Tuesday, February 8, 2011

Controlling Excessive Entitlements

Deloitte, in their 2010 Financial Services Global Security Study, reports that excessive entitlements, also known as excessive access rights, was the top audit finding over the past year -- for the third year in a row. It's not an isolated issue: according to Deloitte, excessive entitlements was the top audit finding in retail and commercial banking, insurance, investment banking, and globally across all financial service segments.

Since all major regulatory frameworks, including SOX, PCI DSS, GLBA, NERC and HIPAA, require entitlement controls, many thousands of companies globally are obligated to prevent excessive entitlements and yet, according to the Deloitte survey, have failed to effectively do so.

IDC states that up to 60% of entitlements on most systems are expired and therefore dormant. It's no wonder that auditors can readily uncover excessive entitlements.

Contrast that with entitlements managed by online billing systems, where typically 0% of entitlements are dormant. What's the difference? Why are billing systems able to manage their entitlements effectively, while enterprise IT departments cannot?

The answer? Money.

Billing systems turn entitlements on or off based on payment activity. If an end user stops paying for any reason, the billing system notifies the client company and the associated product or service is no longer made available. If it were not so, the company would lose money by providing products or services for which there is no associated revenue -- in other words, operating at a loss. Because they have a financial incentive to get it right, these companies manage entitlements effectively.

Now consider financial services enterprises. When users are transferred from one department to another, or are assigned new roles in the company, they often retain their legacy entitlements through a transition period for support and training purposes. It's safer to keep these entitlements in case questions come up regarding the prior role. But no real incentive exists for end users to later relinquish their now excessive entitlements, and these entitlements often fall through the cracks of IT and compliance tracking systems. An enterprise may spend hundreds of thousands if not millions of dollars on entitlement management systems. But with up to 60% of accounts in the dormant state, the challenge is simply too great without having line-of-business managers and IT staff spend an unreasonable amount of time trying to stay on top of the issue. As a result, most enterprises have found that effectively managing entitlements and access controls is simply not possible.

Financial incentives work, as demonstrated by online billing systems. So why not try that approach in large enterprises? Considering the risk to the business from failed audits, it's time to think outside of the box. So here's an idea:

What if every user had a payroll deduction for every entitlement that is unused for a certain period, let's say 60 days? The "fine" amount goes into a reserved account, and is refunded once the entitlement is relinquished. This establishes a gentle but real incentive for end users -- not IT, not the compliance group, and certainly not HR -- to manage entitlements. By putting the issue into the hands of the only people who know whether their entitlements are required to perform their job functions, and underlining it with a mechanism to ensure visibility and remediation, the problem of excessive entitlements could be solved once and for all.
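Whatever the incentive, the scheme only works if someone can reliably list which entitlements have gone unused for the threshold period. The following is an added example (not code from the post) of that dormancy check: it takes a constructed export of (user, entitlement, grant date, last-used date) rows, applies the post's 60-day threshold, and produces the per-user list a payroll or review process would consume. The field names and the rule that a never-used entitlement is aged from its grant date are assumptions for illustration.

```python
from datetime import date, datetime

# Constructed sample export, one row per (user, entitlement). A last_used of
# None means the entitlement was granted but has never been exercised.
SAMPLE_ENTITLEMENTS = [
    {"user": "alice", "entitlement": "trading-app:read",    "granted": "2010-06-01", "last_used": "2011-02-07"},
    {"user": "alice", "entitlement": "legacy-ledger:write", "granted": "2009-03-15", "last_used": "2010-10-01"},
    {"user": "bob",   "entitlement": "hr-portal:admin",     "granted": "2010-11-20", "last_used": None},
    {"user": "bob",   "entitlement": "trading-app:read",    "granted": "2010-11-20", "last_used": "2011-01-30"},
    {"user": "carol", "entitlement": "legacy-ledger:write", "granted": "2010-12-20", "last_used": None},
]

DORMANCY_DAYS = 60                 # threshold proposed in the post
AS_OF = date(2011, 2, 8)           # date the report is run (constructed)


def _parse(day_str):
    return datetime.strptime(day_str, "%Y-%m-%d").date()


def days_dormant(record, as_of):
    """Days since the entitlement was last exercised.

    Assumption: an entitlement that was never used is aged from its grant
    date, so a fresh grant is not flagged until the threshold has elapsed.
    """
    reference = record["last_used"] or record["granted"]
    return (as_of - _parse(reference)).days


def find_dormant(records, as_of, threshold=DORMANCY_DAYS):
    """Return the rows unused for at least `threshold` days, oldest first."""
    findings = []
    for rec in records:
        age = days_dormant(rec, as_of)
        if age >= threshold:
            findings.append({**rec, "days_dormant": age})
    return sorted(findings, key=lambda r: (-r["days_dormant"], r["user"]))


def dormant_ratio(records, as_of, threshold=DORMANCY_DAYS):
    """Fraction of all entitlements that are dormant (the figure IDC quotes as up to 60%)."""
    if not records:
        return 0.0
    return len(find_dormant(records, as_of, threshold)) / len(records)


def by_user(findings):
    """Group findings per user: each person only sees the entitlements they are asked to relinquish."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], []).append(f["entitlement"])
    return grouped


if __name__ == "__main__":
    dormant = find_dormant(SAMPLE_ENTITLEMENTS, AS_OF)
    print(f"{dormant_ratio(SAMPLE_ENTITLEMENTS, AS_OF):.0%} of entitlements dormant as of {AS_OF}")
    for user, ents in by_user(dormant).items():
        print(user, "->", ", ".join(ents))
```

Run against the sample as of 2011-02-08, two of five rows are flagged: alice's ledger write access (last used 130 days ago) and bob's never-used HR admin right (80 days since grant). Carol's never-used grant is only 50 days old and so is not yet reported, which is the edge case the grant-date rule exists for.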
