Basel II, the Sarbanes-Oxley Act and the Companies Bill all highlight the fact that board directors and executive management have a duty to protect the information resources of their organisations. As such, network security – preventing unauthorised access to information and data – is of the utmost importance, and the most effective way of achieving this is to deploy a provisioning solution that allows the enterprise to determine who has access to which applications and when.
However, implementing an identity and access management programme that ensures the correct level of security and internal controls over key information and data can be a difficult task for many large organisations.
Often, systems and access policies in use today were developed many years ago when security was not necessarily the highest priority. Not only are these legacy systems now unsuitable for use, but, since being implemented, many of the policies associated with them have not been reviewed, and access is granted either manually or by way of ‘home grown’ development.
Furthermore, many of the systems were not developed to cater for temporary changes, such as the provisioning and de-provisioning of contract workers, or to account for a member of staff on leave. Adding to the problem is the fact that companies often have myriad systems and access policies, which have been merged with another organisation’s policies, systems and architectures.
These issues are now major problems that need to be addressed urgently. As well as creating the need to comply with corporate governance regulations, the situation has given rise to an increased security threat, a fact highlighted by the Financial Services Authority’s Financial Crime Sector Report: ‘Countering Financial Crime Risks in Information Security’.
Secure Enterprise Provisioning
The latest enterprise provisioning technology allows organisations to alleviate these problems through centralised management of IT systems and applications, and the users who access them. Enterprise provisioning solutions, which automate the granting, managing and revoking of user-access rights and privileges, solve the problems created by complex user bases and IT infrastructures by enforcing policies that govern what users are allowed to access and then creating access for those users on the appropriate systems and applications.
The solution can execute provisioning transactions dynamically, based on the nature of the request, and then initiate the approval workflows defined by the relevant policy. It will also provide robust reporting that enables the IT department to better manage user access rights from a global view. For example, systems administrators can view who has access to particular systems or the status of any individual access request (add, move, change, delete) in real time.
The best of the new breed of provisioning systems enforce organisational policies designed to ensure that financial enterprises comply with regulatory requirements by governing who can access particular systems and the information they contain. Reporting and auditing capabilities enable the organisation to demonstrate compliance by listing who has access to protected systems and reporting on how the access was granted and that appropriate approvals were obtained, thus demonstrating that proper policies designed to comply with regulations are being followed. The software can also demonstrate that users who have left the organisation have had access revoked from all the systems to which they were previously authorised.
These capabilities not only make regulatory compliance straightforward and easy to manage, but ensure increased productivity. Users can be connected to the resources they need to be productive in a fraction of the time, cost and effort previously required. Enterprises can compress the user set-up process from weeks to minutes and application integration from months to just days.
In addition, the IT department’s own productivity will increase dramatically as resources are freed up from the time-consuming tasks of managing user access and building integrations to managed systems and applications.