Completing Identity Management

Case Studies

ORGANIZATION: The Toro Company
BUSINESS PROFILE: Headquartered in Bloomington, Minnesota, The Toro Company is the #1 brand for outdoor turf management with more than 5,000 employees and annual revenues of almost $2 billion. The Toro Company provides innovative turf landscaping solutions for both the residential (mowing equipment, home solutions, snow) and professional (grounds, golf, agriculture irrigation) market segments.

Sarbanes-Oxley Compliance Drives Identity Management Development at Toro

As maintaining up-to-date, detailed records of data access becomes increasingly critical for Sarbanes-Oxley compliance, organizations need robust monitoring and auditing tools. These tools have to provide an ongoing, supportable framework so that compliance can be sustained over time. Sarbanes-Oxley compliance is no longer an issue for accountants and attorneys alone; IT departments now carry major responsibilities for ensuring that compliance goals are achieved. The Contouring Engine® helps them do just that.

The Situation

Toro’s challenge in achieving Sarbanes-Oxley compliance was the same as that of most major corporations: how do you ensure that only the correct people are accessing the correct information at the right time?

Toro operated on a rudimentary Role Based Access Control (RBAC) system to assign access to employees. These roles presented several problems for achieving compliance; for example, individuals in a role could have more access than necessary. Additionally, excessive and inappropriate access could not be monitored or reported on.

The Solution

To improve their identity management program and automate their audit process for regulatory compliance, Toro implemented The Contouring Engine® from Prodigen. The Contouring Engine® collects data on the real-time activities of users. From this harvested data, The Contouring Engine® creates contours (profiles) of use. Based upon these contours, Toro is able to:

  • Evaluate how users are accessing the system, and
  • Create more appropriate role definitions and access privileges.

As a result, Toro has implemented a more robust and long-lasting RBAC model.

The Contouring Engine® also provides automated alerts when users commit abnormal activity in the system. These alerts notify the appropriate gatekeeper, either the internal auditing staff or the user’s supervisor, and create a record of the action for reporting/auditing purposes. These alerts also provide Toro with visibility into the actual activity of their users.

"When we first turned this system on, one of the things that jumped out at us was how much our users were sharing their IDs… The Contouring Engine® has given us strong visibility into how our systems are actually being used," said Steve Watne, Manager of Enterprise Security at Toro.

After identifying areas of concern in their users’ behavior, Toro was able to better educate them on how to use the system correctly. This dramatically:

  • Reduced the number of alerts they received, and
  • Limited those they did receive to only the most valid ones.

When external auditors saw that 432 users at Toro had access to a critical financial transaction, they required Toro to reduce that number. Using the profiling functionality of The Contouring Engine, Toro was able to go back and look at actual user activity and determine that only 13 people within the entire company had ever accessed that specific transaction. They were able to strip access to the transaction from the other 419 users and comply immediately with the auditors’ request.

Before implementing The Contouring Engine®, determining who actually needed access would have been a lengthy process. Each manager would have been asked to evaluate whether or not the employees with access in their department really needed it to do their job. Eliminating this process reduced the amount of time and money it cost Toro to comply.

The Contouring Engine® provides Toro with reports that allow them to identify underutilized systems, permitting them to decide whether or not they should continue investing in them. Profile reporting allows quick, reliable role development based on logical data. Toro also now has the ability to apply strong, documented detective controls to achieve Sarbanes-Oxley compliance. This visibility into actual usage gives Toro the ability to make rapid decisions on excessive access and segregation of duties cleanup.

These were unexpected yet welcome benefits of The Contouring Engine® for Toro. “We bought The Contouring Engine® as a security tool and we’re finding we’ve got this wonderful Sarbanes-Oxley compliance tool. It’s been great,” according to Steve Watne.

In the future, Toro plans to implement The Contouring Engine® in other areas of their business, including their:

  • Sourcing applications,
  • AD logging, and
  • Extranet.

Related Documents:
  • Digital ID World Presentation.pdf
  • Digital ID World Audio.mp3
    • Steve Watne, an identity and access management executive at Toro, was a featured speaker at the Digital ID World Conference in San Francisco. The title of his presentation was Innovation Cuts the Cost of SOX 404 Compliance While Improving Security at Toro.
    • Toro is utilizing innovative security technology to:
      • Expedite the process of role development and refinement, as part of their efficient identity management
      • Automate the audit process for SOX 404 compliance
      • Protect their most critical and confidential digital assets through application monitoring and alerting
    • Please download both the slides and the audio, and run them concurrently to see and hear Steve’s presentation.
  • Toro-Digital ID World Article.pdf
    • At the Toro Company, identity brings security and compliance with respect for employees. This is an article reprint from Digital ID World magazine.
  • Toro White Paper.pdf
    • Toro’s CIO reports on how deploying The Contouring Engine® has added significant business value to his organization. This white paper tells that story.
  • Toro-Enterprise Systems.pdf
    • Sarbanes-Oxley, the need to improve monitoring, and a desire to move administration and accountability closer to end users, drove Toro to invest in record-level enterprise application monitoring software from Prodigen. This newsletter tells that story.