Top Five Things Auditors Want to Nail You On (And How Identity Management Can Stop Them)
The way sensitive information is managed, stored, accessed, and audited is now governed by sweeping regulatory compliance laws, such as HIPAA, Section 404 of the Sarbanes-Oxley Act, 21 CFR Part 11, Basel II, the European Union Data Protection Directive, FERPA, the USA Patriot Act, the Gramm-Leach-Bliley Act, and HSPD-12. When auditors come calling, your identity management solution can be ready, with controls in place and reports to prove how they are enforced. Here are some of the most common control deficiencies that auditors look for, and how identity management (IdM) solves each problem.
PROBLEMS
- Delay in terminating access. Auditors check how long it takes between when an employee leaves a company and when all his or her access privileges are turned off. If it takes several weeks or more, you need to address the issue.
- Built up privileges over time. Auditors know that people often change jobs within the company. They also know that it is less common to reduce access than to grant it. Auditors check whether employees have more access than they need to do their current job.
- Access transactions in conflict. Auditors are looking for employees who have access to systems that are in conflict with business rules. A classic example of this is when a user can specify vendors for payment in one system, and can issue payment to that same vendor in another. Such a situation is ripe for fraud.
- Uncontrolled access authorizations. Auditors look for a controlled business process for granting and denying access privileges. If your system for provisioning access privileges is a series of random e-mails between business managers and the IT department, auditors see a red flag.
- Lax password policy enforcement. Auditors want to see that all key systems are guarded by a manageable, enforceable password policy.
SOLUTIONS
- Enforce segregation of duties. Identity management standardizes user access by role, organization, and geographic location. It also enables you to specify custom security policies. If your security policy states that users with access to Accounts Payable cannot also have access to Purchasing, you won't be exposed to the potential fraud risk described above.
- Restrict access. Identity management centralizes your security policies, including user permissions, privileges, and profile data, and applies these policies across your entire infrastructure, restricting access to sensitive data, applications, operating systems, and key infrastructure.
- Automate access management. Identity management provides an environment where privileges are created, approved, and issued via an automated workflow process. This ensures that all appropriate parties approve access before it is granted. When a person changes roles or leaves the company, the workflow process immediately removes the old set of access privileges.
- Provide automated reports. Identity management can produce regularly scheduled attestation reports for management review and detailed reports of access, based on automatically captured and aggregated audit data.
- Demonstrate controls are in place and working. Identity management provides the detailed audit data and reports you need to prove that you have the necessary controls in place and that they are working.
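As an added illustration (not Oracle's product code and not part of the original page), the checks behind the first three audit findings, segregation-of-duties conflicts, privileges built up beyond the current role, and access that outlives a termination, run in Python over constructed user records; the entitlement names, role table, dates, and one-day de-provisioning threshold are assumptions:

```python
"""Three audit checks over constructed identity data (no real system behind it):
segregation of duties, privilege creep after a role change, and stale access."""
from datetime import date

# Conflicting entitlement pairs: the page's example of specifying vendors for
# payment (Purchasing) and issuing payment to them (Accounts Payable).
SOD_CONFLICTS = {frozenset({"accounts_payable", "purchasing"})}

# What each role is supposed to grant (assumed role model).
ROLE_ENTITLEMENTS = {
    "buyer": {"purchasing"},
    "ap_clerk": {"accounts_payable"},
    "hr_analyst": {"hr_records"},
}

# Constructed user records: current role, entitlements actually held, and the
# termination date (None while employed).
USERS = {
    "alice": {"role": "ap_clerk", "entitlements": {"accounts_payable", "purchasing"}, "terminated": None},
    "bob": {"role": "hr_analyst", "entitlements": {"hr_records", "purchasing"}, "terminated": None},
    "carol": {"role": "buyer", "entitlements": {"purchasing"}, "terminated": date(2024, 1, 5)},
    "dave": {"role": "buyer", "entitlements": set(), "terminated": date(2024, 1, 5)},
}

AS_OF = date(2024, 2, 1)  # assumed audit date


def sod_violations(users):
    """Users holding both sides of any conflicting entitlement pair."""
    return sorted(u for u, rec in users.items()
                  if any(pair <= rec["entitlements"] for pair in SOD_CONFLICTS))


def privilege_creep(users, roles):
    """Entitlements a user holds beyond what the current role grants."""
    return {u: sorted(rec["entitlements"] - roles[rec["role"]])
            for u, rec in users.items()
            if rec["entitlements"] - roles[rec["role"]]}


def stale_access(users, today, max_days=1):
    """Terminated users who still hold any entitlement after max_days."""
    return sorted(u for u, rec in users.items()
                  if rec["terminated"] and rec["entitlements"]
                  and (today - rec["terminated"]).days > max_days)


if __name__ == "__main__":
    print("SoD violations:", sod_violations(USERS))
    print("Privilege creep:", privilege_creep(USERS, ROLE_ENTITLEMENTS))
    print("Stale access:", stale_access(USERS, AS_OF))
```

Each finding here maps directly to an attestation report line a manager would be asked to review and sign off.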
Identity management prevents violations and proves to auditors that it's working. This is why identity management software has become a key infrastructure system for a growing number of organizations to help meet their compliance needs.
Learn More
See how Oracle's best-in-class identity management solutions can improve your compliance with a multitude of government and industry regulations.