CA Endevor

Expand all | Collapse all

Endevor Access Reviews

  • 1.  Endevor Access Reviews

    Posted 08-14-2020 03:44 PM

    I am reaching out to the community to see how others are handling their Endevor Access Reviews. As part of an audit control, we are performing them semi-annually. The current process however is very labor and administrative intensive. Our security team runs Top Secret Reports on all the Endevor Profiles (approximately 300). These reports are sent out to the application managers of those profiles to review and determine if the ID's associated within those profiles are appropriate or not. A spreadsheet is used to track when the reports were forwarded for review, and when they are returned. Deletes are processed based on those reply's by the security group managing Top Secret. ID's are suspended for 30 days then deleted.

     

    Is there a more automated means within Endevor to produce access reports, or has someone developed a process integrating with Endevor or Top Secret that could simplify this review process?

     

    Thank you,

     

    Michael S. Grabski

    Information Technology Services | Production Compliance & Controls

    msgrabski@comerica.com

    Office – 248-371-4297

    Cell – 313-204-9282

     



    Please be aware that if you reply directly to this particular message, your reply may not be secure. Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com to submit a secure form using any of the "Contact Us" forms. In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email.


  • 2.  RE: Endevor Access Reviews

    Posted 08-14-2020 06:06 PM
    Hi Michael.

    We use RACF, not Top Secret so not sure it compares but under RACF, our TSO IDs are suspended after 45 days of inactivity & revoked after 90. Revoked IDs are auto-deleted from all RACF resources, datasets, and groups. That still doesn't stop the company from wanting to be more pro-active so once a quarter, my company does the same as yours - sends out a list of everyone with access asking the managers to keep or remove each direct report's access. I think the only thing that makes it manageable is our list isn't as large because of the RACF 'auto-delete after 90' feature.

    In terms of Endevor access reports, you can certainly set up a batch process to execute the Top Secret Endevor access reports on a more frequent basis. Make the reports available to management. No reason to wait to have someone removed.

    Finally, 300 ESI rules seems like a lot (unless that's 1 per application). it might be worth it to see if they can be made more generic. That is, you don't need a rule for ADD access, a 2nd rule for UPDATE access, a 3rd rule for GENERATE access.  Having a well thought out BC1TNEQU name equates / function equates table can go a long way to expediting Endevor access reviews.

    Dave







    ------------------------------
    Configuration Engineer Senior Advisor
    Anthem
    ------------------------------



  • 3.  RE: Endevor Access Reviews

    Posted 08-17-2020 08:29 AM

    Thank you for your input Dave. Much appreciated. I'll speak to our Information Security Group to see what they have to say.

     

    Michael S. Grabski

    Information Technology Services | Production Compliance & Controls

    msgrabski@comerica.com

    Office – 248-371-4297

    Cell – 313-204-9282

     



    Please be aware that if you reply directly to this particular message, your reply may not be secure. Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com to submit a secure form using any of the "Contact Us" forms. In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email.





  • 4.  RE: Endevor Access Reviews

    Posted 09-08-2020 02:09 PM
    Hi Michael,

    It may be worth talking with your security/compliance group(s) to discuss the possibility of doing access reviews on all Top Secret profiles, and not just the Endevor ones.

    This way, the Endevor Top Secret profiles and all the other profiles can be reviewed/updated following a corporate standardized method.

    Hope this helps.

    -Phil

    ------------------------------
    Phil Gineo
    Senior Systems Engineer
    Aetna / CVS Health
    Hartford Connecticut USA
    ------------------------------