Navigating Compliance Controls in the IAM Space
November 20, 2013
We previously covered developing the business case for IAM and briefly touched on the role of ROI analysis for investment justification. While calculating numbers and measuring required return is important, there is something that can do more harm to the business than negative ROI: reputational damage and fines incurred by non-compliance.
While number of compliance regulations and their granularity vary depending on vertical and business profile, there are some buzzword regulations that affect almost everyone: HIPAA/HITECH and PCI DSS, which require privacy of personal information in the healthcare and payment card industry. Regulations such as SOX (Sarbanes-Oxley Act), GLBA (Gramm-Leach-Bliley Act) and SSAE no.16 (previously known as SAS 70) are also widespread and no less important. There are, however, implementation differences between controls prescribed by the former and the latter.
Both HIPAA/HITECH and PCI DSS provide formal requirements for various security areas that need to be implemented and controlled for an organization to remain compliant. HIPAA, for example, contains various Rules - Privacy, Security, Enforcement, etc. - and consists of Safeguards - Administrative, Technical, and Physical. The Security Rule comprises a total of 42 controls, some of which are directly IAM-related. DCI PSS (version 3.0 was introduced November 2013) contains 12 granular requirements that can be split into six functional areas.
On the other hand, the latter group of regulations – SOX, GLBA and SSAE no.16 – does not contain any granular requirements or controls and simply prescribes implementation of “adequate internal controls” as those relate to information privacy and access rights.
We recommend taking steps to strengthen IAM-related controls in the following compliance areas:
Access Provisioning and Deprovisioning
- Streamline and automate manual and simulated access provisioning and deprovisioning processes that are prone to human error. Leverage unique user ID and attributes to enhance risk controls and allow for audit trails.
- Configure automatic, event-based notifications to respective business process owners and stakeholders for follow-up and control purposes.
Access Certification Campaigns and Access Requests
- Implement automated and periodic certification campaigns to enable application owners and supervisors to review and authorize access of users who work with financial data and are involved in financial statements and reports creation process.
- Establish access request functionality that provides audit trails for requests and approvals (specifically for privileged access), user status and a point of audit for currently approved end-user access.
- Even though compliance regulations do not usually provide strict requirement for role-based access control (RBAC) adoption, RBAC, if implemented, leads to granular access management policies and better access management flexibility. A Compliance & Identity Management Readiness (CIMR) Assessment (data aggregation, correlation, and analysis) can provide a view of enterprise-wide access privileges and assist in modeling groups and role mining (bottom-up and top-down role analysis) for more granular internal controls over user access.
Segregation of Duties (SOD)
- SOD policies play a key role in violation prevention and detection process. SOD policies implementation is important to assure that user functions, while working with financial data, are segregated and accounting fraud is prevented.
Audit and Reporting
- An Identity and Access Governance (IAG) solution can create detailed periodic access reports, reports related to high risk systems containing financial and accounting information, as well as create reports on security violations. This will help in sustaining risk standards and internal audit controls mechanisms.
- Evaluate existing password policies and authentication mechanisms and assist in selecting and implementing alternative or advanced authentication solutions and password management functionality (reduced sign-on, simplified sign-on, single sign-on) based on your security policies, environment and existing challenges.
What we are witnessing today is that the cost of compliance is constantly growing, especially if organizations try to implement separate controls for each regulation. The number of regulations is unlikely to decrease; in fact, they will grow, especially for global and diversified companies. IAM-related controls, however, if implemented with due diligence and strategically approached, can address numerous regulations, thus reducing risks and enhancing business performance.