Browse archive

Latest news

Experts highlight top data breach vulnerabilities

Review: Logging and Log Management

Commission wants to minimize U.S. IP theft economic impact

NYPD detective accused of hiring email hackers

Why BYOx is the next big concern of CISOs

Free tool repairs critical Windows configuration vulnerabilities

Guantanamo cuts off Wi-Fi access due to OpGTMO

IT pros focus on cloud security, not hype

Blue Coat to acquire Solera Networks

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

Find TrueCrypt and BitLocker encrypted containers and images

The CSO perspective on healthcare security and compliance

Hacking charge stations for electric cars

From identity and access solutions to access governance

by Mike Small - Analyst at KuppingerCole - Monday, 20 August 2012.

Who is responsible?

The responsibilities for identity and access lay with the lines of business, the owners of data and applications, and IT management. The actual division of responsibilities will vary among organizations, and the following provides an illustration.

The owners of data and applications services are responsible for classifying the sensitivity of data.
The lines of business managers are responsible for defining what access individuals within their organization should have to the applications and data.
The HR department, in conjunction with line management, is responsible for performing background checks on new employees, initiating the on-boarding processes that give the access to IT systems, and initiating the off-boarding processes that remove access rights for employees leaving the organization.
IT management is responsible for ensuring that the identity and access infrastructure is installed, configured and functioning correctly.
The legal department is responsible for setting up legal agreements to identity federation with partner and supplier organizations as required by corporate management or line of business owners.
Lines of business owners are also responsible for the control of access to systems by external users such as customers and partners.

Monitoring and control

In order to govern identity and access, there needs to be a set of measures against which performance can be judged. It is important that the performance at the IT process level can be related back to the strategic business requirements. For example, if a strategic goal of an organization is to comply with EU privacy legislation, then it needs to process the personally identifiable data that it holds within legally defined parameters. The identity and access processes necessary to meet these requirements include:

The organization needs to know what relevant data it holds and to classify this data accordingly.
Identity management processes need to correctly manage the user’s lifecycle in a timely manner.
The access management process needs to control which users have access to information. It also needs to ensure that users with privileged access do not make unauthorized access to data.
Processes must be in place to monitor and review which users have access rights to the personal data and which users have actually made access.

Conclusion

Managing who can access what is fundamental to information security and to compliance with laws and regulations. Experience has shown that a technology-led approach to this is not effective; what is needed is good governance rather than more technology. One way to attain this is by adopting a holistic governance and management framework such as COBIT 5.