Active Directory WorkFlow for Compliance
ADManager Plus, with its workflow capabilities, can function both as Active Directory ticketing software and as a mini IT-compliance toolkit!
As a ticketing software...
Workflow can function as basic, yet precise, Active Directory ticketing software. This comes in handy when executing tasks like creating and disabling users, which are simple but crucial to the security of the Active Directory. Workflow presents Active Directory ticketing with three important aspects:
Accountability: Workflow also lets you view all the requests raised so far, provided they have not been deleted! Small though it may seem, this gives the administrator an edge in compliance, as it provides a 'single-window view' of all the tickets that have been resolved through the product so far!
These features make ADManager Plus Workflow an ideal tool to manage basic Active Directory tickets in the most secure and efficient way! But the native AD tools, PowerShell, etc. do not offer much when it comes to defining a workflow in your Active Directory.
As a compliance software...
In today's world of corporate entities, 'compliance' has become a bare minimum requirement to avoid massive financial liabilities and the threat of those dubiously distinguishing 'CNN moments'! Non-compliance is not...and never will be an option! Adding to all this, new compliance rules are periodically appended to the pre-existing chain.
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
Formally document all existing processes and controls for financial reporting - and who owns the controls.
Evaluate the design and effectiveness of internal controls using the de facto standard, the COSO Internal Controls - Integrated Framework.
Requires companies involved in banking, export and import, insurance, securities, and tourism to ensure (and be able to prove!) that they are not dealing with certain foreign countries, nor any drug dealers, suspected terrorists, or other criminals.
It is clearly seen that all these laws converge at a single point: Information Security and Workflow! It is, from the aforementioned excerpts from HIPAA, SOX and USA PATRIOT, evident that compliance is one of the foremost requirements for any organization...and the task of ensuring this is largely in the hands of IT Management.
ADManager Plus kicks in to ease the task of using Active Directory for compliance! As a central repository of all information in the organization, Active Directory is 'the' point to start with when it comes to compliance. ADManager Plus, with its workflow feature, makes these compliance tasks child's play! There are several laws for which compliance can be established using ADManager Plus:
How ADManager Plus's Workflow Assists in Compliance...
ADManager Plus can be used to assure compliance with several regulatory laws! Let us take, for example, the one below:
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member. - HIPAA [Sec. 164-308-3 (c)]
Imagine the trouble caused when a helpdesk tech deletes a user inadvertently, or the havoc that a user account which should have been deleted but still exists can cause if exploited by disgruntled employees!
That is the reason several IT compliance laws emphasize implementing a judicious user account termination policy!
Compliance with this particular section of HIPAA can be executed either manually, or can be automated using Robo Requester.
Using ADManager Plus Workflow, creating and implementing such a policy is easy. Define a "workflow" as follows:
A helpdesk technician can be designated as a "Requester" who can create requests ONLY for disabling user accounts. From time to time, he will scan the AD for inactive accounts as well (this task can be scheduled to operate automatically) and request a delete operation.
A higher authority can be assigned the role of a reviewer and the person can review requests from the technical helpdesk.
Another higher authority or an administrator can approve and execute the reviewer's recommendation, which could be disabling accounts or deleting them.
Depending on your IT and business needs, you can configure the "reviewer", "approver", and "executor" functions to be handled by the required personnel.
As opposed to a non-linear process, this workflow ensures everything goes fine, leaving no room for error. It clearly outlines the policies for deleting a user and handles the entire process transparently. At the end of the process, it is also ensured that no stale or terminated user account has remnant access rights to any privileged information inside the network.
Using this automation tool, you can automate requests based on a condition that isolates data from reports. Taking the above case as an example, a report can be run for Inactive Users, and an automation can be set up to raise a user-delete request for those who have not logged in for the past thirty days. This request will undergo the normal process defined in the workflow, viz. approval and execution. Thus the monotony of creating recurring requests manually is a thing of the past!
Let us consider a case where a person has been on leave for 30 days. It is still an inactive account as far as Active Directory is concerned! What if this user is deleted inadvertently?! This is where the entire approval process proves significant in sealing such loopholes!
If the person has not logged in for the past thirty days because of a legitimate reason known to the reviewer, the reviewer can reject the requests to delete such users! It is evident that ADManager Plus Workflow works to avoid any inadvertent mishap in the Active Directory by tightening the linear flow of the process path!
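The request, review and approval path described above can be modelled in a few lines. This is an added example, not ADManager Plus code or its API: the class and function names, the role names and the sample accounts are all assumptions made for illustration. It raises delete requests for accounts idle for more than thirty days, lets the reviewer reject the account on leave, and refuses to let one person fill two roles on the same request.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=30)   # threshold taken from the page

@dataclass
class Request:
    account: str
    action: str
    requester: str
    state: str = "pending_review"
    trail: list = field(default_factory=list)   # (actor, role) audit trail

    def _step(self, actor, role, allowed_from, new_state):
        if self.state != allowed_from:
            raise ValueError(f"{self.account}: cannot {role} from state {self.state}")
        # Separation of duties: nobody acts twice on the same request.
        if actor == self.requester or any(actor == a for a, _ in self.trail):
            raise PermissionError(f"{actor} already acted on {self.account}")
        self.trail.append((actor, role))
        self.state = new_state

    def review(self, actor, accept):
        self._step(actor, "review", "pending_review",
                   "pending_approval" if accept else "rejected")

    def approve(self, actor):
        self._step(actor, "approve", "pending_approval", "approved")

def raise_requests(last_logon, today, requester="robo-requester"):
    """Automated step: one delete request per account idle past the threshold."""
    return [Request(acct, "delete", requester)
            for acct, seen in sorted(last_logon.items())
            if today - seen > INACTIVE_AFTER]

def run_workflow(last_logon, today, on_leave, reviewer, approver):
    """Return (accounts cleared for deletion, all requests with their trails)."""
    requests = raise_requests(last_logon, today)
    for req in requests:
        # The reviewer rejects accounts with a known, legitimate absence.
        req.review(reviewer, accept=req.account not in on_leave)
        if req.state == "pending_approval":
            req.approve(approver)
    return [r.account for r in requests if r.state == "approved"], requests

# Constructed sample data: account name -> last logon date.
SAMPLE = {"asmith": date(2024, 5, 28), "bjones": date(2024, 3, 1),
          "cdoe": date(2024, 4, 20)}   # cdoe is on approved leave
TODAY = date(2024, 6, 1)
```

The rejected request stays in the returned list with its trail, which is the 'single-window view' of resolved tickets that the accountability point relies on.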
Now that's one more feather added to ADManager Plus's cap - a mini-compliance management system!! With an inventory that works for the requirements of almost all acts, this comes as a cost-effective tool too! Your expenses are cut down, not just from paying millions for violating the acts, but even from the moment you start using ADManager Plus - the complete Active Directory management solution, now with Workflow monitoring for Active Directory ticketing and compliance!!!
"We evaluated ADManager Plus along with several other Active Directory Management and Reporting software. After using it really made life easy for administrators. It is very understandable and fast to learn, I didn't even read the manual."
Bogdan Campeanu, Network Engineer