In today's business environment, the risk of being found noncompliant with one of the many new regulations out there is high. Just as high is the risk of your business experiencing financial or operational offenses, such as fraud, identity theft, loss of trade secrets or privacy problems. You need a way to protect yourself against all of the risks. Internal controls, of course, are a start - they're crucial to accounting for an organization's ongoing operations. But Sarbanes-Oxley (SOX) has taken IT governance and operations accountability to a whole new level.

What's so challenging? One big hurdle is securing users' access to the countless networks, operating systems, applications and databases that populate a distributed enterprise - and then accounting for it. Each of these systems has a unique way of authenticating users and controlling what access rights individuals are entitled to. And to complicate matters further, it's common for one person to use different identities (IDs and passwords) for each system. These various identities are difficult enough for users to manage, and they pose a tough administration problem for IT departments, especially during a security audit or when they need to deprovision a user.

The burden on IT to account for identities and produce evidence regarding their use can be overwhelming. In fact, one of the most scrutinized areas of compliance has to do with these identities and their access rights. Identity management is clearly vital to controlling users' access rights, and it's fast becoming the foundation for IT operations, linking business initiatives and processes. Identity auditing, then, is one of the keys to successful IT compliance.

Organizations are scrambling. They're desperate for powerful, nondisruptive, easy-to-implement solutions for identity auditing - and confused about how to reduce the costs and risks associated with compliance. Some new tools are entering the market. They're designed to explore the IT infrastructure to discover unique user IDs and related access permissions, then provide an intelligent way to associate those IDs with individuals. While these identity-auditing tools aren't yet fully automated, they are a step in the right direction.

Identity Auditing

Identity auditing is the process of documenting, reviewing and approving access controls, such as roles, separation-of-duties rules, and entitlements or privileges. Identity auditing tracks who has access to what, who should have access to what, who reviewed and approved what, and who actually did what.

Identity auditing relies on huge data collections from log files and systems reports. Unfortunately, it's nearly impossible to analyze this data manually. Manual processes are expensive, recurring and error-prone - and are so resource-intensive that they can inhibit business growth and initiatives. The answer, then, is to automate the process of provisioning, identity auditing and deprovisioning, making it continuous rather than periodic and incomplete. Automating the process significantly reduces the manual effort required of an IT department while also protecting critical areas from becoming compromised.

Identity auditing can extend beyond users to protect assets, applications, transactions and data while ensuring compliance. It provides visibility into business transactions and verifiable proof of authorized activity as well as control of unauthorized, illegal activity. Obviously, the result is a reduction in both compliance costs and risks.

Identity-Auditing Solutions

Organizations can more easily pave the road to continuous compliance by becoming identity-focused and selecting a robust software solution to automate a repeatable process of provisioning and auditing. To start, the software must be able to:
