As users make security changes like the ones we’ve seen in this series, there are often requests to retain excess access. The key with these is to really consider the job being done and ask lots of questions.
In the last of this multi-part blog series, we're reviewing quick fixes to improve NetSuite security, with this last blog pressing the question "How Much Access is Too Much?".
Security Fixes for NetSuite: Is Excess Access A Good Thing?
For example, the CFO role should be an executive role, not a job that involves entering journal entries. In most organizations, that same thinking should apply to the Controller position. A Controller may help shape a journal entry, assist with getting the accounts right, etc., but the Controller should be asking someone else to make an entry, not processing transactions.
Executive jobs are not transactional jobs. There are plenty of examples where executives have processed transactions as a means to defraud the organization.
This questioning trickles through to other roles as well, and it’s important to ask the same questions. What is this person’s job? Their responsibilities? Their role in the organization? What access is appropriate?
In many cases a user’s request for access is about convenience. While a user might ask for view-only access to customers, don’t be afraid to just give access to a report with the same data. Why? It’s easy to make the case that someone already has read-only access to a window, so now they just need additional access to make a small change. It feels like a smaller request than going from a report to being able to change a customer. If there are alternative ways to accomplish the same result, use those. If not, companies need to consider the risk/benefit of allowing excessive access.
Requests like these may also be made to support or back up another individual, but granting access year-round to cover two weeks of vacation leaves open a pretty big hole for most of the year. It’s convenient for the user and administrator to grant this access, but it’s a poor security choice. Is the benefit of not changing security twice a year worth 50 weeks of risk? A well-designed program to assign and remove access quickly as needed helps reduce year-round risk.
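One way to put the two questions above (is an executive role processing transactions, and has a backup grant outlived its two weeks) into a repeatable review is a script run over the current role assignments. The following is an added example, not code from the original post or from NetSuite; the grant list is constructed, and the "reason" and "expires" fields are assumed to be recorded by the administrator when access is granted for coverage rather than for the person's own job.

```python
from datetime import date

# Constructed sample of user/role/permission grants, not a real NetSuite export.
# "level" uses NetSuite-style permission levels (View/Create/Edit/Full);
# "reason" and "expires" are assumed fields recorded when a grant is made
# to back up someone else rather than for the user's own job.
GRANTS = [
    {"user": "cfo", "role": "CFO", "permission": "Make Journal Entry",
     "level": "Full", "reason": "standing", "expires": None},
    {"user": "controller", "role": "Controller", "permission": "Make Journal Entry",
     "level": "View", "reason": "standing", "expires": None},
    {"user": "ap_clerk", "role": "A/P Clerk", "permission": "Enter Vendor Bills",
     "level": "Full", "reason": "standing", "expires": None},
    {"user": "ap_backup", "role": "A/P Clerk", "permission": "Enter Vendor Bills",
     "level": "Full", "reason": "vacation backup", "expires": "2024-07-14"},
    {"user": "ar_backup", "role": "A/R Clerk", "permission": "Customers",
     "level": "Edit", "reason": "vacation backup", "expires": None},
]

# Roles the post argues should not process transactions themselves.
EXECUTIVE_ROLES = {"CEO", "CFO", "Controller"}
# Permission levels that let a user create or change records (View is excluded).
TRANSACTIONAL_LEVELS = {"Create", "Edit", "Full"}


def review_grants(grants, today_iso):
    """Return (finding, user, permission) tuples for grants needing attention:
    executives holding transactional access, backup grants past their end date,
    and backup grants with no end date at all (the 50-weeks-of-risk case)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for g in grants:
        if g["role"] in EXECUTIVE_ROLES and g["level"] in TRANSACTIONAL_LEVELS:
            findings.append(("executive_transactional", g["user"], g["permission"]))
        if g["reason"] != "standing":
            if g["expires"] is None:
                findings.append(("backup_without_expiry", g["user"], g["permission"]))
            elif date.fromisoformat(g["expires"]) < today:
                findings.append(("backup_expired", g["user"], g["permission"]))
    return findings


if __name__ == "__main__":
    # Run the review as of a constructed date; the Controller's View-level
    # access is not flagged, matching the post's distinction between shaping
    # an entry and processing it.
    for finding in review_grants(GRANTS, "2024-08-01"):
        print(*finding)
```

Running the review on a schedule (and after every vacation window closes) turns the "remove access when the two weeks are over" step into something that is checked rather than remembered.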
This series is just a start. It won’t solve all of a company's security needs or plug every hole, but the items we’ve covered can address significant, pervasive issues and provide a solid foundation for long-term security improvement.
You can find all of the fixes in this series at NetSuite Easy Security Fixes.
Looking for even more useful NetSuite security best practices?
Get our "NetSuite Change Management" paper which examines the native NetSuite functionality available to deploy effective change management in a NetSuite environment, including best practices, the change monitoring process, as well as the change review/sign-off process.