2. KEY CHALLENGES
• Robotic process automation (RPA) is very quick and easy to put in place, and lines of business do not require IT support to do so. This development can bypass security practices and expose the organization to two main risks: data leakage and fraud.
• Even the most careful design of RPA will generate privileged accounts and possible breaks in segregation of duties, making transaction monitoring and other countermeasures to mitigate the risk of fraud of primary importance.
• Security review of scripts is difficult to automate because of the nature of the scripts, and could prove to be a bottleneck in RPA implementation and the change control process as the volume of bots increases.
3. LEARNINGS
Avoid Failure: Do Not Reuse Human Credentials With Bots
• Assign a unique identity to each RPA bot.
• Use multifactor authentication and rotate passcodes for RPA bot accounts.
• Do not hardcode credentials in RPA scripts.
4. LEARNINGS
Avoid Failure: Beware of Breaks in Segregation of Duties
• Separate developers and bot operators.
• Enable privileged session management where RPA leads to privileged accounts.
• Ensure close monitoring and fraud management, especially where breaks in segregation of duties are unavoidable.
• Lock down bots.
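An added example (not from the slides) of what a scripted control for the two slides above can look like: it audits a constructed account inventory for bots that reuse a human's credential and for identities that hold conflicting roles. The account names, role names, credential ids and the conflict matrix are all constructed for illustration.

```python
"""Audit a constructed RPA account inventory for two failure modes named on
the slides: bots reusing human credentials, and segregation-of-duties (SoD)
conflicts such as a bot that both enters invoices and approves payments."""

# Constructed inventory of accounts in the identity store. 'cred' is an opaque
# credential identifier (e.g. a vault secret id): two accounts with the same
# 'cred' value are sharing one password or key.
ACCOUNTS = [
    {"name": "alice",         "kind": "human", "cred": "c-1001", "roles": {"vendor.create", "rpa.developer"}},
    {"name": "bob",           "kind": "human", "cred": "c-1002", "roles": {"payment.approve", "rpa.operator"}},
    {"name": "bot-ap-01",     "kind": "bot",   "cred": "c-2001", "roles": {"invoice.enter", "payment.approve"}},
    {"name": "bot-vendor-01", "kind": "bot",   "cred": "c-1001", "roles": {"vendor.create"}},  # reuses alice's credential
    {"name": "bot-dev-01",    "kind": "bot",   "cred": "c-2003", "roles": {"rpa.developer", "rpa.operator"}},
]

# Constructed SoD matrix: role pairs that one identity must never hold together.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"invoice.enter", "payment.approve"}),
    frozenset({"rpa.developer", "rpa.operator"}),  # developers vs. bot operators
}

def find_shared_credentials(accounts):
    """Return (bot, human) pairs where the bot uses a human account's credential."""
    human_creds = {a["cred"]: a["name"] for a in accounts if a["kind"] == "human"}
    return sorted((a["name"], human_creds[a["cred"]])
                  for a in accounts if a["kind"] == "bot" and a["cred"] in human_creds)

def find_sod_violations(accounts):
    """Return (account, conflicting role pair) for every SoD pair fully held."""
    hits = []
    for a in accounts:
        for pair in SOD_CONFLICTS:
            if pair <= a["roles"]:
                hits.append((a["name"], tuple(sorted(pair))))
    return sorted(hits)

def audit(accounts):
    """Run both checks; empty lists mean no finding."""
    return {"shared_credentials": find_shared_credentials(accounts),
            "sod_violations": find_sod_violations(accounts)}

if __name__ == "__main__":
    for finding, rows in audit(ACCOUNTS).items():
        for row in rows:
            print(f"{finding}: {row}")
```

Running it against the constructed data reports the bot sharing alice's credential and the two bots holding conflicting role pairs; a real deployment would feed it the identity store export and run it as part of change control for each new bot.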
5. LEARNINGS
Avoid Failure: Ensure the RPA Tool Provides a Full Audit Trail and Essential Security and Compliance Features
• Ensure that the RPA tool provides a proper audit trail.
• Require an assessment of the RPA tool from a testing vendor.
• Address compliance risks.
6. LEARNINGS
Avoid Failure: Secure the RPA Life Cycle, Not Just the Operation
• Review and test RPA scripts.
• Implement change control for scripts.
• Use caution when utilizing free versions of RPA tools with sensitive data.
7. USER AND ENTITY BEHAVIOUR ANALYTICS
• Users tend to assume that everything can be put under RPA without understanding the maturity cycle.
• Users always expect the bot to run with 100% accuracy.
• End users expect that they will not have to do anything once the bot is introduced.
• Business users emphasize a low-cost model (how far the bot can be optimized).
• Users miss taking the other stakeholders (Compliance/InfoSec) along on the RPA project.
• Users overlook the functionality and security of third-party plugins and interfaces.
• Go-live does not happen as scheduled, and the bot fails in production even after successful UAT, owing to sudden changes in the functionality of third-party software or dependencies.