Sarbanes Oxley Compliance Journal

Deploying Identity-Related Compliance: Best Practices


By Glenn Choquette, Director of Product Management, Fischer International

Domestic and international regulations mandate business outcomes that most organizations have pursued all along: improved efficiency, protection of confidential information, integrity of financial information, protection against fraud, etc.

Now that organizations have painstakingly gone through their first round of compliance activities, they are searching for ways to improve the timeliness and cost-effectiveness of their audit and compliance processes. This paper is directed to these organizations, and describes best practices that remove the hindrances to attaining the benefits that identity-related compliance provides.

Identity Management (IdM) enables organizations to automate many of the outcomes required by regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the European Privacy Directives. Without IdM, compliance effort and costs are higher and are likely not sustainable.

Comprehensive compliance requires the capabilities and stability available only with next-generation IdM suites; in particular, it requires IdM suites with audit and compliance facilities that have been organically designed into all aspects of the identity management architecture, rather than being bolted on as an afterthought.

Such solutions provide many other trickle-down benefits, including making workflows self-documenting and easy to understand, reducing the effort required of auditors, and so on. These solutions are the key to long-term sustainability of identity-related compliance at the lowest possible cost.

Compliance Should Not Be an Afterthought or an Add-on
Why do most IdM vendors charge extra for compliance? Because they can and because they have architected their solutions that way. Yet, no Identity Management solution is complete without compliance: it should not be a separate feature, product or functionality and should not be licensed, architected or developed separately. Next-generation Identity Management solutions incorporate compliance throughout the architecture.

Choose a vendor that can provide robust yet simple compliance across all business processes and the systems that comprise them. Vendors that offer separate compliance "modules" or products are not only charging too much money, they are not optimizing organizational compliance capabilities.

Separate products likely require integration, redundant administration, redundant points of data entry, and scripting or coding, i.e., compliance with a catch. A next-generation solution requires no integration, no scripting or programming, and provides a centralized identity-related audit capability throughout your enterprise. Spend less and get more of what you need: always a best practice.

Focus Identity Management Compliance Efforts on Business Events
Implementing IdM changes and auditing through scheduled processes and uncoordinated audit logs typically leaves compliance gaps, creates weak links in your critical processes, and results in poor auditability of your IdM infrastructure.

Focusing on business events and real-time auditing yields far more value, lower TCO and improved end-to-end compliance. This approach also promotes consistent policy application and enforcement throughout business processes by ensuring that IT privileges are consistent with business responsibilities and by providing coordinated, real-time reporting.

Automate Anything That Moves and Simplify the Rest
The largest cost of compliance is labor, whether related to implementation, documentation, audit, or reporting. According to Gartner, organizations typically spend 5%-10% of their IT budgets on compliance activities, and organizations that don't automate are expected to spend 50% more by 2008.

Verifying identity-related controls is highly manual, and can range from comparing actual permissions for each resource with the business policies that dictate what each person should be able to access, to discovering orphan accounts.

These and other audit tasks can and should be automated. For example, identifying "who could access what / when," "who approved access to what / when," exceptions between business rules and user accounts, and over-privileged accounts could easily be automated with an Identity Management solution. Automation will become a driving force in the Identity Management landscape, simply because most organizations can't sustain the level of activity and cost that was required over the last year.

The Best Practice here is largely good judgment and thorough research to choose a next-generation, "architected" suite rather than an "integrated" suite that is not as complete or as efficient.

For example, the solution should enable centralized auditing that actually captures and reports all events. Separation of Duties must be automated to assure that nothing slips through the cracks as the business and workforce change.

Automated alerts, or even automated rollback of excess permissions and elimination of orphan accounts, are required to enable rapid remediation. The solution should also not require any programming or scripting, since business policies and compliance rules are inherently more time-consuming to implement and change through scripting than through graphical interfaces. The ability to reuse components, such as through a Service Oriented Architecture, improves quality while reducing costs and effort.

Begin Your IdM Deployment With A Compliant Identity Store
A best-practice "load mode" process ensures that all data written to the identity store adheres to the compliance and business policies for your organization, before going live. This process pulls data from sources of authority, matches accounts to users, and matches permissions with policies before any data is written to the data store. The process further improves and simplifies ongoing identity management activities by producing a compliant data store on day one to immediately enable automated compliance and exception reporting activities.
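The reconciliation that a "load mode" process performs (and that the automated audit tasks described earlier rely on) can be shown concretely. The following is an added example, not code from the article, from Fischer International or from any IdM product: it takes a constructed HR feed as the source of authority, a constructed role-to-permission policy, and a constructed list of accounts discovered on a target system, then matches accounts to users and permissions to policy before anything is loaded. The data model (employee status and role, a single "erp" system, the permission names) is an assumption for illustration.

```python
"""Load-mode reconciliation: match accounts to users and permissions to
policy before anything is written to the identity store.

Added example, not the article's or any vendor's code. All data below is
constructed; the schema is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Source of authority (constructed HR feed): employee id -> (status, role)
HR_FEED = {
    "e100": ("active", "ap_clerk"),
    "e101": ("active", "ap_manager"),
    "e102": ("terminated", "ap_clerk"),
}

# Business policy (constructed): which permissions each role may hold
ROLE_POLICY = {
    "ap_clerk": {"ap.view", "ap.enter_invoice"},
    "ap_manager": {"ap.view", "ap.enter_invoice", "ap.approve_payment"},
}


@dataclass
class Account:
    """An account discovered on a target system. owner=None means the
    discovery step could not match the account to any employee id."""
    system: str
    name: str
    owner: Optional[str]
    permissions: set = field(default_factory=set)


# Accounts discovered on the target system (constructed sample)
ACCOUNTS = [
    Account("erp", "jsmith", "e100", {"ap.view", "ap.enter_invoice"}),
    Account("erp", "mjones", "e101", {"ap.view", "ap.approve_payment"}),
    Account("erp", "jdoe", "e102", {"ap.view"}),                        # owner terminated
    Account("erp", "svc_legacy", None, {"ap.approve_payment"}),         # no owner at all
    Account("erp", "tlee", "e100", {"ap.view", "ap.approve_payment"}),  # beyond the role
]


@dataclass
class Findings:
    orphans: list            # accounts with no active owner
    over_privileged: dict    # account -> permissions not allowed by the owner's role
    compliant: list          # accounts safe to load as-is


def reconcile(accounts, hr_feed, policy) -> Findings:
    """Match each account to a user, then its permissions to the user's role.
    Only accounts in `compliant` would be written to the identity store."""
    orphans, over, ok = [], {}, []
    for acct in accounts:
        key = f"{acct.system}:{acct.name}"
        rec = hr_feed.get(acct.owner) if acct.owner else None
        if rec is None or rec[0] != "active":
            orphans.append(key)  # no owner, or owner no longer active
            continue
        allowed = policy.get(rec[1], set())
        excess = acct.permissions - allowed
        if excess:
            over[key] = excess
        else:
            ok.append(key)
    return Findings(orphans, over, ok)


def exception_report(findings: Findings) -> list:
    """Render findings as the exception lines an auditor would review."""
    lines = [f"ORPHAN {k}" for k in findings.orphans]
    lines += [f"OVER-PRIVILEGED {k}: {sorted(v)}"
              for k, v in findings.over_privileged.items()]
    return lines


if __name__ == "__main__":
    for line in exception_report(reconcile(ACCOUNTS, HR_FEED, ROLE_POLICY)):
        print(line)
```

The orphan check deliberately treats a terminated owner the same as a missing one, since an account whose owner has left is the common form of orphan; the over-privilege check is a plain set difference against the role, which is what makes it cheap to rerun on every load.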

Deploy "Continuous Compliance"
Every enterprise is dynamic and needs to detect identity-related changes to resources, whether inside or outside the IdM infrastructure, and then document (prove) that those changes were appropriate.

Continuous compliance is the automated process of managing identities and authorizations based on business policies, business rules, business roles, internal controls, etc. It enables organizations to detect compliance anomalies and remediate them on an ongoing basis instead of taking only periodic snapshots.

This degree of automation and "good housekeeping" is viewed favorably by auditors, and can minimize the time they need to test and validate controls.

Your ability to deploy continuous compliance cost-effectively is driven by your IdM solution, as it will need to integrate quickly with virtually any system and enforce internal controls in real time based on business policies and system events. This is contingent on:

• a centralized audit database where all identity events are recorded as they happen, are co-located, and are immediately accessible.

• the ability to quickly pinpoint exceptions and discrepancies based on a complete identity event data set.

• rapid, cohesive reporting of all events, rather than a piecemeal approach where report data from disparate systems needs to be consolidated before it can be understood.
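The three requirements above, a single event store, anomaly detection over the complete event set, and reporting straight from it, can be illustrated with a small event replay. This is an added example, not code from the article or from any IdM vendor: the event record layout, the separation-of-duties rule (a subject may not both enter invoices and approve payments) and the event log itself are constructed assumptions. It flags a separation-of-duties conflict at the moment the conflicting grant is recorded, and answers "who could access what / when" and "who approved access to what / when" from the same log.

```python
"""Continuous compliance over a central identity-event log.

Added example, not the article's or any vendor's code. Event layout, the
SoD rule set and the log lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # event time, seconds since epoch (constructed)
    action: str      # "grant" or "revoke"
    subject: str     # account or person whose access changed
    perm: str        # permission granted or revoked
    approver: str    # who approved the change


# Constructed SoD rule: a subject may not hold both permissions of a pair.
SOD_RULES = [("ap.enter_invoice", "ap.approve_payment")]

# Constructed central event log, written as events happen (ascending ts).
EVENT_LOG = [
    Event(1000, "grant", "jsmith", "ap.enter_invoice", "mgr1"),
    Event(1100, "grant", "jsmith", "ap.view", "mgr1"),
    Event(1200, "grant", "jsmith", "ap.approve_payment", "mgr2"),  # creates SoD conflict
    Event(1300, "revoke", "jsmith", "ap.enter_invoice", "mgr2"),   # conflict remediated
    Event(1400, "grant", "tlee", "ap.approve_payment", "mgr1"),
]


def detect_sod(events, rules):
    """Replay the log in time order and flag every grant that creates an SoD
    conflict at the moment it happens. Returns (ts, subject, pair, approver)."""
    held = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "grant":
            for a, b in rules:
                if ev.perm in (a, b):
                    other = b if ev.perm == a else a
                    if other in held[ev.subject]:
                        findings.append((ev.ts, ev.subject, (a, b), ev.approver))
            held[ev.subject].add(ev.perm)
        elif ev.action == "revoke":
            held[ev.subject].discard(ev.perm)
    return findings


def access_at(events, subject, ts):
    """'Who could access what / when': permissions `subject` held at time ts."""
    held = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > ts or ev.subject != subject:
            continue
        if ev.action == "grant":
            held.add(ev.perm)
        else:
            held.discard(ev.perm)
    return held


def who_approved(events, subject, perm):
    """'Who approved access to what / when': each grant of `perm` to `subject`."""
    return [(ev.ts, ev.approver) for ev in sorted(events, key=lambda e: e.ts)
            if ev.subject == subject and ev.perm == perm and ev.action == "grant"]


if __name__ == "__main__":
    for finding in detect_sod(EVENT_LOG, SOD_RULES):
        print("SoD conflict:", finding)
    print("jsmith at t=1250:", sorted(access_at(EVENT_LOG, "jsmith", 1250)))
    print("jsmith at t=1350:", sorted(access_at(EVENT_LOG, "jsmith", 1350)))
```

Because every grant and revoke lands in one ordered log, the same replay serves detection (the conflict is visible at 1200, not at the next quarterly review), point-in-time access queries, and the approval trail, with no consolidation step across systems.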

Make Your Vendor Prove It!
Especially when it comes to compliance, be certain that the vendor performs to your exact list of expectations before you buy. Be sure you understand what they actually provide, what it will take to implement, how much it will cost, and what happens when you need to make unforeseen changes. Here are some items you'll want to verify with your vendor:

• Are all identity-related events recorded, and can some be purposely ignored if they're not needed?

• Are all identity events written to the same database, or are they pulled from disparate databases and combined after the fact?

• Does it enforce separation of duties and provide exception reports, or do the auditors need to wade through screens of data to verify SOD?

• Can it identify and correct orphan accounts and over-privileged accounts?

• What reports do they produce? What level of effort is required to get what you really need and again, what happens when business requirements change?

• How much extra work will the auditors need to do to verify that the system actually does what it's supposed to? With script-based systems, that will take additional effort.

• Do their graphical workflow tools truly "eliminate" programming, or only for cursory operations? This matters for the total cost and time to implement, and for business and compliance changes down the road.

• Will your people need to learn separate user interfaces for core IdM functions (e.g., provisioning, password management, auditing)?

Compliance doesn't have to be expensive and disruptive. In fact, implementing a continuous compliance process with a next-generation IdM suite can be easily accomplished, provided that compliance has been designed into the suite as an architectural element, not merely as an add-on module.

These IdM solutions are the key to leveraging compliance-related benefits including improved efficiency, secure confidential information, and integrity of financial information.



Glenn Choquette is the Director of Product Management for Fischer International. With compliance incorporated throughout its architecture, Fischer's Identity Suite is the only Identity Management solution built with compliance in mind.




© 2019 Simplex Knowledge Company. All Rights Reserved.