© Morey J. Haber, Darran Rolls 2020
Morey J. Haber and Darran Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_8

8. Meeting Regulatory Compliance Mandates

Morey J. Haber (1) and Darran Rolls (2)
(1) Orlando, FL, USA
(2) Austin, TX, USA
Organizations must approach regulatory compliance requirements with sustainability in mind if they are to manage their risk effectively. This is a security-driven compliance approach, and if we are compliant, we are secure. Security must be sustained in order to remain secure. If you do nothing more than what is necessary to pass a SOX or FISMA audit, you are unlikely to address your logical access risks or your actual security requirements. Effectively managing user access risk requires meaningful diligence above and beyond “checkbox” compliance. The goal should be a sustainable level of transparency and risk management that helps protect against the very real security threats that exist inside the organization.
Shown in Table 8-1 are common compliance requirements for organizations based in the United States. The intent of these mandates is to prevent breaches, fraud, and negligent behavior that violates an organization’s security.
Table 8-1. Common compliance requirements for organizations based in the United States

Sarbanes-Oxley Act (SOX)
  Organizations affected: All public companies traded on US exchanges (including international companies)
  Focus: Information integrity
  Information security requirements: Ensure the accuracy of financial information and the reliability of systems that generate it. Section 404 requires management to assess internal controls and obtain attestation from external auditors annually.

Security Management Act (FISMA)
  Organizations affected: Federal agencies and affiliates
  Focus: Information integrity
  Information security requirements: Develop, document, and implement programs to secure data and information systems supporting agency operations and assets.

General Data Protection Regulation (GDPR)
  Organizations affected: All organizations that conduct business in the European Union
  Focus: Privacy
  Information security requirements: Protect consumer data from theft and fraud. Notify all involved parties within 72 hours when a breach occurs, and “forget” customer data when requested.

Payment Card Industry (PCI) Data Security Standard
  Organizations affected: All members, service providers, and merchants that store, process, or transmit cardholder data
  Focus: Fraud prevention, privacy
  Information security requirements: Meet 14 information security requirements in areas such as data protection, access control, monitoring, and intrusion protection.

Health Insurance Portability and Accountability Act (HIPAA)
  Organizations affected: US healthcare providers, payers, clearing houses, and their business associates
  Focus: Privacy
  Information security requirements: Protect the security and privacy of personally identifiable health information from unauthorized access, alteration, deletion, or transmission.

Gramm-Leach-Bliley Act (GLBA)
  Organizations affected: US-based financial institutions
  Focus: Privacy
  Information security requirements: Establish administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of consumer financial information.

North American Electric Reliability Council (NERC)
  Organizations affected: All entities responsible for planning, operating, and using the bulk electric system in North America
  Focus: Critical infrastructure protection
  Information security requirements: Protect IT assets essential to the reliability of the bulk electric system, including monitoring, access control, and change/configuration management.

CA Senate Bill (SB) 1386 and 46 other state regulations
  Organizations affected: Organizations that store personal data
  Focus: Privacy
  Information security requirements: Alert individuals when personal data is lost or stolen.
Taking the right approach to compliance can enable an organization to manage user access as a sustainable ongoing process, rather than a one-time audit event that does little to support a sustainable, secure computing environment.

Sustainable Compliance

To proactively address compliance requirements, many organizations look to Identity Governance to define and manage the overall process. Identity Governance is a cross-organizational enterprise discipline that provides the intelligence and business insights needed to strengthen controls and protect information assets. With Identity Governance, organizations gain a 360-degree control plane that answers the question “who has access to what.” This control plane provides the process and tracking transparency needed to reduce potential security and compliance exposures.
Identity Governance also helps organizations improve efficiency by replacing paper-based manual processes with automated tools. Not only does this significantly reduce the cost of compliance, it also helps establish a repeatable process that is more consistent, auditable, and reliable over time. Taking an automated approach builds predictability, repeatability, and sustainability into the compliance workflows while improving the end-user experience and overall satisfaction.

Building a Repeatable Process

The following steps describe a base methodology and timeline for implementing Identity Governance. The key to success is defining measurable steps to build that repeatable and sustainable compliance process across all identity tasks and activities. Table 8-2 shows the commonly employed best practice approach to achieving this goal.
Table 8-2. Best practice steps toward sustainable compliance and Identity Governance

1. Assess Your Current State
   - Aggregate and correlate identity data
   - Conduct baseline access certification
2. Build Governance Model
   - Define policy model
   - Define role model
   - Define risk model
3. Automate Detective Controls
   - Access certifications
   - Policy detection and remediation
4. Automate Preventative Controls
   - Access request management
   - Password management
   - Automated provisioning
5. Perform Closed-Loop Audit on All Changes
   - Aggregate data
   - Identity exceptions
   - Provide proof of compliance
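As an added example (not from the book or any product it describes), the following Python sketch shows what steps 1 and 3 of Table 8-2 look like in code: constructed HR and application records are aggregated and correlated to identities, orphaned accounts and separation-of-duties violations are detected, and the findings are turned into a baseline certification worklist. All names, entitlements, and the SoD policy are hypothetical.

```python
from collections import defaultdict

# Constructed data: an HR feed as the authoritative identity source and
# account extracts from two applications. All records are hypothetical.
HR_FEED = [
    {"emp_id": "E100", "name": "Ada", "manager": "E900", "status": "active"},
    {"emp_id": "E101", "name": "Bob", "manager": "E900", "status": "terminated"},
    {"emp_id": "E102", "name": "Cy", "manager": "E901", "status": "active"},
]
ACCOUNTS = [
    {"app": "ERP", "user": "ada", "emp_id": "E100", "ents": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}},
    {"app": "ERP", "user": "bob", "emp_id": "E101", "ents": {"AP_VIEW"}},
    {"app": "CRM", "user": "cy", "emp_id": "E102", "ents": {"CRM_READ"}},
    {"app": "CRM", "user": "svc_legacy", "emp_id": None, "ents": {"CRM_ADMIN"}},
]
# Separation-of-duties policy (hypothetical): one identity may not hold both.
SOD_POLICY = [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT")]

def correlate(hr_feed, accounts):
    """Step 1: aggregate every account under the identity it belongs to."""
    identities = {h["emp_id"]: dict(h, accounts=[]) for h in hr_feed}
    orphans = []  # accounts with no active owner in the authoritative source
    for acct in accounts:
        owner = identities.get(acct["emp_id"])
        if owner is None or owner["status"] != "active":
            orphans.append(acct)
        else:
            owner["accounts"].append(acct)
    return identities, orphans

def sod_violations(identities, policy):
    """Step 3 detective control: evaluate policy per identity, across all apps."""
    hits = []
    for emp_id, ident in identities.items():
        held = set().union(*(a["ents"] for a in ident["accounts"]))
        hits += [(emp_id, a, b) for a, b in policy if a in held and b in held]
    return hits

def certification_worklist(identities, orphans):
    """Baseline access certification: what each reviewer must attest to."""
    work = defaultdict(list)
    for ident in identities.values():
        for acct in ident["accounts"]:
            work[ident["manager"]].append((ident["emp_id"], acct["app"], sorted(acct["ents"])))
    for acct in orphans:  # no line manager: route to the application owner
        work["app-owner:" + acct["app"]].append((acct["user"], acct["app"], sorted(acct["ents"])))
    return dict(work)
```

The terminated employee's ERP account and the unowned service account surface as orphans, and the SoD check fires only because both entitlements are evaluated on the identity rather than on each account in isolation.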