In recent years a series of laws, regulations and standards have been introduced in Europe and North America, which directly or indirectly make new demands on companies’ IT security and IT risk management. Whereas in the past IT managers and security personnel largely autonomously determined a company’s IT security policy, IT administrators are now faced with the necessity of analyzing the relevant industry-specific regulations and implementing these in a range of concrete measures.
Having the appropriate tools as well as process models and checklists available to facilitate the control and implementation of regulations can be decisive in managing this task. Identity Management (IdM) systems play an important role in this process because they provide "the right data to the right users" and administer user-specific security settings across all platforms.
Regulations are drawn up for three main reasons
There are three reasons for the promulgation of these regulations. Laws such as America's Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLB) serve to ensure the reliability and confidentiality of financial business data as well as investor protection. SOX was, after all, drawn up in the aftermath of the huge financial scandals of Enron and Worldcom.
The second reason for these regulations and standards is to minimize risks for companies. Into this category comes the Basel II Capital Accord, developed under the aegis of the European banking supervisory organization, which requires financial institutions to assess credit risks and operational business risks. The Accord stipulates the holding of reserves, the size of which is commensurate with the risks assessed. The costs of these reserves form part of the business case in considering whether and which IT tools should be used for risk-minimizing measures.
Other frameworks and catalogs of measures, such as those of the British standard BS7799 derived from the ISO17799 standard, or those of the IT baseline protection audit developed in Germany by the BSI (The German government's department of IT security), are also aimed at enterprise-wide security levels and risk reduction.
The third reason for these legal rules is the protection of personal data, as generally formulated in Europe in the European Data Protection Directive of 1995. In the USA, the Health Insurance Portability and Accountability Act (HIPAA) regulates the confidential handling of patient data and patients' rights to view and correct personal information.
Multinational companies are affected not only by the laws of their country of origin, but also by the national regulations of all the countries in which they operate. Any infringement can result in criminal proceedings.
The implementation process has already started
Most companies have recognized the urgency of the task facing them and are making great efforts to implement the requirements. According to a survey carried out by the magazine Risk together with the consulting company Ernst & Young, companies stated their planned expenditure on controlling operational risks in 2004 at an average of USD 19.8 million, an increase of more than 25% on 2003. Consultants PwC also forecast an increase in expenditure on legal compliance issues of an average of 23% over the previous year in the financial services area for 2005.
Finding the way to the right IT security measures
While standards such as ISO 17799 are relatively detailed in dealing with IT, the laws mentioned usually include only general formulations, which need further interpretation. ISO 17799 explicitly deals, for example, with access controls for computer networks, and the BSI's IT baseline protection manual also contains detailed descriptions of potential dangers and catalogs of measures for all standard IT technologies, from stand-alone PCs through heterogeneous networks right up to IBM mainframes. The European Data Protection Directive makes explicit demands on data storage and processing security, requiring that "appropriate technical and organizational measures be taken to protect personal data from accidental or illegal destruction, modification, unauthorized publication or access." National implementation and detailed execution of these measures have so far been partially pursued, in Germany with the Bundesdatenschutzgesetz (Federal German Data Protection Act) of 2001, and in the UK with the Data Protection Act, for example.
In contrast to this law, section 91 of the German Aktiengesetz (Corporate shareholders Act) contains only a general requirement that: "The board must take the appropriate measures, in particular to institute a monitoring system enabling any developments posing a danger to the continuity of the company to be recognized quickly." Section 404 of SOX likewise establishes a general "responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting". The original text of the Basel II Capital Accord defines an operational risk as "the risk of loss from insufficient or omitted internal processes, human actions and system or external events," but does not otherwise expressly mention IT risks; rather, it sets a framework for general risk evaluation.
These generalized formulations need careful interpretation if companies and managers are not to be rendered liable in cases where doubt may exist. Many organizations have therefore set about interpreting these laws and have developed methods and catalogs of measures for complying with them. Mandatory requirements for SOX were drawn up in detail by the Public Company Accounting Oversight Board (PCAOB) and described in detail in the so-called COSO framework. Section 75 of the PCAOB Auditing Standard No. 2 emphasizes the role of information security: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting." The IT Governance Institute has developed the Control Objectives for Information and related Technology (COBIT), which specify measures for authentication, access controls and user management specifically for the IT area.
Implementation of section 91 of the AktG (Corporate shareholders Act) in financial institutions is governed by the Bundesanstalt für Finanzdienstleistungsaufsicht (the German government's financial regulatory agency) in its circular 1/2000 on Internal Revision. Financial institutions are not only responsible for these controls; they must also ensure the "prompt removal of any defects identified during a check." There is already a series of approaches towards a concrete definition of risk management under Basel II, some of which remain a subject of controversy among experts.
Identity Management plays a decisive role in helping to implement regulations
Despite remaining uncertainties, it is clear to those responsible for IT in large companies that many demands are being made on them which sometimes overlap extensively in their detailed measures, but which need to be separately verified for every regulation. The time, effort and cost involved are high, but the appropriate tools can help them to manage compliance. As well as products dealing with global risk management, systems can also be implemented which reveal concrete operational risks in the IT area and enable countermeasures to be taken. Cross-platform Identity Management solutions play a key role in the areas of user management and access controls, simplifying risk analysis and improving security levels. Identity Management especially addresses the following points:
Protection of business-critical data from unauthorized access. This includes financial and personal data.
Compliance with administration and approval processes.
Auditing of existing authorizations and security settings in IT systems.
Traceable administrative and Help Desk activities.
Fast correction of any defects identified in the above-mentioned areas.
Protection of business-critical data
IdM systems enable the correct assignment of rights on all IT platforms according to users' needs. Using so-called provisioning rules, user accounts and authorizations are automatically administered and reliably deleted in accordance with the company's guidelines on rights assignment. Products such as Beta Systems' SAM Jupiter IdM system enable the rights needed for each workplace profile to be bundled into user roles. Each user receives a bundle of rights tailored to his or her needs on the "need-to-know" principle. Rules on the separation of functions can be implemented in the IdM system. Role-based administration ('profiling') also simplifies security-specific resource classification.
The definition of and compliance with administration processes form the basis for reliable assignment of authorizations. As well as a clearly arranged user interface, an IdM system should also provide an electronic application procedure for authorizations where the application workflow with the individual steps in the approval process is configured.
Automated administration enables the period between a change of workplace and changes to rights to be reduced, avoiding accruals of rights arising from a forgotten withdrawal of rights.
IdM systems can easily identify many risks, such as user accounts that are not blocked but are no longer assigned to any internal or external user.
Logging enables a complete audit of all administration tasks, rights applications and approval steps. IdM systems that can reconcile their central repository with the local platforms' security definitions can also give an overall picture of administration tasks executed locally on those platforms.
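The mechanisms described in the preceding paragraphs (provisioning rules that derive rights from roles, a separation-of-functions check applied at the approval step, reconciliation of the central repository against the local platforms' security definitions to surface orphaned accounts and accrued rights, and an audit log of every administrative action) are illustrated below in an added Python example. It is not code from the article or from Beta Systems' SAM Jupiter; the roles, platforms, users and entitlements are constructed and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed role definitions (hypothetical): role -> {platform: entitlements}
ROLES = {
    "accounts_payable": {"erp": {"invoice_entry"}, "ad": {"Finance-Users"}},
    "ap_approver": {"erp": {"invoice_approval"}, "ad": {"Finance-Users"}},
    "helpdesk": {"ad": {"Password-Reset-Operators"}},
}

# Separation-of-functions rule: no single user may hold both roles of a pair
SOD_CONFLICTS = [("accounts_payable", "ap_approver")]

# Central IdM repository (constructed): user -> roles currently held
REPOSITORY = {
    "alice": {"accounts_payable"},
    "bob": {"ap_approver"},
    "carol": {"helpdesk"},
}

# Security definitions read back from the local platforms (constructed):
# platform -> account -> entitlements actually held there
PLATFORM_STATE = {
    "erp": {
        "alice": {"invoice_entry", "invoice_approval"},  # approval right never withdrawn
        "bob": {"invoice_approval"},
        "dave": {"invoice_entry"},  # no matching user in the repository: orphaned
    },
    "ad": {
        "alice": {"Finance-Users"},
        "bob": set(),  # group membership missing on the platform
        "carol": {"Password-Reset-Operators"},
    },
}

AUDIT_LOG = []  # every administrative action and reconciliation run is recorded here


def log_action(action, **details):
    """Append a timestamped audit record and return it."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action, **details}
    AUDIT_LOG.append(entry)
    return entry


def expected_entitlements(user, repository=REPOSITORY, roles=ROLES):
    """Provisioning rule: a user's rights are the union of the rights of the roles held."""
    expected = {}
    for role in repository.get(user, set()):
        for platform, ents in roles[role].items():
            expected.setdefault(platform, set()).update(ents)
    return expected


def sod_violations(repository=REPOSITORY, conflicts=SOD_CONFLICTS):
    """List (user, role_a, role_b) for every user holding a conflicting pair of roles."""
    return sorted((user, a, b) for user, held in repository.items()
                  for a, b in conflicts if a in held and b in held)


def assign_role(user, role, approver, repository=REPOSITORY, conflicts=SOD_CONFLICTS):
    """Approval step: refuse (and log) any assignment that would break a SoD rule."""
    held = repository.setdefault(user, set())
    for a, b in conflicts:
        other = b if role == a else a if role == b else None
        if other is not None and other in held:
            log_action("assign_role_rejected", user=user, role=role,
                       conflicts_with=other, approver=approver)
            return False
    held.add(role)
    log_action("assign_role", user=user, role=role, approver=approver)
    return True


def reconcile(repository=REPOSITORY, platform_state=PLATFORM_STATE, roles=ROLES):
    """Compare local security definitions with what the provisioning rules prescribe."""
    findings = {"orphaned": [], "excess": [], "missing": []}
    for platform, accounts in platform_state.items():
        for account, held in accounts.items():
            if account not in repository:
                findings["orphaned"].append((platform, account))  # account with no owner
                continue
            want = expected_entitlements(account, repository, roles).get(platform, set())
            findings["excess"] += [(platform, account, e) for e in sorted(held - want)]
            findings["missing"] += [(platform, account, e) for e in sorted(want - held)]
    # Users whose roles prescribe a platform on which they have no account at all
    for user in repository:
        for platform, want in expected_entitlements(user, repository, roles).items():
            if user not in platform_state.get(platform, {}):
                findings["missing"] += [(platform, user, e) for e in sorted(want)]
    log_action("reconcile", **{k: len(v) for k, v in findings.items()})
    return findings


if __name__ == "__main__":
    for kind, items in reconcile().items():
        print(kind, items)
    print("SoD violations:", sod_violations())
    print("assign ap_approver to alice:", assign_role("alice", "ap_approver", approver="cfo"))
    for entry in AUDIT_LOG:
        print(entry)
```

Run stand-alone, the reconciliation reports the orphaned `dave` account on the ERP system, the `invoice_approval` right that `alice` accrued without a role prescribing it, and the AD group membership `bob` should have but lacks; the attempt to give `alice` the approver role is rejected by the separation-of-functions rule and the rejection itself lands in the audit log, which is the record an auditor would later want to see.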
Correction of defects
A central IdM system speeds up reporting, enabling any security breaches to be recognized quickly and reacted to immediately.
In conclusion it can be stated that IdM systems play an important role in IT-related measures for complying with regulations. They provide vital basic information for risk assessment, reduce the time and effort involved in reporting, and actively and measurably improve IT security levels.