Tough Times Demand Strong Governance, Risk and Compliance Programs
September 16, 2008
As an undergrad, I snapped up a course entitled “Economics of Poverty” as an easy way to breeze through my non-technical credits, and it turned out to be one of the most insightful classes that I’ve ever taken.
One of the lessons from that class that is especially relevant in these uneasy times is this… Poor people aren’t more likely to steal because they are less moral, they are more likely to steal because, in relative terms, the opportunity cost is low and the reward is high. If you are affluent and you get caught with your hand in the bread basket, you risk reputation and stature. If you are poor, you risk not feeding your family.
Why should you care? Because the layoffs at the behemoth Bank of America and the near-instant vaporization of the once iconic Bear Stearns are sure signs that things have gotten a whole lot worse for the average financial services employee. In economic terms, the relative benefit of stealing from one's employer has increased dramatically, and there will be a commensurate increase in breaches from inside every enterprise. That's not hyperbole, it's just economics. If you want a second opinion, ask someone from LendingTree.
Said more formally, it is time for financial services companies to be more proactive about risk management, preventing unauthorized personnel from gaining access to information or systems they shouldn't have. Without control there can be no governance, risk management or compliance. There must also be a consistent flow of communication between the CEO, CFO and CIO offices to ensure that these measures are put in place and enforced.
An effective governance, risk and compliance (GRC) strategy starts with controlling access. Traditionally, organizations have taken a tactical approach, relying on manual provisioning and point GRC solutions, and have focused on making sure that employees have the access they need to do their jobs. While these sound like tasks that should be standard procedure, the increasing prevalence of insider breaches suggests otherwise. Beyond granting users the access their jobs require, companies must ensure that those rights are removed promptly when someone leaves the organization.
The LendingTree incident illustrates the problem. According to a letter released by the company, several former employees shared passwords and access to proprietary data with friends in the mortgage lending industry, in some cases as much as six months after they had stopped working at the company. Evidently, access to privileged information was not being terminated when employees left. The breach could have been prevented by simple controls for managing orphaned accounts: accounts that still provide access to proprietary data and applications but belong to a user who is no longer employed by the company.
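The orphaned-account control described above comes down to one join: the accounts that exist in each application or directory against the HR roster, flagging every enabled account whose owner has left or whom HR does not know at all. The following is an added illustration written for this article, not code from LendingTree or from Courion's products. The `Account`, `Person` and `Finding` shapes, the `grace_days` parameter and the sample roster and account list are all constructed for the example.

```python
"""Orphaned-account check: join an application's account list against the HR
roster and flag enabled accounts whose owner has left, or has no HR record.
Sample data is constructed for this illustration; the record shapes are an
assumption, not a product schema."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    system: str                  # application or directory the account lives in
    username: str
    owner_id: Optional[str]      # HR employee id; None if never mapped to a person
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str                  # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    account: Account
    reason: str
    days_orphaned: Optional[int]  # None when there is no termination date to count from


def find_orphaned_accounts(accounts: List[Account], roster: List[Person],
                           as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return every enabled account that should no longer exist.

    grace_days lets a nightly deprovisioning job avoid flagging a departure
    it has not yet had the chance to process.
    """
    by_id: Dict[str, Person] = {p.employee_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                  # already disabled: nothing to do
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            # No HR record behind the account: nobody is accountable for it.
            findings.append(Finding(acct, "no HR owner on record", None))
            continue
        if owner.status != "terminated":
            continue
        if owner.termination_date is None:
            findings.append(Finding(acct, "owner terminated (date unknown)", None))
            continue
        age = (as_of - owner.termination_date).days
        if age < grace_days:
            continue
        reason = "owner terminated"
        if acct.last_login and acct.last_login > owner.termination_date:
            # The LendingTree pattern: the credential kept being used after departure.
            reason += "; used after departure"
        findings.append(Finding(acct, reason, age))
    # Oldest orphans first; accounts with no date to count from go last.
    findings.sort(key=lambda f: -f.days_orphaned if f.days_orphaned is not None else 1)
    return findings


def remediation_plan(findings: List[Finding]) -> List[str]:
    """Turn findings into the actions a provisioning connector would carry out."""
    actions = []
    for f in findings:
        actions.append(f"disable {f.account.system}:{f.account.username} ({f.reason})")
        if "used after departure" in f.reason:
            actions.append(f"open investigation: {f.account.system}:{f.account.username} "
                           f"logged in {f.account.last_login} after owner left")
    return actions


# Constructed sample data: an HR feed and one application's account list.
ROSTER = [
    Person("E100", "active"),
    Person("E200", "terminated", date(2008, 3, 10)),
    Person("E300", "terminated", date(2008, 9, 14)),
]
ACCOUNTS = [
    Account("mortgage-portal", "alice", "E100", True, date(2008, 9, 15)),
    Account("mortgage-portal", "bob", "E200", True, date(2008, 8, 20)),   # used months after leaving
    Account("mortgage-portal", "carol", "E300", True, date(2008, 9, 12)),
    Account("mortgage-portal", "svc_report", None, True, None),          # never mapped to a person
    Account("crm", "bob", "E200", False, date(2008, 3, 9)),               # correctly disabled
]

if __name__ == "__main__":
    for action in remediation_plan(find_orphaned_accounts(ACCOUNTS, ROSTER, date(2008, 9, 16))):
        print(action)
```

Run as-is, the check disables three accounts and opens an investigation for `bob`, whose last login is five months after his termination date. The unmapped service account is flagged as well: an account with no accountable owner is orphaned by definition, even if nobody has left.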
To avoid being caught reacting after a breach, companies need to get aggressive about gaining control over user access and take the offensive against the insider threat. Closing the security gaps in processes such as new-employee onboarding, changes to access rights when job responsibilities change, and departures from the organization requires a comprehensive risk management strategy that incorporates the following:
User Provisioning: Automates the administration-intensive tasks of creating, modifying and disabling access, which delivers efficiency and cost savings while ensuring that security policy is enforced. This is a critical need for regulatory compliance.
Access Compliance: Establishes preventive controls around who has access to what and when, by examining each user's access, comparing it against policy, and automating remediation and corrective action. Segregation of duties (SoD) is particularly critical in compliance environments where users hold multiple roles and where assignments of users to roles change frequently. The SoD check takes the set of roles assigned to a user, computes the union of access rights across all of them, and tests that combined set against the access control policy, because two roles that are each acceptable on their own can together grant a toxic combination. A similar process detects attribute-level conflicts across multiple roles, where a right is only in conflict above some threshold, for example an approval limit.
Password Management: Allows users to securely reset their own passwords and synchronize them across multiple systems and applications; provides fast, automated logons to Web, Windows and host-based applications; and centralizes administrative passwords so that policy can dictate when they are rotated and who may retrieve them. There should also be a profile management component that lets employees, business partners and customers privately and securely register and maintain their authentication questions and answers and their personal profile information directly in the company's existing LDAP directories and corporate databases. Letting users maintain their own profile data makes collection and management more efficient, reduces support costs, enables more personalized service, and helps protect the privacy and security of users' digital identities.
Role Management: Helps organizations deploy user provisioning by simplifying security policy administration and enforcement. Role management automation replaces the manual, cumbersome and inefficient process of role creation and ongoing access control management, and creates a foundation for role lifecycle management that adapts to the constant stream of access control changes in today's business environment. Role lifecycle management is needed to keep up with changes over time: modifying or deleting the attributes associated with a role, enabling or disabling roles, and tracking the history of changes to each role. Role history analysis is a particularly important capability for compliance analysis and reporting.
Data Loss Prevention (DLP) and Security Information and Event Management (SIEM): Warn IT administrators and business managers of sensitive data leakage or inappropriate activity. Because the alerts can be correlated with user identities and roles, the organization can determine whether there is a genuine issue and take corrective action automatically.
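The segregation-of-duties process described under Access Compliance above, as an added example that is not part of the original article and not Courion's policy model: role definitions map to entitlements, the user's effective rights are the union across all assigned roles, and the policy is a list of conflicting pairs. One rule is attribute-level (it only fires when the merged approval limit exceeds a threshold), and `check_role_grant` is the preventive form, reporting which violations a proposed assignment would newly introduce. The role names, entitlement names, the `limit` attribute and the thresholds are all constructed for the illustration.

```python
"""Segregation-of-duties check over the union of a user's role-granted rights,
including an attribute-level rule and a preventive pre-grant check. Role
definitions, rule text and the approval-limit attribute are constructed for
this illustration; they are not a product's policy model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# entitlement name -> attributes (e.g. {"limit": 500_000}); {} is an unqualified right
Entitlements = Dict[str, Dict[str, int]]

ROLES: Dict[str, Entitlements] = {
    "loan_officer":   {"loan.originate": {}, "customer.read": {}},
    "underwriter":    {"loan.approve": {"limit": 500_000}, "customer.read": {}},
    "branch_manager": {"loan.approve": {"limit": 50_000}, "user.create": {}},
    "ap_clerk":       {"payment.create": {}},
    "treasury":       {"payment.release": {}},
}


@dataclass(frozen=True)
class Rule:
    left: str
    right: str
    description: str
    # Attribute-level rule: conflict only when right's attribute exceeds the threshold.
    right_attr: Optional[Tuple[str, int]] = None


RULES = [
    Rule("loan.originate", "loan.approve", "originator may also approve loans"),
    Rule("payment.create", "payment.release", "payment creator may also release payments"),
    Rule("user.create", "loan.approve", "account administrator may approve loans above 100k",
         right_attr=("limit", 100_000)),
]


def effective_entitlements(roles: List[str], role_defs: Dict[str, Entitlements]) -> Entitlements:
    """Union of rights across all roles; for numeric attributes the broadest value wins."""
    merged: Entitlements = {}
    for role in roles:
        for ent, attrs in role_defs[role].items():
            cur = merged.setdefault(ent, {})
            for attr, value in attrs.items():
                cur[attr] = max(cur.get(attr, value), value)
    return merged


def sod_violations(ents: Entitlements, rules: List[Rule]) -> List[str]:
    """Detective check: which rules does this combined set of rights break?"""
    hits = []
    for rule in rules:
        if rule.left not in ents or rule.right not in ents:
            continue
        if rule.right_attr is not None:
            attr, threshold = rule.right_attr
            if ents[rule.right].get(attr, 0) <= threshold:
                continue   # both rights present, but below the level the policy cares about
        hits.append(rule.description)
    return hits


def check_role_grant(current_roles: List[str], new_role: str,
                     role_defs: Dict[str, Entitlements], rules: List[Rule]) -> List[str]:
    """Preventive check: violations a proposed role assignment would newly introduce."""
    before = set(sod_violations(effective_entitlements(current_roles, role_defs), rules))
    after = sod_violations(effective_entitlements([*current_roles, new_role], role_defs), rules)
    return [v for v in after if v not in before]


if __name__ == "__main__":
    for roles in (["loan_officer"], ["loan_officer", "underwriter"],
                  ["branch_manager"], ["branch_manager", "underwriter"]):
        print(roles, "->", sod_violations(effective_entitlements(roles, ROLES), RULES) or "clean")
    print("grant treasury to ap_clerk ->", check_role_grant(["ap_clerk"], "treasury", ROLES, RULES))
```

The attribute-level case is the one a pairwise role check misses: `branch_manager` alone is clean because its approval limit is 50k, but adding `underwriter` raises the merged limit to 500k and the same `user.create` right now violates the rule. That is why the check must run over the superset of rights, not over each role in isolation.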
All of the above technologies, when combined in a mature identity management (IdM) environment, provide a strong platform for risk and business management and for fulfilling regulatory requirements such as those specified in Sarbanes-Oxley.
Conclusion
Ultimately, risk management success can only be achieved when the IT and finance departments work together to identify the greatest areas of risk and the consequences of a data breach, create and implement policies to mitigate breaches, detect activity or access inconsistent with those policies, remediate any misuse or non-compliance, and consistently enforce policy throughout the organization.
About Chris Sullivan: Sullivan is vice president of customer solutions at Courion Corporation, where he heads both the Solutions Engineering and Customer Management areas. He can be contacted by email: csullivan@courion.com.
Icon courtesy of Lothar Grimme.