Employee Role Changes and SocGen: Good lessons from a bad example
Jerome Kerviel was hired by Société Générale in 2000 to work in its compliance department. In 2005 he was promoted to trader in a business unit that deals with program trading, exchange-traded funds, swaps, and index and quantitative trading. In a classic, and all too common, failure to properly govern access, Kerviel retained back office system entitlements that were no longer appropriate for his new role. As a result, he was able to build an enormous portfolio of high-risk positions and conceal them until January 2008, when the bank finally detected his activities and closed out the positions. The estimated $7.2 billion in losses incurred by Société Générale made this, at the time, the largest trading loss in banking history attributed to a single trader.
What's an organization to do?
The Société Générale incident provides a number of universal lessons for companies as they consider how to manage the risks of giving users access to information resources. A proactive approach to reviewing and certifying the appropriateness of access would have prevented Kerviel from "dragging" his prior entitlements into his new role as a trader. While this alone would not have prevented every loss, recognizing that a trader held entitlements his business role did not require would have let the bank remediate the violation quickly, limiting Kerviel's ability to hide his activity and reducing the bank's exposure.
The only reliable way to ensure effective governance of user access is with proper review and certification of access entitlements. The requirements necessary to enforce business policies for governing access include:
Unless an organization fully knows who has access to what resources, and has the context to understand when access for a particular job function could result in sizable risks, it is vulnerable to access-related fraud or misuse.
Organizations must embrace the principle of least-privileged access to reduce and avoid risk. When employees or temporary workers change departments or business roles, the likelihood of access "entitlement drag" occurring is high. This was a major risk factor for Société Générale, as it lacked any form of business role classification to enable it to understand whether access was required and appropriate for the job function.
Dynamic monitoring of access
It appears that Société Générale had no automated business rules that could have detected a change in job role and alerted management that Kerviel's access needed to be recertified. Dynamic monitoring, rather than periodic access review alone, is required, especially for classes of high-risk and high-privilege users such as traders, so that the right action is triggered while there is still time to close the window for abuse before it turns into a loss.
Classification of access risk
Risk isn't limited to just those with the most privileged access to information resources. The capability to execute transactions can expose the business to potential risks, and all access for executing these transactions must be well-governed. Classifying user access by the level of risk inherent to the resources being accessed would have enabled the bank's IT security team to focus attention on the highest-risk points of access.
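The two preceding points, an event-driven check that fires on a role change and a risk classification that decides how urgently each surplus entitlement is handled, can be combined into one small control. The following is an added example written for this article; it is not code from Société Générale, Aveksa or any product. The role baselines, the risk classes, the HR event feed and the user's entitlements are all constructed sample data chosen to mirror the case above (a back-office user moving to the trading desk and keeping every old entitlement).

```python
"""Event-driven detection of 'entitlement drag' after a job-role change.

Constructed example: the role baselines, risk classes, HR feed and user
entitlements below are made up to illustrate the check. They are not taken
from Société Générale or any real system.
"""
from dataclasses import dataclass

# Baseline: the entitlements each business role legitimately needs (assumed).
ROLE_BASELINE = {
    "back_office_ops": {"trade_confirm:approve", "trade_cancel:approve",
                        "settlement:view", "email"},
    "trader": {"trade_book:create", "position:view", "market_data:view", "email"},
}

# Risk class per entitlement, as set by the risk/compliance team (assumed values).
ENTITLEMENT_RISK = {
    "trade_confirm:approve": "high",    # can validate a booked trade
    "trade_cancel:approve": "high",     # can make a booked trade disappear
    "trade_book:create": "high",
    "settlement:view": "medium",
    "position:view": "medium",
    "market_data:view": "low",
    "email": "low",
}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class RoleChange:
    """One record from the HR feed (hypothetical format)."""
    user: str
    old_role: str
    new_role: str
    effective: str  # ISO date


@dataclass
class Finding:
    user: str
    new_role: str
    entitlement: str
    risk: str
    action: str  # "revoke" (high risk) or "recertify" (manager must attest)


def excess_entitlements(current, new_role, baseline=ROLE_BASELINE):
    """Entitlements the user holds that the new role's baseline does not require."""
    required = baseline.get(new_role)
    if required is None:
        # A role with no baseline cannot be certified; fail loudly rather than
        # silently treating everything as allowed.
        raise ValueError(f"no baseline defined for role {new_role!r}")
    return set(current) - required


def triage(user, new_role, extra, risk_map=ENTITLEMENT_RISK):
    """Turn excess entitlements into findings, highest risk first.

    An entitlement missing from the risk map is treated as high risk
    (fail closed) so that unclassified access is never quietly ignored.
    """
    findings = []
    for ent in extra:
        risk = risk_map.get(ent, "high")
        action = "revoke" if risk == "high" else "recertify"
        findings.append(Finding(user, new_role, ent, risk, action))
    findings.sort(key=lambda f: (RISK_ORDER[f.risk], f.entitlement))
    return findings


def process_role_changes(events, entitlements):
    """Run the drag check for every role-change event in the feed."""
    findings = []
    for ev in events:
        current = entitlements.get(ev.user, set())
        extra = excess_entitlements(current, ev.new_role)
        findings.extend(triage(ev.user, ev.new_role, extra))
    return findings


# Constructed sample feed: one user moved from back office to the trading
# desk and kept every entitlement from the old role.
SAMPLE_EVENTS = [RoleChange("jdoe", "back_office_ops", "trader", "2024-01-03")]
SAMPLE_ENTITLEMENTS = {
    "jdoe": ROLE_BASELINE["back_office_ops"] | ROLE_BASELINE["trader"],
}

if __name__ == "__main__":
    for f in process_role_changes(SAMPLE_EVENTS, SAMPLE_ENTITLEMENTS):
        print(f"{f.user}: {f.entitlement} ({f.risk}) -> {f.action}")
```

Run against the sample feed, the check reports the two high-risk back-office approvals (trade confirmation and cancellation) for immediate revocation and the settlement view for manager recertification; the shared low-risk email entitlement is not flagged because the new role's baseline includes it. The two design choices worth keeping in a real deployment are the trigger (the check runs on the HR event, not on a quarterly calendar) and the fail-closed defaults (an unclassified entitlement is treated as high risk, and a role without a baseline raises rather than passes).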
There appeared to be little, if any, clear accountability at Société Générale for governing access. But the responsibility should not fall solely on IT. Audit, compliance and risk teams understand the policies and controls that need to be implemented to ensure compliance. IT can provide visibility into access and automate the processes that ensure consistent adherence to policy. But business unit managers are in the best position to know what access a job role actually requires, so accountability for certifying the appropriateness of access must reside with them.
Don't learn these lessons the hard way
Many organizations are learning the hard way that ungoverned access risk can lead to an expensive, embarrassing disaster. Companies are waking up to the fact that traditional, home-grown systems for governing access to their information resources are inadequate. Others are realizing that their user provisioning systems cannot address their governance process and policy challenges because they were never designed with that objective in mind. With proper access governance in place, IT security organizations can give the business reasonable assurance that unauthorized or inappropriate access will be detected and remediated before it damages operations.
Brian Cleary is the vice president of marketing for Aveksa, Inc. -- a market-leading provider of enterprise access governance solutions.