Audit Article, IT Audit Article, Security Article, Integrated Audit Article, Technical Article, IT Audit, Entitlement matrix

Security Restructuring Using the Entitlement Matrix Approach

By: Mitchell H. Levine, CISA
Audit Serve, Inc.

The objectives for a typical security design is to: (1) ensure that users are assigned access in accordance with the requirements of their job function; (2) provide an easily interpreted approach for requesting access to resources; and (3) provide a simplistic method to periodically reconcile the access granted.

To facilitate the implementation of these objectives, a new approach is being used to restructure the security which is referred to as the Entitlement Matrix Approach. When using this approach, resources are logically grouped whereby they can be assigned to users within a specific job function.

An example of this type of grouping of resources for a software development area consists of organizing resources by application and processing environments. Applications can be further grouped together if they are always supported by the same job function. In this example, a separate profile would be established for read access to an application’s production data, access to an application’s QA data, and alter access to system test data and program libraries. Depending on the area in which the security restructuring project is being performed (i.e., user, development, or data center), the resources which are logically grouped will vary.

In order to determine the access requirements of a specific job function a security policy must be defined which specifies at a generic level the access to be granted to specific job functions. An example of a security policy is as follows:

· Only users will have update access to production data
· Application developers will only have inquiry access to production and QA data
· Only the software management system will have update access to software libraries used to migrate
changes to the QA test and production environments
· Only users will have access to the production and QA online transactions

The most difficult task in any security design is to determine the resources which are required for a specific job function. This objective is often impeded by the lack of a dataset naming convention. Although a standardized dataset naming convention may be in place, many older applications will not have converted their dataset to conform to the new standard. Since the entitlement matrix consists of grouping resources by application and processing environment, various approaches may have to be used to determine the application and processing environment to which a dataset relates.

When performing a security restructuring of an existing environment it is common to establish new grouping of profiles since the old structure which was used does not provide the ability to separate access by job function. When new profiles are established, individuals would expect to obtain the same level of access unless their access violates the security policy which was established.

The second component of this security restructuring exercise is the establishment of a process to request access to resources. If the resource groupings have been properly established and documented, the actual form used to request access for a new user would only require the job function to be indicated. This approach would eliminate the need for the requester to understand the resources which are required for their job function. In addition, an understanding of the security systems resource types would have to be known by the requester.

The last component of the security restructuring project is to establish a set of reconcilement steps to ensure that the entitlement matrix itself is accurate. The entitlement matrix consists of the profiles which represent various resource groupings. Assuming that a job function has been established to ensure that resources are placed in the proper grouping, the security reconcilement should only have to verify that individuals are assigned to their proper groupings. If a dataset naming convention is being used, the security reconcilement could also include the verification that datasets are assigned to their proper groups.

The entitlement matrix approach is a set of common sense controls which are enforced by administrative disciplines. However, in order to successfully deploy this approach a person would require knowledge of the security systems resource types.




For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at

Copyright  2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

AuditNet - The Global Resource for Auditors

Audit Vision

Since 1991
Join 3,500 other subscribers



Free Audit Serve Seminars Posted Online

25 minute extract from the seminar entitled "Alternate Control Design Approaches for z/OS" presented by Mitch Levine in London (at the Churchill War Rooms) March, 2018 which would be of interest to IT Audit, Security and GRC personnel

General Data Protection Regulation Seminar

Copyright © 2015. All Rights Reserved.