The Perils of Provisioning Done by "Favor"

Here’s the classic scenario that has played out numerous times at many an organization - “the favor.”

 

A charismatic end-user saddles up to the cubicle wall of an IT friend and asks if they can do him a favor. They need access to an application in order to complete an urgent task for a VP. The IT staff knows and trusts the end-user and assumes all is on the up and up. They said they need the access urgently for a task they are working on for the VP and the IT staff doesn’t want to be the reason for any failure. So, they grant them the access and forget about it.

 

The problem with this scenario is there’s no oversight into whether or not the end-user really should have access to that application. Depending on the role they have within the organization, granting them access may even be in violation of a compliance regulation which could result in a fine for the organization, something the IT staff member may not be aware of. Not even considering any malicious intent, having no approval process in place for such requests is very dangerous.

 

The reality is that the organization in the above example may have a process in place for requests to go through, but if those requests take a couple of days to be processed, then that may be why the end-user called in the favor. However, if the request process is automated so that it funnels directly through to the appropriate approver from the business (not IT) immediately and then once approved, if a workflow is already set up to automate the provisioning of access, then favors wouldn’t need to be called in to IT. In fact, it could be a simple matter of the end-user looking at the request status to see who they are waiting for the approval from and calling that person to ask them to look at the pending request immediately. Another added bonus, is that since everything is done appropriately in the request system, it will also be logged for future audits to show when, who and how the access was granted - something “favors” are lacking.

 

If you’d like to explore more information on why provisioning should move away from IT and into the hands of the business, I invite you to read this white paper on the subject.

Anonymous