Access Governance Issues Identified at FEMA


Yet another Federal government agency has been identified as having serious access management and access governance failures. As reported by InformationWeek, a new report from the Department of Homeland Security Office of the Inspector General identifies serious access governance issues at the Federal Emergency Management Agency (FEMA).

FEMA Cybersecurity Fix Could Take Years  

"FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out."

It's not surprising that the Federal government is lagging behind commercial enterprises. In fact, this issue was reflected in the findings of recent research conducted by the Ponemon Institute and commissioned by Aveksa.

Based on the responses of the 100 government IT practitioners that participated in the global multi-industry survey, the results show that FEMA is not the only government agency with access related issues that must be resolved. Some of the findings included:

1. Access Management is a worsening problem for government organizations:

  • Most respondents in government (79 percent) said their users have too much access to information resources that aren't pertinent to their role in the organization.

2. Government organizations can't keep pace with access change:

  • Three out of four respondents (75 percent) say that they can't respond quickly enough to changes in employee access requirements.
  • More than half (60 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.

3. Access policies are not regularly checked and enforced:

  • Sixty percent of organizations do not have or do not strictly enforce access governance policies
  • Sixty-three percent do not immediately check user access requests against security policies before the access is approved and assigned.

4. Organizations lack the budget, resources and staff to effectively govern user access:

  • More than two-thirds (68 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies.
  • Fifty-nine percent of organizations reported that they don't have enough technologies to manage and govern end-user access to information resources.

Click here to download the Ponemon Institute 2010 Access Governance Trends Survey

With the number of failures that continue to be identified, it's time for all government security Czars to focus on tackling the issue of governing user access, as it's a straightforward initiative that can be dealt with right now. The Federal government should look to the security thought leaders in industry that have tackled the access lifecycle management and policy enforcement challenge, as they understand the best practices and have a framework for dealing with access change.

We would welcome a conversation with any Government agency or department security Czars on how to instantiate a set of effective access governance business processes and policies. We would also be happy to connect these Czars with some of Aveksa's thought-leading customers to help them understand an implementation roadmap and maturity model for achieving continuous access management and governance.

2010 Ponemon Institute Survey on Access Governance


Aveksa sponsored a research survey conducted by Ponemon Institute on the state of Access Governance. This is the second survey that we've worked on with Ponemon Institute, and this one includes some interesting trend analysis of how well organizations are achieving their objectives for properly governing user access, compared with the survey findings from 2008.

We would like to invite you to join Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, and Deepak Taneja, President and Founder of Aveksa, as they review all the survey findings and discuss a set of recommendations for improving how access is managed. Attendees of the 2010 Access Governance Trends Survey web seminar will also get a link to download a free copy of the complete report findings.

Date: Thursday, April 22, 2010
Time:  1:00pm ET/12:00pm CT/10:00am PT
Duration: 60 minutes
Register to attend this webinar 

This study surveyed several hundred experienced IT practitioners from both multinational corporations and government organizations. The overall objective of this study was to understand how well IT practitioners are governing user access to information resources within their organizations.

Aveksa featured in Health Management Technology on HIPAA/HITECH


Aveksa was featured in a recent edition of Health Management Technology Magazine in their Forecast 2010 article on Electronic Health Records.

Modernizing the nation's health care records system from paper-based to electronic is crucial not only to improving patient care but also to lowering administrative costs. But in the race to digitize patient records, robust access security must be addressed, as the number of users that might have access to sensitive patient data will increase substantially, especially with some of the federated models that are being implemented by health care networks across the nation.

As more and more medical and administrative processes related to patient care and data are being outsourced to third parties for cost efficiencies, health care providers and payers must be concerned about the effectiveness of the security and access governance frameworks of their business associates. At the end of the day, you can't outsource your business or regulatory liabilities when an access control failure materializes.

The damage to a health care organization's brand, reputation and the potential for loss of revenue as well as increases to operating expenses are very real risks that can materialize from an access governance failure. 

The HITECH Act gave HIPAA some real teeth, and it's now apparent that the Federal Trade Commission (FTC) will be the enforcement arm for this regulation. The FTC has already demonstrated in past consumer privacy breach settlements that it will issue heavy fines and penalties on organizations that fail to implement the right access controls to protected information.

Building A Business Case (ROI) For Access Governance


We recently read a post on Earl Perkins' blog (Research VP at Gartner) regarding "the continuing problem of IAM business justification."

In his post he states..."Sure, I've seen press articles with a title that include "IAM business justification", and they do a decent job at outlining key drivers of IAM and some of the benefits, but those articles usually have two consistent characteristics: (1) they are PRIMARILY about the key drivers rather than benefits, and (2) when benefits are discussed, they are seldom tied to objective, measurable metrics, the type of metrics that business decisionmakers like to see before signing over a couple of million in dollars, euros, or yen to such an effort."

Aveksa has seen the exact same trend with customers.  We get asked quite often to help build a business value/ROI justification by organizations that are considering an Access Governance solution to automate the processes associated with access certification, enterprise role lifecycle maintenance, access request and access change management. 

Earl's right: establishing metrics to measure is key. And he is spot on that organizations focus too much on just cost containment when they should also be considering the importance of cost avoidance associated with the operational business risks that can materialize from the misuse of access (compliance audit findings, fines and penalties, as well as the potential for increases to operating expenses and the loss of revenue and brand reputation).

As he states, "customers focus too much on operational efficiency to the exclusion of possible justifications in the process or governance area of IT? The answer is 'maybe'. While we would like to think that IAM has moved beyond its "pipes and pumps" view by our main customers, the fact is that we have not produced enough in the way of identity intelligence, risk management and workflow optimization to warrant (yet) a seat at the big-boy table when discussing matters of IT governance or business process improvement. We're close, though (e.g. compliance reporting), and perhaps it's important that we include a justification rigor to run concurrent with efforts to deliver these higher-level IAM functions. (I'm actually giving advice to myself to ensure future research in these areas reflects this, so consider this a 'note to self' comment as well as one to you.)"

Including metrics for cost avoidance will help to build a more complete value justification for investing in process and policy automation by providing metrics for business assurance (access risk management).  It's what the organization really values IT security for - providing the assurance that the "bad events" won't happen. 

If you want to learn more about how to build such a business case to justify an investment in your access governance initiative, click here.

Report From IT Policy Compliance Group on Information Security & IT Audit


IT Policy Compliance Group (IT-PCG) has issued a new report entitled, "Guidance for Best Practices in Information Security and IT Audit."  Covering more than 100 of the most common practices for information security and IT audit, the report also identifies guidance for practices that are responsible for better outcomes, including managing:

  • The integrity of information
  • Compliance with regulatory audit
  • Business risks related to the use of IT
  • Information security practices and procedures
  • Information security policies

To view the report click here:  

http://cmpgnr.com/r.html?c=1528530&r=1527189&t=1418553616&l=1&d=91229392&u=http%3a%2f%2fwww%2eitpolicycompliance%2ecom%2fresearch%5freports%2f&g=0&f=-1 

This is some of the best benchmark research that we have seen regarding IT governance practices, including how well organizations are rating against access policy and control best practices. 

Some interesting findings from the report include:

Only one-in-ten experience the best operating outcomes

- About 1 in 10 organizations (12 percent) experience the best outcomes for information security and IT audit, with the lowest levels of data loss or theft, least business disruption and fewest problems with audit.

- A majority of organizations, nearly 7 in 10 (69 percent), are experiencing higher rates of data loss or theft, higher levels of business disruptions from IT failures, and more difficulty with passing regulatory audits in IT.

- Almost 2 in 10 organizations (19 percent) experience the worst outcomes, with the highest rates of data loss or theft, the highest levels of business downtime, and the most difficulties passing audits in IT.

Significant Gaps for Individual Practices

In addition to comparing practice domain implementation levels, significant gaps exist between the level of implementation of specific practices between most organizations and the best performers. For example, the practices with the most consistent significant gaps include:

- The frequency of controls assessments

- Employing common controls between IT audit and information security

- Conducting self-assessments of procedural and technical controls

- Automating procedural and technical controls

- Protecting IT security data

These five practices contain the largest gaps between the levels of practice implementation when compared with the best performers for almost 9 of every 10 organizations. The rank ordered list of the top "must improve" practices with the largest gaps compared to the best performing organizations changes as organizations approach "nearly best-in-class."

Baseline Practices for Better Outcomes

Another baseline practice among best performing organizations is the use of automation to detect and prevent unauthorized changes to critical IT assets. By preventing changes to assets and information that are violations of policy, the best performing organizations are eliminating problems and costs associated with recovering from problems that are more prevalent among organizations with less well developed practices.

Practice Improvements Pay Off

- Top line results, including customer retention, revenue and profitability

- Annual audit expenses

- Time spent - labor - in IT on audit

- IT resiliency and business service levels

- Financial risk from data loss or theft

This supports the recommendations that Aveksa makes to its customers. Implementing a roles-based access governance control framework not only enables organizations to manage access requests and changes more effectively, it pays dividends by lowering inherent business risk related to access control failures and improving IT security operational efficiency, while reducing internal audit costs as well as external audit fees.

See Us At These Upcoming Identity Management Events


Aveksa will be showcasing its access governance solutions at the following events this fall:

Gartner Identity and Access Management Summit - November 9 to 11 in San Diego, CA

http://www.gartner.com/it/page.jsp?id=838920

Identity Management 2009 - November 3 in London at the Britannia International Hotel

http://www.idm2009.co.uk/

Stop by our exhibit to learn more about Aveksa's access governance platform and how we are solving the access certification, enterprise role management and access request challenges for some of the world's largest customers.

Aveksa Quoted In Op Risk & Compliance Magazine On Insider Access Risk


Aveksa was recently quoted in the September edition of OpRisk & Compliance Magazine regarding the insider access risk threats to organizations. While organizations have done a good job securing the perimeter, they must put the proper access governance control framework in place to understand who has access to what specific entitlements; determine how they got the access and who approved it; understand whether it is truly required for their job or functional role; know about events that require access to be reviewed or changed; and, most important of all, validate that requested access changes have actually been made. At Aveksa, we call this our Joiner, Mover, Leaver Access Control Framework (sm).
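The FEMA findings quoted earlier (accounts not reviewed for appropriateness, not disabled after termination, not documented when handed out) and the Joiner, Mover, Leaver framework described above both come down to one reconciliation: compare the authoritative HR roster with what the systems actually grant. The script below is an added example written for this page, not Aveksa's product code, and every record in it is constructed sample data; the field names (employee_id, approved_by, terminated_on) and the role model are assumptions. It flags leavers whose accounts are still enabled beyond a revocation window, movers holding entitlements outside their current role, accounts with no known owner, and grants with no recorded approver.

```python
"""Joiner/Mover/Leaver reconciliation of an HR roster against account and
entitlement data. All records are constructed sample data; field names and
the role model are assumptions for this example, not any vendor's schema."""
from datetime import date

# Constructed HR roster: the authoritative source for who works here and in what role.
HR_ROSTER = [
    {"id": "e100", "name": "Alice", "status": "active", "role": "finance-analyst", "terminated_on": None},
    {"id": "e101", "name": "Bob", "status": "terminated", "role": "sysadmin", "terminated_on": date(2010, 3, 1)},
    {"id": "e102", "name": "Carol", "status": "active", "role": "helpdesk", "terminated_on": None},  # moved from sysadmin
]

# Constructed account export from the target systems.
ACCOUNTS = [
    {"account": "alice", "employee_id": "e100", "enabled": True},
    {"account": "bob", "employee_id": "e101", "enabled": True},        # leaver, still enabled
    {"account": "carol", "employee_id": "e102", "enabled": True},
    {"account": "svc_backup", "employee_id": None, "enabled": True},   # nobody owns this one
]

# Constructed entitlement grants, with whoever approved them (if anyone).
GRANTS = [
    {"account": "alice", "entitlement": "gl-read", "approved_by": "mgr1"},
    {"account": "carol", "entitlement": "root-prod", "approved_by": "mgr2"},   # left over from old role
    {"account": "carol", "entitlement": "ticket-queue", "approved_by": None},  # handed out, never documented
    {"account": "bob", "entitlement": "root-prod", "approved_by": "mgr2"},
]

# Assumed role model: which entitlements each job role is allowed to hold.
ROLE_MODEL = {
    "finance-analyst": {"gl-read", "gl-write"},
    "sysadmin": {"root-prod"},
    "helpdesk": {"ticket-queue"},
}


def find_leavers_still_enabled(hr, accounts, as_of, max_days=1):
    """Leaver check: enabled accounts whose owner was terminated more than
    max_days ago. Returns (account, days_since_termination) pairs."""
    terminated = {e["id"]: e for e in hr if e["status"] == "terminated"}
    findings = []
    for acct in accounts:
        emp = terminated.get(acct["employee_id"])
        if emp and acct["enabled"]:
            age = (as_of - emp["terminated_on"]).days
            if age > max_days:
                findings.append((acct["account"], age))
    return sorted(findings)


def find_unowned_accounts(hr, accounts):
    """Accounts that map to no employee in HR: nobody to certify them."""
    known = {e["id"] for e in hr}
    return sorted(a["account"] for a in accounts if a["employee_id"] not in known)


def find_out_of_role_grants(hr, accounts, grants, role_model):
    """Mover check: entitlements the owner's *current* role does not permit.
    Returns (account, entitlement, current_role) triples."""
    owner_of = {a["account"]: a["employee_id"] for a in accounts}
    role_of = {e["id"]: e["role"] for e in hr}
    findings = []
    for g in grants:
        role = role_of.get(owner_of.get(g["account"]))
        if role is not None and g["entitlement"] not in role_model.get(role, set()):
            findings.append((g["account"], g["entitlement"], role))
    return sorted(findings)


def find_undocumented_grants(grants):
    """Grants with no recorded approver, i.e. access handed out without a paper trail."""
    return sorted((g["account"], g["entitlement"]) for g in grants if not g.get("approved_by"))


def reconcile(hr, accounts, grants, role_model, as_of):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "leavers_still_enabled": find_leavers_still_enabled(hr, accounts, as_of),
        "unowned_accounts": find_unowned_accounts(hr, accounts),
        "out_of_role_grants": find_out_of_role_grants(hr, accounts, grants, role_model),
        "undocumented_grants": find_undocumented_grants(grants),
    }


if __name__ == "__main__":
    for check, items in reconcile(HR_ROSTER, ACCOUNTS, GRANTS, ROLE_MODEL, date(2010, 4, 15)).items():
        print(f"{check}: {items}")
```

In practice the three inputs come from an HR feed and from the account and entitlement exports of each application; the value of the exercise is running it on a schedule so that a terminated employee with a live account, or a mover still carrying old entitlements, shows up within the revocation window rather than at the next audit.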

###

OpRisk and Compliance Magazine

September 1st 2009 / Vol 10 no. 9

A firm's own employees can be a persistent and potentially cancerous internal source of risk. Data security breaches, unauthorised trades or internal frauds can cause the loss of sensitive information or just plain cash. And at the top of the spectrum, there are threats to the competitive fibre of the company, trade secrets and intellectual property.

Staff turnover has increased throughout the global economic downturn, and organisations are becoming more concerned about insider risks. "We've never seen workforce reductions on a scale this large," says Cleary. "Previous reductions have been in the order of 1%, 2% or perhaps even 5%, but we are seeing some organisations making job cuts in excess of 10%. We are talking about thousands and thousands of employees. Organisations need to ensure that all terminated employees' access has been revoked across all applications in the enterprise as soon as the reduction action is taken. Most organisations aren't set up for that level of automation."

http://www.aveksa.com/news-events/upload/OpRisk-and-Compliance-Magazine.pdf

Access Compliance For FERC/NERC


Energy/Utility organizations are under a deadline to comply with the FERC/NERC mandate.  As part of compliance, the implementation of access controls is called out under the Critical Infrastructure Protection (CIP) section.

SC Magazine ran a recent article written by Aveksa on the access compliance control requirements, which can be found here:

http://www.scmagazineus.com/How-a-pragmatic-approach-to-access-governance-can-help-energy-companies-with-FERCNERC-compliance/article/147289/

If you want to learn more about the access controls needed for CIP under the FERC/NERC mandate, you can download a whitepaper on this topic by going to the Aveksa Information Resource Center.

http://www.aveksa.com/company/resource-center/index.cfm
