validate, Remove, Sign-off
- Tenant Admin: Start new review; Manage Review; Close review
- Control Owners: N/A; Upload list of users; Review system accounts; Remove invalid users; Complete sign-off
- Reviewers: Review assigned users
- SCLOs
Access Type
- Tenant Admin: Full control to all
- Control Owners: Assigned workspaces – upload workbook, review users
- Reviewers: Review assigned users
- SCLOs: Assigned workspaces – sign-off only
- Auditor: Read-only to all
Control Owners Process
As a Control Owner, you will receive an email asking you to start your review. This email will provide a link to the SecureIT VNEXT Tool “Application Workspace” page from the Home Screen menu. On the Application Workspace page, you will see a list of applications where you are listed as the Control Owner. The Dashboard shows the steps you must complete to finish the review.
Home Screen Dashboard
Clicking on the binocular symbol will take you on a guided tour of the Dashboard and list step-by-step details of the task at hand. The tool provides an interactive experience for users to explore the different features. Every page offers a unique tool to explain the layout along with the required steps to perform the review. Guided tours are launched automatically the first time a user logs in. Users can click the binocular icon, as highlighted in the image above, if they wish to take the guided tour at any later time.
Application Workspace(s) Dashboard
By default, the APPLICATION REVIEW tab is opened for you, as highlighted above. The Application Workspace(s) Dashboard keeps track of all the steps that are pending and those you have completed. To access the Dashboard, simply click “Application Workspace(s)” in the home screen dashboard or use the side bar menu. To begin a review, click the Application you want to start a review on.
Application Workspace Status Chart Timeline for the quarterly review
Note: Evidence can be uploaded until the review has been signed off (step 5 of 5).
Select an application that you are managing to work on, and you will notice that the charts now show that application only. Please familiarize yourself with the different statuses; they will come in handy during your review process.
Note: If subsequent phases are locked, this means that prerequisites from the previous phases are incomplete. Please watch out for message pop-ups!
Review Prep
The Review Prep (step 1 of 5) is to check and ensure that all the details on your application workspace are correct. You can edit the details as highlighted above. Click on “Save and Continue” if the managing users are correct (step 1).
Note: You cannot remove yourself as control owner. If this is required, please contact the admins.
Kick Off and Upload Process
The Kick Off and Upload (step 2 of 5) begins with downloading the XLSX template (step 2) and uploading the users into the system (step 3). The next several slides provide more details and a visual example of the XLSX template process, along with what the completed XLSX template looks like and which sections must be completed. Once the user file has been uploaded, you will need to confirm and validate the uploaded users (step 4).
Download XLSX Template
Once you click “Download XLSX Template”, this is what the XLSX template will look like. “User Alias” and “User Role” are the two required fields. “Region” is optional. You have the option to leave “Assigned Reviewer” and “Backup Reviewer” blank, or fill them in yourself with aliases. If left blank, these two columns will query Feedstore during upload to obtain the user’s manager and skip-level manager: “Assigned Reviewer” will auto-populate with the user’s manager, and “Backup Reviewer” will auto-populate with the user’s skip-level manager.
Custom Fields: You are provided with 5 Custom Fields. Please delete the ones you don’t use. It is also important to rename each Custom Field you keep. The next slide provides an example of a completed XLSX template.
Populated XLSX Example
Either predetermine your reviewers by adding them yourself, or leave them blank and they will be auto-populated from Feedstore.
Custom Fields have been renamed and the unused ones deleted.
Note: After you have finished populating the data into the XLSX template, you will need to save a copy on your desktop.
Upload XLSX Template
Now that you have saved the XLSX template to your desktop, the next step (step 3) is to select the populated user file for review. Click “Upload Users for Review”, which will ask you to locate the file to upload.
- Append Users: Merges net new users into a previously uploaded list of users.
- Delete Existing Users: Overwrites a previously uploaded list of users. Select “Delete Existing Users” if it’s your first time uploading a list of users.
Validate Uploaded Users
After your upload is complete, the tool will validate the correctness of the records before they are passed on to reviewers. Please click the Refresh button (step 4), highlighted in the image above, to see the results. You might have to wait a few minutes or more depending on the volume of the upload. Roughly 10,000 records are uploaded in less than a minute.
Validate Uploaded Users Cont.
Once the tool has completed the upload, please click on the “Validate Uploaded Users” link (step 5). A pop-up message will appear where you will see two tabs, Need Attention and Manage Valid Users.
Validate Uploaded Users Cont.
Select multiple, click edit. Inline edit – row by row.
Manage Valid Users – All the users that were entered correctly. You can still edit them here if you want, for example by updating the Assigned Reviewer and Backup Reviewer names, changing the role, or uploading another file to delete the user. You can also multi-select records for ease of use.
Need Attention – All the user records that have an error or warning appear here.
Error – You must fix all errors before moving to the next step. For example, the primary reviewer alias or secondary reviewer alias is invalid. You can use inline edits or bulk edits to change the values to correct strings and fix the error. Once the error is fixed, the record automatically moves to the Manage Valid Users tab.
Warning – The tool lets you ignore the warning and still submit the record for review on your own responsibility. Warnings do not block you from going to the next step. For example, an invalid user alias, or the alias of an employee who has left the organization, could be a warning. It is not blocked because audit requirements sometimes call for such records to be included in the review. Warnings remain in the Need Attention tab, but the records are included in the review. You will see all the details when you do the accuracy sign-off. Another example of a warning is when the reviewer is an EXECUTIVE; you as a CO can choose to still assign the review to that reviewer and accept the warning.
Validate Uploaded Users Cont.
Control Owner Accuracy Sign-off – after your upload is complete
This is a summary of your upload. By clicking this checkbox (step 6), you sign off on the uploaded users. If you have any issues and want to make changes, you can revisit the two tabs on the “Validate Users” page: Need Attention and Manage Valid Users.
Completeness and Accuracy Signoff
Signoff is required by the CO AND SCLO for the uploaded template of the users/reviewers.
**Custom Justification is optional to include in your review.
For audit purposes, the uploaded users and reviewers for your application review will need to be signed off by the CO and SCLO for accuracy and completeness. After the uploaded users have been signed off and the error and warning messages have been accepted, your next step is to click on “Signoff” for Control Owner (step 6).
**You also have the option to enable a custom business justification in your review. This will provide justification details for the users’ access. If Custom Justification is selected, you will need to Modify Justification by adding the justification content. When a reviewer selects “Retain Access” for a user, they will need to select one of the Justification Contents.
SCLO Completeness and Accuracy Signoff Notification
After completion of the CO sign off, you are ready to notify the SCLO to provide the Completeness and Accuracy sign off in the tool. A standard notification will automatically appear once you have completed the CO sign off. You also have the ability to update the verbiage in the notification if you want to customize the message.
Note: A feature has been added into VNEXT to notify the CO once the SCLO completes the Completeness and Accuracy sign off.
User Validation Phase
When all the sign-offs have been completed, you are ready to Enable the Review and Invite the Reviewers. Click on the Enable Review icon (step 7); then you can invite the reviewers to start their validation (step 8). The Removal of Invalid Accounts (step 4 of 5) is locked until all the uploaded users have been validated in the Validate Users page (a warning message will appear if this step is incomplete).
Note: You can also choose to escalate to backup reviewers on this page if required.
Removal of Invalid Accounts
The control owner needs to confirm that all the accounts marked by reviewers for revocation have been removed. There are two ways to do that:
- Manual invalid accounts check
- Automated invalid accounts check
Removal of Invalid Accounts Cont.
If you select the manual check, you will need to ensure that the user is no longer listed with that level of permissions in your application. When you have confirmed that the user’s level of permissions has been removed, click on the radio button “Yes” in the ‘Removal Validated’ column (step 9), as highlighted above, then click on save (step 10).
**Exporting the Invalid Accounts: You can also export the invalid user list by clicking on the Report menu located on the left and selecting “Invalid Accounts Report”.
Removal of Invalid Accounts Cont.
If you select the “Automated Invalid Accounts Check”, you need to upload the Excel template with the current user aliases. If the list does not contain the removed aliases, the verification is complete. The idea is to allow admins to take a fresh list of applications after removal and provide it as input to this step, to ensure that all invalid users have been removed and no longer appear in the list.
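The automated check described above can be rehearsed locally before uploading. The following is an added example, not SecureIT code: it assumes the original template and the fresh list are saved as CSV, that alias matching ignores case and surrounding spaces, and it uses constructed sample data and hypothetical function names.

```python
import csv
import io

# Constructed sample: the originally imported template, saved as CSV.
ORIGINAL_CSV = """User Alias,User Role,Region,Assigned Reviewer,Backup Reviewer
alice,Admin,EMEA,mgr1,dir1
bob,Approver,AMER,mgr2,dir1
carol,Reader,APAC,mgr3,dir2
"""

# Constructed sample: fresh list taken from the application after removals.
CURRENT_CSV = """User Alias,User Role,Region,Assigned Reviewer,Backup Reviewer
alice,Admin,EMEA,mgr1,dir1
 BOB ,Approver,AMER,mgr2,dir1
"""

def load(text):
    """Return (stripped header list, rows as dicts) for a CSV string."""
    reader = csv.DictReader(io.StringIO(text))
    return [h.strip() for h in (reader.fieldnames or [])], list(reader)

def norm(alias):
    # Assumption: aliases are compared without case or surrounding spaces.
    return alias.strip().lower()

def check_removals(original_csv, current_csv, revoked_aliases):
    """Return (format_ok, still_present).

    format_ok is False when the new file's columns differ from the original
    template; still_present maps each revoked alias that is still in the
    fresh list to the roles it holds there.
    """
    orig_headers, _ = load(original_csv)
    cur_headers, cur_rows = load(current_csv)
    format_ok = orig_headers == cur_headers
    revoked = {norm(a) for a in revoked_aliases}
    still_present = {}
    for row in cur_rows:
        alias = norm(row.get("User Alias") or "")
        if alias in revoked:
            role = (row.get("User Role") or "").strip()
            still_present.setdefault(alias, []).append(role)
    return format_ok, still_present

if __name__ == "__main__":
    print(check_removals(ORIGINAL_CSV, CURRENT_CSV, ["bob", "carol"]))
```

An empty `still_present` with `format_ok` true corresponds to the "verification is complete" outcome; any alias left in the mapping still holds access in the application.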
Control Owner Sign Off
Once you have verified that all of the users have been reviewed and invalid accounts have been removed, SecureIT enables the Control Owner and SCLOs to sign off in step 5 of 5. Complete the CO Sign-Off (step 11), then notify your SCLO to sign off. Once the sign-offs are initiated, you may no longer make any changes. If for some reason you need to make a change, please notify the Administrator.
SCLO Responsibilities
Review phases: Kick-off, Upload, Accuracy Sign-Off, Validate, Remove, Sign-off
- Site Admin: Start new review; Manage Review; N/A; Close review
- Control Owners: Upload list of users; Sign-Off of uploaded template; Review system accounts; Remove invalid users; Complete sign-off
- Reviewers: Review assigned users
- SCLOs
Access Type
- Site Admin: Full control to all
- Control Owners: Assigned workspaces – upload workbook, review users
- Reviewers: Review assigned users
- SCLOs: Assigned workspaces – sign-off only
- Auditor: Read-only to all
SCLO Process
After the Control Owner has signed off, they will notify you to sign off on the review as well.
- Visit the SecureIT VNEXT Tool
- Click on “Application Workspace(s)”
- Click on an application
- Complete the SCLO Sign-Off
- Repeat these steps if you have multiple applications or multiple tenant spaces
SCLO Sign Off
Once the Control Owner signs off on their review and notifies you to sign off, you will have to complete three steps (repeat these steps for every Application for which you are assigned an SCLO role). Step 1 is to click “Application Workspace(s)” from the home menu. Step 2 is to select your listed Application. Step 3 is to go to the bottom of the page and click “SCLO Signoff” for the selected Application. You will need to repeat this process, steps 1-3, for every listed Application you have under “Application Workspace(s)”.
Tips & Tricks
- “User Alias” and “User Role” are required columns in the XLSX template
- Do not delete the “Assigned Reviewer” and “Backup Reviewer” columns in the XLSX template, even if they’re not in use
- You can rename the custom field column headings
- You should delete custom columns when not in use. They will appear in the Validate User page if not removed.
- There is a multi-filter ability in the “Validate Users” page
- SecureIT will import hidden and filtered data
Common Error Messages
- Duplicates (where the same alias and role combination is listed more than once)
- Maximum number of characters for custom columns is 201 characters
- Format of new template doesn’t match the originally imported template (for Merging Records and Automated Invalid Accounts Check)
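The template rules and error conditions listed above can be checked before uploading. The following is an added example, not part of SecureIT: it assumes the populated template has been saved as CSV, that duplicate detection ignores case, and that the 201-character limit applies to custom column headings and values; the finding codes are hypothetical and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

REQUIRED = ("User Alias", "User Role")             # required fields per the page
KEEP = ("Assigned Reviewer", "Backup Reviewer")    # must stay even when unused
STANDARD = set(REQUIRED) | set(KEEP) | {"Region"}  # anything else is a custom field
MAX_CUSTOM_LEN = 201                               # limit quoted on the page

# Constructed sample; "Cost Center" stands in for a renamed custom field.
SAMPLE_CSV = (
    "User Alias,User Role,Region,Assigned Reviewer,Backup Reviewer,Cost Center\n"
    "alice,Admin,EMEA,,,CC-100\n"
    "bob,Approver,AMER,mgr2,dir1,CC-200\n"
    "Alice,admin,EMEA,,,CC-100\n"
    ",Reader,APAC,,,CC-300\n"
    "carol,Reader,APAC,,," + "x" * 202 + "\n"
)

def precheck(csv_text):
    """Return (row_number, code, detail) findings; row 1 is the header row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    reader.fieldnames = [h.strip() for h in (reader.fieldnames or [])]
    headers = reader.fieldnames
    findings = [(1, "missing-column", c) for c in REQUIRED + KEEP if c not in headers]
    if any(c not in headers for c in REQUIRED):
        return findings  # rows cannot be checked without the required columns
    custom = [h for h in headers if h not in STANDARD]
    findings += [(1, "custom-too-long", c) for c in custom if len(c) > MAX_CUSTOM_LEN]
    seen = Counter()
    for n, row in enumerate(reader, start=2):
        alias = (row["User Alias"] or "").strip()
        role = (row["User Role"] or "").strip()
        if not alias or not role:
            findings.append((n, "blank-required", "User Alias/User Role"))
            continue
        # Assumption: the alias and role combination is compared without case.
        key = (alias.casefold(), role.casefold())
        seen[key] += 1
        if seen[key] > 1:
            findings.append((n, "duplicate", f"{alias}/{role}"))
        for col in custom:
            if len(row[col] or "") > MAX_CUSTOM_LEN:
                findings.append((n, "custom-too-long", col))
    return findings

if __name__ == "__main__":
    for finding in precheck(SAMPLE_CSV):
        print(finding)
```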