Automating IT Compliance Audits

By Dean Wiech, Managing Director, Tools4ever

Sarbanes-Oxley, HIPAA and the Gramm-Leach-Bliley Act have been in force for many years, yet companies still struggle with compliance with one or more aspects of these statutes, and the IT infrastructure and access-rights portion can be especially time-consuming. Having the proper controls in place at the front end of the process, however, can make audit reporting relatively painless.

The typical questions in an IT audit include:

  • Who has access to what?
  • Is their access level justified for their position?
  • How did they get the access?
  • Is the risk of access acceptable?
  • Should the access continue as is or be modified?
  • Are controls in place to ensure access is granted appropriately?

Identity management (IM) and access governance (AG) systems were once the preserve of large multinational organizations because of their expense and lengthy implementation. It was normal to spend upwards of $100 per employee and to expect a deployment cycle of a year or more. In the last few years the products have moved down-market as costs have dropped dramatically and implementation time has shortened to months rather than years.

IM and AG systems are designed to automate the user account lifecycle while ensuring that the access granted to each user is appropriate for their position, title, department and location within the organization. When a user starts at a company, they are given exactly the applications and data access they need to perform their job: no more and no less. If their role changes over time, their access rights are modified accordingly; some rights may be removed while others are granted. When they leave the organization, all of their rights are terminated and access is revoked across every system.

In an ideal world this would be sufficient: the IM system reads the data in the HRM system, compares it against the model in the AG system, and assigns and revokes rights accordingly. In the real world there are always exceptions to even the most comprehensive set of rules. For example, a person in one department is loaned to another for a short-term project and needs access to a different set of applications and data. Rules alone cannot cover these cases, and another mechanism is required.

A workflow-based self-service portal handles these out-of-norm situations. A user logs into the portal and requests access to systems, security groups or data shares they do not currently hold. The request is routed automatically to the appropriate managers and system or data owners, who approve or deny it. If approved, the change can be applied on a permanent basis or for a specific period. Notifications can also be sent to the user and managers before the access expires, so they can decide whether a renewal is warranted.

At this point access to applications and data shares is determined by a set of programmatic rules, and any deviation from those rules is approved in advance of being granted. To take this one step further, many organizations run regular attestation and reconciliation reviews. In this process, managers and system owners review access rights by individual, application and share and "attest" that the access is accurate and that the risk associated with it is acceptable. Any deviations found are reconciled and the access is revoked immediately.
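The three mechanisms above (rule-based provisioning from HR data, time-bound workflow exceptions, and attestation with reconciliation) reduce to one comparison: desired access computed from the model against what the target systems actually hold. The Python below is an added illustration of that comparison, not code from the article or from any Tools4ever product. The HR records, role model, approved exceptions, current entitlements and the review date are all constructed sample data; the entitlement names, department and title values, and approver identifiers are hypothetical.

```python
"""Rule-based access reconciliation with time-bound exceptions and an
attestation report.  Added illustration, not a vendor product's code.

Inputs (all constructed sample data, not from the article):
  HR          - the HRM system of record: who is employed and in what role
  ROLE_MODEL  - the access-governance model: what each role should hold
  EXCEPTIONS  - approvals that came through the self-service workflow
  ACTUAL      - what the target systems currently grant
"""
from datetime import date, timedelta

HR = {
    "e001": {"dept": "Finance",     "title": "Analyst",  "status": "active"},
    "e002": {"dept": "Engineering", "title": "Engineer", "status": "active"},
    "e003": {"dept": "Finance",     "title": "Analyst",  "status": "terminated"},
}
BASELINE = {"email", "intranet"}                     # every active employee
ROLE_MODEL = {
    ("Finance", "Analyst"):      {"erp-reporting", "finance-share"},
    ("Engineering", "Engineer"): {"source-control", "ci-server"},
}
EXCEPTIONS = [   # approved out-of-model grants; every one carries an expiry
    {"id": "e001", "entitlement": "ci-server",
     "approved_by": "eng-manager", "expires": date(2024, 6, 30)},   # project loan
    {"id": "e002", "entitlement": "finance-share",
     "approved_by": "fin-owner",   "expires": date(2024, 3, 31)},   # lapsed
]
ACTUAL = {
    "e001": {"email", "intranet", "erp-reporting", "finance-share", "ci-server"},
    "e002": {"email", "intranet", "source-control", "finance-share", "admin-console"},
    "e003": {"email", "erp-reporting"},              # leaver, never fully deprovisioned
}
REVIEW_DATE = date(2024, 6, 20)


def role_entitlements(rec, role_model=ROLE_MODEL):
    return set(role_model.get((rec["dept"], rec["title"]), set()))


def desired_access(emp_id, as_of, hr=HR, role_model=ROLE_MODEL, exceptions=EXCEPTIONS):
    """Model-derived access: baseline + role + still-valid exceptions.
    Unknown or non-active people get nothing, which drives full revocation."""
    rec = hr.get(emp_id)
    if rec is None or rec["status"] != "active":
        return set()
    want = set(BASELINE) | role_entitlements(rec, role_model)
    for x in exceptions:
        if x["id"] == emp_id and x["expires"] >= as_of:
            want.add(x["entitlement"])
    return want


def reconcile(as_of, hr=HR, actual=ACTUAL, role_model=ROLE_MODEL, exceptions=EXCEPTIONS):
    """Diff actual against desired.  Returns (grants, revokes): {emp_id: sorted list}."""
    grants, revokes = {}, {}
    for emp_id in sorted(set(hr) | set(actual)):   # accounts with no HR record count too
        want = desired_access(emp_id, as_of, hr, role_model, exceptions)
        have = actual.get(emp_id, set())
        if want - have:
            grants[emp_id] = sorted(want - have)
        if have - want:
            revokes[emp_id] = sorted(have - want)
    return grants, revokes


def justification(emp_id, ent, as_of, hr=HR, role_model=ROLE_MODEL, exceptions=EXCEPTIONS):
    """Why does this account hold this entitlement?  Feeds the attestation review."""
    rec = hr.get(emp_id)
    if rec is None or rec["status"] != "active":
        return "leaver"
    if ent in BASELINE:
        return "baseline"
    if ent in role_entitlements(rec, role_model):
        return "role"
    for x in exceptions:
        if x["id"] == emp_id and x["entitlement"] == ent:
            state = "active" if x["expires"] >= as_of else "expired"
            return f"exception:{state}:{x['approved_by']}"
    return "unjustified"   # nobody approved this; escalate, do not just revoke quietly


def attestation_report(as_of, hr=HR, actual=ACTUAL, role_model=ROLE_MODEL, exceptions=EXCEPTIONS):
    """{emp_id: {entitlement: justification}} for managers and owners to sign off."""
    return {emp_id: {ent: justification(emp_id, ent, as_of, hr, role_model, exceptions)
                     for ent in sorted(ents)}
            for emp_id, ents in actual.items()}


def expiring_exceptions(as_of, window_days=14, exceptions=EXCEPTIONS):
    """Exceptions to send renewal notices for: still valid but lapsing within the window."""
    horizon = as_of + timedelta(days=window_days)
    return [x for x in exceptions if as_of <= x["expires"] <= horizon]


if __name__ == "__main__":
    grants, revokes = reconcile(REVIEW_DATE)
    print("grant: ", grants)
    print("revoke:", revokes)
    for emp_id, ents in attestation_report(REVIEW_DATE).items():
        print(emp_id, ents)
    print("renewal notices:",
          [(x["id"], x["entitlement"]) for x in expiring_exceptions(REVIEW_DATE)])
```

Two design points matter for an audit. First, the reconciliation loop iterates over the union of HR records and live accounts, so an account that no longer has an HR record (or whose record says terminated) is still visited and fully revoked. Second, the attestation report distinguishes an expired exception, which has a known approver and is simply overdue for cleanup, from an entitlement nobody ever approved, which is the case an auditor will ask about and which should be escalated rather than silently removed.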

Configuring a system to accomplish all of the above does take time and effort. The most common installations first assess where the company stands in its access-governance maturity and start from whatever is currently in place, such as spreadsheets. From there the processes are refined until every task that can be automated has been automated and all one-off requests are handled through the workflow-based portal.

The end result is a security officer’s dream.

About the Author

Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions. He is responsible for Tools4ever's US operations and has written dozens of articles about identity and access management, security, IT audits, strategy, cloud, BYOD and managing IT solutions from small businesses to enterprise systems.
