Mar/Apr 2003 by Carol Hildebrand
Data integrity and you
For most people, "the good old days" refers to the halcyon years of their childhood. But when it comes to data security, the good old days for IT were just a few years ago.
Since Y2K, the notion of data security across an enterprise has faced significant changes, forcing IT leaders to re-examine exactly what it means to provide a secure data environment. "The changes in the corporate world over the past several years should serve as a wake-up call to the CIO," says Chris Stone, the vice chairman of Novell Inc. "From new regulations to the intertwined systems that make up a modern supply chain, the landscape has changed when it comes to data security."
Chief among the changes: the new Sarbanes-Oxley Act, signed into law in response to corporate scandals such as those that rocked Enron and Tyco. (See Sarbanes-Oxley in a Nutshell.) This law seeks to curb corporate fiscal malfeasance by making CEOs and CFOs legally responsible for the veracity and integrity of their financial statements. Faced with such binding responsibility, boardrooms want every assurance from CIOs that the data that make up the financial systems are irreproachable in content and provenance.
"There’s certainly more pressure on CIOs," says Jamie Lewis, the CEO of the Burton Group, a research and advisory firm specializing in security and identity management. "Sarbanes-Oxley is a relatively blunt instrument that makes CIOs focus on making sure that they are reporting accurate information and that they know where it’s coming from."
As the scrutiny of corporate data intensifies, the results of internal IT auditing teams are bubbling up to the boardroom—and they’re not pretty. "A lot of people are having bad days when they see their results," says Lewis. Many companies are being dinged on the lack of security in their systems—particularly those that can’t track user activity within a system, making it very difficult to build an audit trail.
Further adding to the problems of building a secure data environment are the business realities governing today’s supply chains. More and more, companies seek to link their systems with partners and suppliers both up and down the supply chain, and that means exposing corporate data to an entirely new level of risk. Traditionally, IT executives worried only about managing internal users. But as they open processes to external parties, IT managers need to address identity management for external users, too.
Adding to these new realities is the old truth about information security: most of the danger to corporate data lies within. According to a 2002 survey jointly conducted by the Computer Security Institute and the Federal Bureau of Investigation, 64 percent of the 502 responding companies faced some kind of insider attack on their systems in 2002. Despite this, IT organizations still have difficulty maintaining tight control of their identity management and access systems. And while the boardroom is looking to the CIO for reassurance on all of these issues, the CIO is looking to IT managers to execute new projects to ensure data integrity. It’s incumbent upon IT leaders, then, to understand the full scope of these new pressures, and the viable solutions.
The bottom line: a new equation in data security. IT leaders need to manage, monitor and control information access to ensure enterprise security. One of the best strategies is to create an agenda for securing information access and control in today’s new world. Among some of the recommended steps to success:
action item 1
Manage Identity Access Across The Enterprise
Although this sounds like common sense, building a corporate-wide identity access program that works as a single entity is actually a huge challenge. A quick examination of a company’s individual applications reveals the reason: most have identity checks built into each individual system, resulting in a hodgepodge of identity management methods with no discernible overarching strategy. "The typical internal IT environment is hugely fragmented," says Lewis. "IT generally does identity management on an application by application basis, and they have hundreds of applications out there."
Since it’s nearly impossible to manage these systems as a whole, it’s easy for users to fall through the cracks. It’s not unusual to find user accounts that are still active even though those people have left the company, or people whose job descriptions have changed yet who still retain access rights related to previous jobs. It’s equally difficult for users to keep track of their many credentials in such a confusing environment. As a result, many resort to easy-to-guess passwords such as names of children, family birthdays or family pets. "When users can’t keep track of their many passwords and end up putting a sticky note full of passwords on their computer monitor, you know you don’t have a secure workplace," says Wendy Steinle, director of marketing for Novell Security and Identity Solution.
Audit committees have been faulting CIOs on inadequate password management for years, but Sarbanes-Oxley has turned up the heat on this issue. As the Board of Directors puts pressure on the CIO to adhere to more stringent audit requirements, this neglect will no longer be tolerated. In fact, failing to improve password management could become a career-threatening move. In order to satisfy common audit complaints, IT managers will have to implement software that solves the problem, or companies will hire people who can.
action item 2
Overhaul Your Policies
The advent of Sarbanes-Oxley means that many companies must overhaul their financial systems to make absolutely sure that the information contained is 100 percent accurate, protected and secure. Executives need to know that when they sign 10-Ks, there are clear information access and tracking records that back up the validity of the data. In fact, many experts think that the need for financial systems overhauls will be a big factor in IT spending in the second quarter of 2003 and beyond.
But to get the most accurate data, companies must ensure that security policies have been updated to reflect the state of the new systems. The simplest way to satisfy that requirement is to use identity management software that’s built on a policy-based foundation.
action item 3
Build An Impeccable Audit Trail
In order for the CEO and CFO to feel comfortable certifying the integrity of their company’s financial statements, they need to know that the information in those documents hasn’t been tampered with or tainted in any way. Before auditing and tracking can mean anything, companies need systems in place that control who has access to what, preventing breaches in the first place.
On top of that, with auditing and tracking in place, should there be a breach, companies can find out who breached what and when the breach occurred. One of the best methods of assurance is the ability to track user activity in critical accounts. According to many security experts, it’s vital that IT organizations create clean data trails that can stand up to audits and possible litigation.
Unfortunately, many companies are challenged to build a data trail to satisfy the new requirements. Without a systematic method for managing identity and access, it’s nearly impossible to track user activity with confidence. CIOs can take the first step towards comprehensive identity management by using a system that can be customized to fit company policies. For example, if the company policy is to give people in a certain job access to certain resources, a policy-based system turns those policies into rules that get executed in real life. This can be extended to the auditing process by using software to produce reports that show who has access to these systems, and track their activity.
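The policy-based access model described above, as an added example that is not Novell's code and not part of the original article: job roles map to (resource, action) pairs, every access decision is evaluated against that mapping, and every decision, denials included, is appended to an audit log. From the same data the code produces the two reports an auditor asks for, "who has access to X" and "what did user Y do". The roles, users and resources are constructed sample data; the resource names and the reason strings are assumptions chosen for illustration.

```python
"""Policy-based access control with an audit trail (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: job role -> set of (resource, action) pairs the role grants.
# Access is attached to the job, not configured separately in every application.
POLICY = {
    "ap_clerk":   {("ap_ledger", "read"), ("ap_ledger", "write")},
    "controller": {("ap_ledger", "read"), ("gl", "read"), ("gl", "write"), ("gl", "close")},
    "auditor":    {("ap_ledger", "read"), ("gl", "read"), ("audit_log", "read")},
}

# Constructed directory: user -> roles (the single authoritative assignment).
USERS = {"alice": {"ap_clerk"}, "bob": {"controller"}, "carol": {"auditor"}}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


class AccessControl:
    def __init__(self, policy, users, clock=None):
        self.policy = policy
        self.users = users
        self._log = []  # append-only record of every decision, denials included
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def granting_roles(self, user, resource, action):
        """Roles held by `user` whose policy includes (resource, action)."""
        return sorted(r for r in self.users.get(user, ())
                      if (resource, action) in self.policy.get(r, ()))

    def check(self, user, resource, action):
        """Evaluate the rule, log the decision with its reason, return True/False."""
        if user not in self.users:
            allowed, reason = False, "unknown user"
        else:
            roles = self.granting_roles(user, resource, action)
            if roles:
                allowed, reason = True, "granted by role " + ",".join(roles)
            else:
                allowed, reason = False, f"no role grants {resource}:{action}"
        self._log.append(AuditEvent(self.clock(), user, resource, action, allowed, reason))
        return allowed

    def who_has_access(self, resource, action):
        """Entitlement report: every user a role currently grants this access to."""
        return sorted(u for u in self.users if self.granting_roles(u, resource, action))

    def activity(self, user=None):
        """Activity report: all logged decisions, optionally for one user."""
        return [e for e in self._log if user is None or e.user == user]

    def log_lines(self):
        """Human-readable audit trail, one line per decision."""
        return [f"{e.ts} user={e.user} {e.resource}:{e.action} "
                f"{'ALLOW' if e.allowed else 'DENY'} ({e.reason})" for e in self._log]


if __name__ == "__main__":
    ac = AccessControl(POLICY, USERS)
    ac.check("alice", "ap_ledger", "write")   # allowed by ap_clerk
    ac.check("alice", "gl", "close")          # denied: clerks cannot close the ledger
    ac.check("mallory", "gl", "read")         # denied: not in the directory
    print("gl:read ->", ac.who_has_access("gl", "read"))
    print("\n".join(ac.log_lines()))
```

Logging the denials is deliberate: a clerk repeatedly trying to close the general ledger is exactly the kind of activity an audit committee wants to see, and a log that only records successes cannot show it.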
action item 4
Work With Suppliers And Partners To Build Policies
In today’s global economy, corporate IT systems don’t stop at the front door. Rather, businesses derive competitive advantages by tightly interlinking their systems with those of suppliers and partners up and down the supply chain. While this is a huge benefit from a business point of view, it does raise issues of data security when external personnel have access to internal information. Companies need to work together to create common, agreed-upon policies and procedures around identity management at the inception of the business partnership.
action item 5
Institute Tight Policies Around Employee Actions
While the regulatory landscape is indirectly driving changes in how companies report and process financial information, one of the biggest issues in information access and management has been the same for years: most security problems come from within a company through mismanagement of applications, carelessness on the part of system administrators, accounts that aren’t deactivated in a timely manner and disgruntled employees.
The trouble is that many IT organizations still handle issues of employee access on a system-by-system basis, and manage the process manually. Such administrative busywork is one of the first things to slide, to the detriment of information security. In order to make it simple to institute and enforce procedures around employee hirings and terminations, corporations must automate the process.
action item 6
Evaluate Identity Management Software
The Novell Security and Identity family of secure identity management solutions can provide the comprehensive identity management environment that enables enterprises to deliver the right resources to the right people—and conversely—keep the wrong people from accessing and tampering with sensitive information. Novell Security and Identity puts each customer’s business policies into action and automates the process of creating, managing and deleting user identities across company-wide systems. So, with a single update to an authoritative source, CIOs can be confident that the people who power their business have immediate access to the resources they need, and when the relationship comes to an end, access across all systems is rescinded in real-time.
This is made possible by linking all instances of common identity information so that companies gain a "virtual single identity" for each user. "Many companies need to manage identities from within different applications," Novell’s Steinle points out. "Security and Identity solutions give them the flexibility to manage identities from any location they want, but at the same time gain a central view of each user’s comprehensive profile, plus the efficiency and cost improvements of automating management."
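The provisioning loop this section describes, and that action items 1 and 5 ask for (stale accounts of departed employees, rights left over from previous jobs, automated handling of hirings and terminations, a single update to an authoritative source rescinding access everywhere), as an added example. This is illustrative code, not Novell's product and not part of the original article. It computes the desired state of every system from a constructed HR feed and a constructed role policy, diffs it against constructed per-system account exports, and emits the grant, revoke, disable and review actions needed to close the gap. The system names, entitlement names and the choice to send accounts with no HR record at all to human review rather than disabling them are assumptions.

```python
"""Reconcile per-system accounts against an authoritative HR feed (added illustration)."""
from dataclasses import dataclass

# Constructed authoritative source: employee -> (status, job role).
HR_FEED = {
    "alice": ("active", "ap_clerk"),
    "bob":   ("active", "controller"),   # bob was promoted from ap_clerk
    "dave":  ("terminated", "ap_clerk"),
}

# Constructed role policy: job role -> {system: entitlements the role should have}.
ROLE_POLICY = {
    "ap_clerk":   {"erp": {"ap_entry"}, "ldap": {"staff"}},
    "controller": {"erp": {"ap_entry", "gl_post", "gl_close"}, "ldap": {"staff", "finance"}},
}

# Constructed account exports: what each system actually holds today.
ACTUAL = {
    "erp":  {"alice": {"ap_entry", "gl_post"},   # gl_post is privilege drift
             "bob": {"ap_entry"},                 # still has clerk rights only
             "dave": {"ap_entry"},                # terminated but never disabled
             "svc_old": {"gl_post"}},             # no HR record at all
    "ldap": {"alice": {"staff"}, "bob": {"staff"}, "eve": {"staff", "finance"}},
}


@dataclass(frozen=True, order=True)
class Action:
    system: str
    user: str
    op: str               # "grant", "revoke", "disable" or "review"
    entitlement: str = ""


def desired_state(hr_feed, role_policy):
    """What every system should contain, derived only from the authoritative feed."""
    desired = {}
    for user, (status, role) in hr_feed.items():
        if status != "active":
            continue                      # leavers get nothing anywhere
        for system, ents in role_policy.get(role, {}).items():
            desired.setdefault(system, {})[user] = set(ents)
    return desired


def reconcile(hr_feed, role_policy, actual):
    """Diff desired vs. actual and return the provisioning actions, sorted."""
    desired = desired_state(hr_feed, role_policy)
    actions = []
    for system, accounts in actual.items():
        want = desired.get(system, {})
        for user, have in accounts.items():
            if user not in hr_feed:
                # Unknown to HR: orphan or service account. Flag for review
                # rather than disable, since the feed cannot vouch either way.
                actions.append(Action(system, user, "review"))
            elif user not in want:
                actions.append(Action(system, user, "disable"))   # terminated
            else:
                for ent in have - want[user]:
                    actions.append(Action(system, user, "revoke", ent))  # drift
        for user, need in want.items():
            for ent in need - accounts.get(user, set()):
                actions.append(Action(system, user, "grant", ent))      # joiner/mover
    for system, want in desired.items():
        if system not in actual:            # a system with no export yet
            for user, need in want.items():
                actions.extend(Action(system, user, "grant", e) for e in need)
    return sorted(actions)


if __name__ == "__main__":
    for a in reconcile(HR_FEED, ROLE_POLICY, ACTUAL):
        print(f"{a.system:5} {a.user:8} {a.op:8} {a.entitlement}")
```

Running the reconciler after a single change to the feed (marking alice terminated, say) yields disable actions for her in every system she appears in, which is the "one update, access rescinded everywhere" property the text describes. The review bucket matters in practice: an account the feed does not know about is as likely to be a forgotten service account as a ghost employee, and disabling it blindly is how batch jobs stop running at quarter close.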
Efficiency and cost reduction are always important objectives. But one of the most compelling drivers for secure identity management is, obviously, security. Security and Identity shores up security holes, from within and without, by centralizing security policies and consistently applying them across the entire enterprise. It solves many of the security risks commonly raised in IT audit reports such as password management and access control to business resources and information by internal users and external customers and partners.
With Security and Identity, companies can choose among robust password policies, single sign-on and strong authentication using biometric recognition. Strict policies and procedures must be in place that authenticate the identity of internal and external users and ensure that they have access to only the information they need.
In the end, information security is more than a simple byproduct of the new regulatory environment—it’s a matter of plain, good business practices. Smart IT leaders will realize that by putting information security at the front of the IT organization’s agenda, they ultimately help drive the business agenda. And Novell Security and Identity does that.
audit report findings—how to improve them
Receive a less-than-glowing audit report?
Here are some of the common problems—and easy steps you can take to fix them.
User Access Settings
Problem: Although password controls are in place, they can be improved.
Recommendation: Enforce one password policy consistently across systems, and implement software that logs authentication and account activity so the audit trail shows who used which credentials, and when.
Business Continuity Planning
Problem: An alternative data processing site is not in place in the event of a catastrophic event. Critical business systems may be offline for extended periods of time.
Recommendation: The business continuity plan should provide for an alternate location in the event of an outage. The plan should identify corporate procedures and controls to guide the recovery period.
User Administration
Problem: Some user administration processes have not been adequately implemented for certain applications.
Recommendation: Implement a policy-based solution that will formalize user administration processes and documentation. The solution should grant user access appropriately, terminate users' accounts in a timely manner, and formally review all users' system access rights. Consider limiting the number of users with a high level of system access.
what IT leaders need to know about sarbanes-oxley
There are a number of provisions within Sarbanes-Oxley that affect CIOs. Compliance with the law may mean that publicly traded companies could face some systems upgrades or renovations in order to meet the new requirements for more accurate, detailed and timely filings. Forewarned is forearmed, so here's a quick list of the big items:
- Faster Filing: The time to file quarterly reports has been reduced from 45 to 35 days after the end of a quarter. The deadline for annual reports has shrunk from 90 to 60 days after the end of a fiscal year. As a result, CIOs may have to build higher performance systems to meet the new need for speed.
- Data Diligence: Since the CEO and the CFO will be required to sign a legally binding document attesting to the accuracy of all financial filings, many companies are now closely scrutinizing their information systems to make sure that the data contained therein is perfect. The onus is on the CIO to keep that data irreproachable. Many are opting for strict access control and user activity tracking as a way to cover their bases.
- Rapid Reporting: Any significant events that could affect a company's quarterly financials now must be disclosed two days after the occurrence of the event. Companies must also disclose any company stock deals by corporate officers within 48 hours. Again, the CIO must make sure that the systems can handle the timeframe of these new regulations.
- Assumed Accountability: The CIO can probably expect to be signing off on the accuracy of the data contained within corporate financial systems. It's the trickle down effect in action—if the big guys have to sign, you can bet that they'll want all their subordinates on the hook, too.
Sarbanes-Oxley in a nutshell
The Sarbanes-Oxley Act was passed by Congress on July 25, 2002, and signed into law on July 30, 2002 by President Bush.
Named for Sen. Paul Sarbanes (D-Md.) and Rep. Michael Oxley (R-Ohio), the purpose of the Act is to protect investors by improving the accuracy and reliability of corporate financial statements and by establishing stiffer penalties for auditors, corporate officers, company directors and others who violate the Act.
CIO Magazine, in its January 15, 2003 issue, detailed some of the key elements of Sarbanes-Oxley with which IT leaders should be familiar—especially if they serve on any corporate boards of directors.
For more information about Sarbanes-Oxley, visit the SEC’s website of frequently asked questions at http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm
Novell Security and Identity solutions in a nutshell
Novell Security and Identity Solution includes directory, meta directory, provisioning and access management technologies. Find out more at http://www.novell.com/solutions/identityandaccess