
My Experience with Compliance


Complying with identity management
By Dr Martin Kuhlmann – Beta Systems Software AG

In recent years a series of laws, regulations and standards have been introduced in Europe and North America, which directly or indirectly make new demands on companies’ IT security and IT risk management. Whereas in the past IT managers and security personnel largely autonomously determined a company’s IT security policy, IT administrators are now faced with the necessity of analyzing the relevant industry-specific regulations and implementing these in a range of concrete measures.

Having the appropriate tools as well as process models and checklists available to facilitate the control and implementation of regulations can be decisive in managing this task. Identity management (IdM) systems play an important role in this process because they provide “the right data to the right users” and administer user-specific security settings across all platforms.

Regulations are drawn up for three main reasons

There are three reasons for the promulgation of these regulations. Laws such as the Sarbanes-Oxley Act (SOX) or the Gramm-Leach-Bliley Act (GLB) serve to ensure the reliability and confidentiality of financial business data as well as investor protection. SOX was, after all, drawn up in the aftermath of the huge financial scandals at Enron and WorldCom.

The second reason for these regulations and standards is to minimize risks for companies. Into this category falls the Basel II Capital Accord, developed under the aegis of the European banking supervisory organization, which requires financial institutions to assess credit risks and operational business risks. The Accord stipulates the holding of reserves whose size is commensurate with the risks assessed. The cost of these reserves forms part of the business case when considering whether, and which, IT tools should be used for risk-minimizing measures.

The third reason for these legal rules is the protection of personal data, as generally formulated in Europe in the European Data Protection Directive of 1995. In the USA, the Health Insurance Portability and Accountability Act (HIPAA) regulates the confidential handling of patient data and patients’ rights to view and correct personal information.

Multinational companies are affected not only by the laws of their country of origin, but also by the national regulations of all the countries in which they operate. Any infringement can result in criminal proceedings.

The implementation process has already started

Most companies have recognized the urgency of the task facing them and are making great efforts to implement the requirements. According to a survey carried out by the magazine Risk together with the consulting company Ernst & Young, companies put their planned expenditure on controlling operational risks in 2004 at an average of US$19.8 million, an increase of more than 25 percent on 2003. The consultancy PwC also forecast that expenditure on legal compliance issues in the financial services sector would rise in 2005 by an average of 23 percent over the previous year.

Identity management plays a decisive role in helping to implement regulations

Despite remaining uncertainties, it is clear to those responsible for IT in large companies that many demands are being made on them which sometimes overlap extensively in their detailed measures, but which need to be separately verified for every regulation. The time, effort and cost involved are high, but the appropriate tools can help them to manage compliance. As well as products dealing with global risk management, systems can also be implemented which reveal concrete operational risks in the IT area and enable countermeasures to be taken. Cross-platform identity management solutions play a key role in the areas of user management and access control, simplifying risk analysis and improving security levels. Identity management especially addresses the following points:

Protection of business-critical data

IdM systems enable the correct assignment of rights for all IT platforms according to users’ needs. Using so-called provisioning rules, user accounts and authorizations are automatically administered and reliably deleted in accordance with the company’s guidelines on rights assignment.

Administration processes

The definition of, and compliance with, administration processes form the basis for reliable assignment of authorizations. As well as a clearly arranged user interface, an IdM system should also provide an electronic application procedure for authorizations, in which the application workflow, with the individual steps of the approval process, is configured.

Auditing authorizations

Many risks can easily be identified by IdM systems, such as user accounts that are not blocked, but are no longer assigned to any internal or external user.

Traceable Administration

Logging enables a complete audit of all administration tasks, rights applications and approval steps. IdM systems that can reconcile their central repository with the local platforms' security definitions can also give users an overall picture of locally executed administration tasks.
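The two audit checks described above (unblocked accounts that belong to no active user, and reconciling the central repository with a platform's local security definitions), as an added example in Python that is not from the article or from any Beta Systems product. The provisioning rules, the central repository and the local account list are all constructed, and the field names are assumptions:

```python
from dataclasses import dataclass, field
@dataclass
class Person:
    uid: str
    active: bool                       # False once the person is off-boarded
    roles: set = field(default_factory=set)

# Provisioning rules (constructed): role -> {platform -> authorizations}.
RULES = {
    "accounting": {"erp": {"gl_post"}, "unix": {"login"}},
    "developer":  {"unix": {"login", "sudo"}},
}
def expected_rights(person, platform):
    rights = set()
    for role in person.roles:
        rights |= RULES.get(role, {}).get(platform, set())
    return rights

def reconcile(repository, platform, accounts):
    """Compare one platform's local accounts (dicts: account, owner, enabled,
    rights) with the central repository; return (account, finding) pairs."""
    people, findings = {p.uid: p for p in repository}, []
    for acct in accounts:
        owner = people.get(acct["owner"])
        if owner is None or not owner.active:
            if acct["enabled"]:   # unblocked, yet no active owner: an orphan
                findings.append((acct["account"], "orphan: enabled, no active owner"))
            continue
        expected = expected_rights(owner, platform)
        extra, missing = acct["rights"] - expected, expected - acct["rights"]
        if extra:      # granted locally, outside the provisioning rules
            findings.append((acct["account"], f"excess rights {sorted(extra)}"))
        if missing:    # the rules grant it, but the platform never received it
            findings.append((acct["account"], f"missing rights {sorted(missing)}"))
    return findings

# Constructed sample data: central repository and one platform's account list.
REPOSITORY = [Person("alice", True, {"accounting"}),
              Person("bob", False, {"developer"}),
              Person("carol", True, {"developer"})]
UNIX_ACCOUNTS = [
    {"account": "alice", "owner": "alice", "enabled": True, "rights": {"login", "sudo"}},
    {"account": "bob",   "owner": "bob",   "enabled": True, "rights": {"login", "sudo"}},
    {"account": "svc01", "owner": "",      "enabled": True, "rights": {"login"}},
    {"account": "carol", "owner": "carol", "enabled": True, "rights": {"login"}},
]

def audit_unix():
    """Findings for the constructed data: alice excess, bob/svc01 orphan, carol missing."""
    return reconcile(REPOSITORY, "unix", UNIX_ACCOUNTS)
```

Each finding is something the text calls out: an orphaned account is an immediate blocking candidate, while excess or missing rights show where local administration has drifted from the centrally approved provisioning rules.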

Correction of defects

A central IdM system speeds up reporting, enabling any security breaches to be recognized quickly and reacted to immediately.

In conclusion it can be stated that IdM systems play an important role in IT-related measures for complying with regulations. They provide vital basic information for risk assessment, reduce the time and effort involved in reporting, and actively and measurably improve IT security levels.


Sarbanes-Oxley and the impact on IT Infrastructure
By Dave Hartley, Managing Consultant, Xantus Consulting

Section 404 of the Sarbanes-Oxley Act is only four paragraphs long, so there is no impact on IT infrastructure and the CIO can let the business channels worry about this? Think again. The SOX compliance programme is driven by the core business, but systems, data and infrastructure components are critical to the financial reporting process.

In today’s environment, financial reporting processes are driven by IT systems. Such systems, whether enterprise resource planning (ERP) or otherwise, are deeply integrated in the initiating, authorizing, recording, processing and reporting of financial transactions. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with SOX.

Currently a leading insurance company is establishing a program to address SOX IT requirements for its head office operations, but crucially the program has been designed to address a whole range of compliance, risk and security issues, not just SOX. These include: information security; technology recovery; data center risk assessment; ITIL threat assessment; and Sarbanes-Oxley.

A significant operational infrastructure change needed to achieve this is to introduce rigorous systems management and incident monitoring – without this control at a basic level it would not be possible to demonstrate that adequate financial controls exist within the organization, as required by Sarbanes-Oxley.

This approach reflects that of many organizations, which recognize that the required initiatives share many common IT infrastructure threads, and that taking a ‘silo’ approach will increase cost significantly. An opportunity would also be missed to move towards a more integrated IT infrastructure.

But where do you start? At the simplest level the organization must assess the current state of its IT systems, identify what needs to be done to achieve compliance, and structure a roadmap to get there.

Certainly a lot of focus is being placed on recording and archiving transactions and communications, but it is important to focus on systems that are clearly linked to financial reporting, and for these areas some general controls include:

  • Data center operation controls – Controls such as job setup and scheduling, operator actions, and data backup and recovery procedures
  • System software controls – Controls over the effective acquisition, implementation and maintenance of system software, database management, telecommunications software, security software and utilities
  • Access security controls – Controls that prevent inappropriate and unauthorized use of the system
  • Application system development and maintenance controls – Controls over development methodology, including documentation, change management, testing and signoff
  • Outsourcing – many organizations now outsource processes and systems that include core financial reporting elements. It is important to contractually ensure the supplier will support the organization in whatever way is needed to comply with SOX.

Apart from core systems and infrastructure, other areas that require consideration include:

  • E-mail management – policies and archiving approaches.
  • Problem management – formal mechanisms for reporting and managing problems.
  • Instant messaging – auditability, control and central archiving.
  • Business continuity – system resilience during important reporting periods.
  • Document management – policies, new systems.
  • Printers/fax – archived records of activity.

Don’t re-invent the wheel

It is important to recognize that it is not only senior management that must assess the effectiveness of controls annually – the external auditor must also review the controls and make its own assessment. The more the CIO can adhere to standard approaches and frameworks the greater understanding and control there is on the IT infrastructure – it then becomes much easier to prove compliance.

Established best practice methodologies and frameworks can provide a basis for addressing some of this including the ITIL framework for IT Service Management, and PRINCE2 for tight control of projects. The international security framework ISO17799 is also an important standard that can be used.

Hooking into corporate compliance programmes

The CIO must ensure IT is a core part of the business SOX compliance programme, as is happening with the insurance company cited above. This is the only way that an effective IT change programme can be designed to deliver what the business needs for compliance. Just as recognized frameworks such as ITIL can be used to implement best practice at an IT management level, the SOX act stipulates that a recognised risk and control framework must be used to ensure overall compliance. In the UK the Turnbull recommendations can be used, but the CIO must be a core part of the business programme to understand what this means for IT.

CIOs must take the initiative

There is growing resentment in Europe at the unwanted pressure from the US, and companies are even threatening to de-list from the US exchanges to avoid the legislation. But SOX is only one of a number of compliance requirements, including Basel II, the Freedom of Information Act, International Accounting Standards and others, and cannot be ignored. The CIO must be pro-active and:

  • Get involved early.
  • Take the Integrated Approach – getting existing systems and processes into shape and driving towards an integrated environment will help ease compliance pain.
  • Evaluate Outsource Options – where appropriate use outsourcing to help shift the compliance burden.
  • Take the Positive Approach – cleaning up systems for compliance can provide competitive advantage.
