Whether it's Basel II, Sarbanes-Oxley, or the FSA's updated Combined Code, many organizations are struggling to meet current compliance requirements. But it seems the burden is only set to get worse.
Implementation of the new capital rules is not due until 2007, although Basel II requires that compliant systems are in use well before then. This means companies have to act now to introduce and integrate the technology required to meet regulatory requirements.
Reducing and managing operational risk is a common theme running through the new regulations. It forms a core element of the evaluation method set out in the Basel Capital Accord for calculating minimum capital adequacy requirements. Most of the operational risks defined by the accord relate to "access to computer data by physical persons," or in other words, identity management and access control.
In the information economy, IT security is paramount, not only to protect against external threats, but also to prevent the internal misuse of systems and data. Financial services firms need to be able to provide an audit trail of who accessed what information and for what purpose, for example, which requires granular control of user access based on identity management. Poor access management can open the door to operational risk that can directly translate into major financial losses.
As well as minimizing risks, identity management and access control technology can also streamline the deployment of procedures critical in a banking environment, such as "de-provisioning" and role-based management.
Of the seven types of operational risk defined by the Basel Capital Accord, ID management and access control have a critical role in addressing three of them.
Understand the risks
Operational risks related to users are primarily linked to the reliance on passwords as the main method of access control. For example, if a resource can only be accessed with a password, users will tend to avoid using that resource.
Another problem is that if employees are required to use and remember a large number of passwords, then they will tend to note them down on paper or in another non-secure format. This can facilitate internal fraud.
Often, teams are given a single password, potentially giving individual employees over-generous access rights and enabling them to access data not normally associated with their role. This also raises issues of non-repudiation.
Sometimes a single password is allocated for all the resources an employee can access. In this scenario, a hacker need only break the security on a single system to gain access to all other systems and data.
Another major area of operational risk is administration of access rights. Ever-changing IT environments, promotions, internal moves, staff re-assignments and employee churn make keeping a tight control on access rights a complex job. This creates the potential for operational risks. Access rights allocation is often delegated to systems engineers, who see this as a secondary task. Changes or updates are therefore often delayed or are prone to errors.
Access rights of leavers are often not comprehensively revoked, because companies frequently fail to keep a complete inventory of the authorizations they have granted. As a result, leavers can still gain access to systems even though they are no longer employed.
Passwords are often forgotten, resulting in calls to the helpdesk. The volume of password-related calls in large companies means a large number of helpdesk agents are given administrative rights to change or re-set passwords, providing a route for internal fraud.
Using a "provisioning" solution with identity management will significantly reduce the risks outlined above. Allocation (and cancellation) of access rights is easily done from a central console. This allocation of rights is done on the basis of organizational criteria, by trustworthy persons – with no technical know-how required. All these administrative operations must of course be logged so that they can be audited.
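As an added illustration of the provisioning model just described (role-based grant and revocation from one central console, every change logged for audit, plus a reconciliation pass that surfaces the leaver problem noted earlier), the following is example code written for this page, not any product's or the author's system; the roles, entitlements and user names are constructed.

```python
from dataclasses import dataclass, field

# Constructed role model: each organisational role maps to the entitlements it grants.
ROLE_ENTITLEMENTS = {
    "teller": {"branch-app:login", "core-banking:read"},
    "branch-manager": {"branch-app:login", "core-banking:read", "core-banking:approve"},
    "helpdesk": {"directory:reset-password"},
}


def target_for(role):
    """Entitlements a role should hold; no role (a leaver, or unknown) means none."""
    return ROLE_ENTITLEMENTS.get(role, set())


@dataclass
class Provisioner:
    """Central console: grants and revokes by role, and logs every change for audit."""
    hr_roles: dict                                  # user -> role, fed from HR (source of truth)
    granted: dict = field(default_factory=dict)     # user -> entitlements actually in place
    audit_log: list = field(default_factory=list)   # (actor, action, user, entitlement)

    def provision(self, actor, user):
        """Bring a user's live entitlements in line with their current role."""
        target = target_for(self.hr_roles.get(user))
        current = self.granted.setdefault(user, set())
        for ent in sorted(target - current):        # joiner / promotion: add what is missing
            current.add(ent)
            self.audit_log.append((actor, "grant", user, ent))
        for ent in sorted(current - target):        # mover / leaver: remove what is excessive
            current.discard(ent)
            self.audit_log.append((actor, "revoke", user, ent))
        return current

    def deprovision(self, actor, user):
        """Leaver: drop the HR role, then provision() revokes every entitlement."""
        self.hr_roles.pop(user, None)
        return self.provision(actor, user)

    def orphaned_access(self):
        """Reconciliation: entitlements held beyond the user's role, or with no role at all."""
        report = {}
        for user, ents in self.granted.items():
            excess = ents - target_for(self.hr_roles.get(user))
            if excess:
                report[user] = sorted(excess)
        return report
```

Running `orphaned_access()` against the HR feed on a schedule is the inventory check whose absence lets leavers keep working accounts.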
Centralized identity management and access control significantly simplifies the work of the operational risk management team and can be used to complement intrusion detection systems (IDSs), which, in isolation, provide insufficient coverage of all IT risks.
A large percentage of operational incidents involve access gained using stolen or incorrectly-used passwords and will therefore not necessarily be prevented by an IDS. An ID-management and access-control solution will enable the source of the access and the conditions in which access rights were wrongly granted to be quickly identified and remedied. Operational incidents are often directly attributable to staff and take place internally. As a result, there is no external access attempt to be blocked or denied.
An IDS will centralize alert data, but not the means of remedying these alerts. After detecting an operational incident, network appliances (such as firewalls and routers) have to be reconfigured using their own associated administration tools. An identity-management and access-control solution, on the other hand, allows the immediate correction of the source of the incident from one central console, whatever the platform (mainframe, website and so on).
ID-management and access-control solutions deliver a range of benefits. These include an immediate reduction in operational risks (and, potentially, insurance costs) with a corresponding reduction in operational incidents (and consequent financial loss and penalties).
Another benefit is auditable information on access rights and authorized or unauthorized system/data access that can be integrated with existing reporting tools to give a clearer picture of operational risk. You will also have more granular, centralized control enabling faster reaction to access risks as they are detected.
Identity-management and access-control solutions also deliver significant productivity gains. For example, users save time by only needing a single password, and no longer have to wait days for new access rights as systems administration is streamlined. Helpdesk costs are slashed. And administrators can set up new accounts or change or cancel access rights more quickly.
It is clear that identity management and a centralized approach to rights management are key to reducing operational risk.
But with the unreliability of passwords, how can a financial organization be sure that an employee is who they say they are? For a company to be completely accountable, and trace fraud and other internal security breaches, it needs to be certain who is doing what within its IT system.
Charles Hayhoe is a senior executive with NEC business solutions division