Space for the KPMG IT revision report findings for revision year 2023 and the actions that follow from them. Focus: IFS and Vivaldi, plus some HR/AD items to handle. (From year 2023.)
KPMG report to be added and also split into actions for the PO teams, Infra and Sec.
KPMG focus areas 2024, confirmed 1/7. Tests to be done in weeks 40-42:
- IFS
- Vivaldi
- Active Directory
- (Jira)
KPMG would like to receive the following to 'understand Ahlsell IT':

| KPMG questions | Responsible | Uploaded to KPMG file share (date) |
|---|---|---|
| The main document with information about the business ("KPMG_Ahlsell intro Revision" was the name last year). This document contained various types of information, such as supplier changes etc. | Anders/Maria | |
| Organizational chart. | Anders/Maria | |
| System map. | Anders/Martin | |
| Cyber Self-Assessment (Digital Maturity, AI, and security). | | |
| Contract/service descriptions (SLA for CGI and IFS). | Rikard: CGI, Anthony: IFS | |
| Incident management process (if there has been an update). | Rikard/Lars | |
| List of which subsidiaries exist and additional information about what is handled centrally and what is handled separately by each company. | Anders/Maria | |
| Yearly reports: IFS SOC 1 Type 2 and CGI ISAE 3402. | Rikard: CGI, Anthony: IFS | |
All the requested materials are to be uploaded to the KPMG file share area: Ahlsell IT Revision 2024 > From Ahlsell to KPMG > Understanding of IT.
KPMG report 2023:
Guideline for access to KPMG file share:
KPMG recommendations from 2023 report

| KPMG report ID | Recommendation | Jira ticket/status |
|---|---|---|
| 1.1 | We recommend that Ahlsell strengthens its procedures around the removal of user permissions in IFS10; furthermore, we recommend that Ahlsell ensures that periodic reviews of users' permissions in IFS10 are carried out. | |
| 1.2 | We recommend that the procedure for handling permissions is harmonized among the Nordic countries and implemented centrally in a way that enables reliable traceability of all additions of permissions. | |
| 2.1 | When we review the procedure for adding permissions in IFS10, we still note the lack of a formalized and documented routine. We recommend that the procedure for managing permissions is harmonized among the Nordic countries and implemented centrally in a way that enables reliable traceability of all additions of permissions. | |
| 2.2 | In this year's (2023) review of the access review control, it was noted that the access review for users in IFS10 was not done. Furthermore, there is still a lack of a formally documented routine for periodic access reviews. The review has discovered that the lack of access reviews and the transfer of users from previous systems has led to a user being found, at the time of the review, to have inappropriate permissions for their role. More details can be found in section 2.3. The observation from previous years remains. | |
| 2.3 | During this year's (2023) review of the high permission control, an inappropriate user was identified based on job role with high privilege. Furthermore, the review noted that logs for users with high permissions are not followed up. KPMG recommends that Ahlsell introduce a formal routine for periodic review of high permissions in IFS10. KPMG also recommends that Ahlsell activate logging in important data areas to be able to track the activity of users with high permissions. The observation from previous years remains. | |
| 2.4 | This year's (2023) review of users who have finished identified that 53 user accounts are still active in Active Directory after their end date. Furthermore, it was noted that 9 of these users had a login date in Active Directory after their end date. Of the 9 users who have logged in to Active Directory after the specified end date, KPMG has been able to confirm that none of them performed any activity in Vivaldi after the end date. For 1 of the users, HR was, at the time of the review, lacking the documentation required to carry out a correct deletion of the account. The observation from previous years remains. | |
| 2.5 | During the 2023 review, KPMG noted that there is no formal procedure for reviewing all application users in Vivaldi. When we take into account the comments from Ahlsell from previous years, we understand that there are still challenges with implementing a periodic review of permissions. This still constitutes a risk that is thus added to this year's report. Observations from additions and removals of permissions indicate that a periodic review would have reduced the risk of inappropriate permissions not being detected. If the process is not going to be added, the recommendation is to add it as an approved deviation in your formal policy. The observation from previous years remains. | |
| 2.6 | KPMG still lacks the documentation that strengthens a technical segregation of duties in the implementation of functionality in Vivaldi. During the implementation of program packages, an IMESS account in IBM AIX is used. Upon inspecting logs, KPMG has noted that developers at IMI have had access to the IMESS account during the year. KPMG recommends that Ahlsell limit developers' access to the IMESS account used to implement changes in production. The observation from previous years remains. | |