User access-related business risk comprises a broad array of potentially damaging events that may be caused or made possible by inadequate governance of access to an enterprise’s information assets. Such events range from relatively minor policy and compliance violations to disastrous business losses. The stakes involved in access-related risk have risen dramatically in recent years as organizations have become thoroughly operationalized by technology.
WHITE PAPER
Managing Risk for Effective Access Governance
JANUARY 2008

Introduction

The business risks associated with providing users access to information resources include a broad array of potentially damaging events that are caused or made possible by inadequate governance. Such events range from relatively minor policy and compliance violations to disastrous business losses.
The demands of regulatory compliance are among the factors driving corporate IT and security managers to improve their access governance processes, but the issues are broader and deeper than the scope of any regulation.

The stakes involved in access-related risk have risen dramatically in recent years as organizations have become thoroughly operationalized by technology. With nearly every facet of large enterprises' operations now dependent on or supported by automated systems, risks related to unauthorized or inappropriate access can appear anywhere within an organization at any time and spread rapidly through the business. All it takes is a single person with the wrong access. The potential cost to the business in terms of lost revenue and increased expense, or in damage to customer relationships as well as the loss of corporate brand and reputation, is virtually unlimited.
However, the same trends that have extended technology to every corner of the enterprise have also dictated that legitimate users - whether employees, contractors, or partners - be granted access quickly whenever they need it. An organization's IT infrastructure today must be responsive to user demands and somewhat porous in order for business to be transacted. Enforcing security can't be at the expense of the business being able to move forward and take advantage of marketplace opportunity. While access-related risk cannot be entirely eliminated, it must be monitored, managed, and mitigated through a sound approach to governance.
Corporate boards of directors and senior management teams are focusing on access-related risk as never before, but primary responsibility for managing it usually still resides with the IT security organization. As a result, many IT security managers are caught between the competing pressures to provide ready access to legitimate users while not allowing access-related vulnerabilities to turn into operating performance problems, information theft, compliance violations, or shareholder valuation concerns.
In fact, the 2007 Deloitte Global Security Survey of financial services executives revealed what Deloitte termed the "Security Paradox" - a situation in which business executives are becoming more aware of IT security issues, but where support for a solution still lies with the IT department. This is highlighted by the fact that only 10% of survey respondents had Information Security led by a business line leader.
Other findings of this year's survey include:

- 91 percent of participants are concerned about employee security weaknesses.
- 79 percent of participants cite the human factor as the root cause of information security failures.
When does access-related risk become unacceptable?

The foundation of any access risk management initiative should be adherence to the principle of least privileged access: legitimate users should have no more access than the minimum required to do their jobs.

Least privileged access transcends the concepts of identity and entitlement management. The concept of least privileged access encompasses variables such as business roles and levels of entitlement within particular IT resources. Only by understanding this full context can a user be matched with entitlements in such a way as to ensure that access is limited to the minimum required to execute a job function and that all noncompliant access is eliminated.

Unacceptable access risks begin to appear when this principle is violated, and they often result from one of four causes.

Entitlement inertia is the failure to remove previously issued entitlements once they are no longer necessary or appropriate. It is not unusual, for example, for employees to accumulate unnecessary f...