Public CIO - December 2008/January 2009 - (Page 22)

beyond what they actually need to do their job. In companies or agencies where workers have long tenures, entitlement creep is a very real business risk. Prompt removal of excess privileges can significantly lower the risk of access abuse.

4. Do you enforce separation of duty policies?

Separation of duty (SoD) policies are designed to prevent fraud by ensuring that no one has excessive control over critical business transactions. The risk around SoD arises not from failure to document SoD policies; most companies have these types of rules captured in spreadsheets or a control grid. The real challenge arises from the complexity and effort required to enforce the policy across dozens or even hundreds of applications and systems. SoD can apply to more than just financial conflicts of interest. How many programmers who are working on developing critical applications also have backdoor access to those same systems in production? The key is to eliminate these types of potential risk by limiting access and preventing “toxic combinations” that enable fraud.

The answers to these four questions will help CIOs focus their security policies and procedures before they move to the next phase, which is implementing technology systems to support risk-based identity and access management.

The Risk Management Infrastructure

Once the policy landscape is defined, the CIO can create the procedures and technology infrastructure to support identity risk management as a regular business process. This entails:
• centralizing identity data;
• performing regular access reviews;
• automating SoD policy enforcement; and
• identifying high-risk users.

Building an integrated database of identity data across mission-critical applications gives public CIOs enterprisewide visibility into who has access to what. A centralized view enables better management decision-making, fosters transparency and more effectively meets the reporting requirements of auditors and compliance staff. It minimizes redundant efforts and streamlines compliance processes across departments and business units.

Performing regular access reviews provides a critical control to detect and eliminate orphan accounts and entitlement creep. A central access database makes it easier to conduct regular reviews, allowing automated workflow to route user access reports to the appropriate managers for sign-off. The database also expedites automated policy enforcement. An automated solution enables IT and business staff to centrally define SoD policies and monitor hundreds of thousands of users by identifying violations and alerting managers to the need for removal of access privileges. Automation also helps make policy enforcement a regular, predictable part of business rather than a time-consuming and less-reliable manual effort.

Identifying high-risk users can be as simple as using rules to “tag” contractors and privileged users so they are more visible; identifying users with policy violations; or pointing out who hasn’t had their access reviewed recently. The goal is to simplify oversight by focusing management attention on potential risk areas. Combinations of factors, such as a privileged user with policy violations who hasn’t had his access reviewed in the last year, represent a much higher risk to the organization and must be immediately identified. Analytical applications running on top of the central access database can make it fast and easy to spot these patterns.

Risk is implicit in almost every area of business and government. The challenge is to minimize it without breaking the budget. Risk-based management is a realistic approach to the challenge that uses existing IT and business management organizational structures, supplemented by identity management tools, to provide the combination of security and access that public agencies need to meet the challenges of conducting business in today’s rapidly evolving electronic world.
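The four infrastructure steps above (a central access database, access reviews for orphan accounts, automated SoD enforcement, and rule-based tagging of high-risk users) as an added Python example that is not from the article or any product it describes; the record schema, entitlement names, toxic-combination list and review-age threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed schema for the central access database: one record per user,
# with entitlements collected from several applications.
@dataclass
class User:
    uid: str
    kind: str                       # "employee" or "contractor"
    active: bool                    # still on the HR roster?
    entitlements: set = field(default_factory=set)
    last_review: Optional[date] = None
    violations: int = 0             # policy violations already on record

# Constructed SoD "toxic combinations": holding both entitlements is a violation.
TOXIC_PAIRS = [
    ({"erp:create_vendor", "erp:approve_payment"}, "financial SoD"),
    ({"app:developer", "app:prod_admin"}, "developer with production backdoor"),
]
PRIVILEGED = {"app:prod_admin", "erp:approve_payment"}

def sod_violations(user):
    """Names of every toxic combination the user currently holds."""
    return [name for pair, name in TOXIC_PAIRS if pair <= user.entitlements]

def risk_tags(user, today, max_review_age_days=365):
    """Apply the article's tagging rules to one user and return the tag set."""
    tags = set()
    if not user.active and user.entitlements:
        tags.add("orphan")          # account outlived its owner
    if user.kind == "contractor":
        tags.add("contractor")
    if user.entitlements & PRIVILEGED:
        tags.add("privileged")
    if user.violations or sod_violations(user):
        tags.add("policy_violation")
    if user.last_review is None or (today - user.last_review).days > max_review_age_days:
        tags.add("stale_review")
    return tags

def risk_level(tags):
    """Combined factors escalate: an orphan, or privileged + violation + stale review, is high."""
    if "orphan" in tags or {"privileged", "policy_violation", "stale_review"} <= tags:
        return "high"
    return "medium" if tags else "low"

def review_report(users, today):
    """One (level, sorted tags) entry per user so reviewers see the risk areas first."""
    report = {}
    for u in users:
        tags = risk_tags(u, today)
        report[u.uid] = (risk_level(tags), sorted(tags))
    return report
```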