ID SYSTEMS: Compliance. That Risky, Dirty Word

By William S. Malik, CISA
April 2, 2006
Increasing regulatory requirements demand enhanced security and information technology oversight. Regulators want to know not only where the sensitive data came from, but also who might have seen it or changed it. Today’s regulations look beyond financial data into the business processes. This expanded scope, and the attestation requirements that Sarbanes-Oxley levies on publicly traded firms, broadens the risk portfolio that enterprises and their security operations must manage.

The largest new area of risk concerns people. Specifically, the greatest exposure resides in attesting to the integrity of the personnel systems. Who had physical and computer access to financial data? Who granted them that access? When was it granted? When was it revoked, if ever?

The key question: How can CFOs, CSOs, CISOs, CIOs and auditors confidently attest that user entitlements accurately reflect their organization’s privacy and business policies if they cannot clearly see into the provisioning process itself?

Seeing’s believing

Simplifying attestation begins with an understanding of what is required (or reasonable) to establish confidence. To verify that reporting is accurate, auditors examine:

  • The sources of the data
  • The path that information follows
  • Which personnel are involved in those systems
  • The business processes by which those individuals are granted physical and computer access
  • The oversight and security measures in place that govern granting access
  • The process of denying access (i.e., is access actually denied or removed? Who is notified?)
  • How access is removed when no longer appropriate

To perform this verification, the auditor needs to see the business process itself. Identity management solutions automate the provisioning of user entitlements to IT and other resources. If an executive or auditor is to be able to confidently attest that entitlements to critical systems have been provisioned appropriately, the system must provide full and intuitive visibility into provisioning processes. Two product requirements in particular will determine the solution’s ability to enable simple and confident attestation.

The Best Advice

Fully research competing offerings before buying identification, physical access and IT security solutions. What is the underlying architectural model? How much extra effort and cost is an audit capability? Does the solution force a static view of all identity data across all systems, or can it integrate with a dynamic operational environment?

Is a unitary, cohesive, holistic architecture underlying all functions within the suite? Once a system is provisioned, are all its provisioning actions auditable?

An efficient identity management system will allow senior leadership and the auditor to understand and rely on its functioning. As enterprises and their chief security officers realize benefits of transparency and clarity that effective identity management systems offer, deployments will move beyond those systems directly concerned with compliance to the wider infrastructure. A well-designed identity management system will be ready and able to take on that greater responsibility.

Programming-free workflow creation. User entitlement instructions are executed within identity management objects called “workflows.” Avoid solutions that require access and entitlements to be programmed into workflows. With such solutions, auditors must work with consultants to decipher the program’s intent and outcome, resulting in significant delays, increased risk, reduced confidence and greater cost.

Programming-free workflows are robust. They enable the entire provisioning process to be visually illustrated end-to-end, and implemented using graphical tools without resorting to any programming or scripting. The result is a self-documenting provisioning process that can be easily and quickly validated.

Immediate and centralized logging of identity-related events. Unfortunately, nearly all identity management offerings today result from the acquisition of generations of diverse products, each with its own unique underlying architecture, data structures, scripting and programming environments.

Audit trail challenges

The largest problem from an audit and compliance perspective lies in the logging (or absence of logging) of each acquired component. Disparate or absent log data creates uncertainty and risk for an organization because no amount of testing can prove that the system is functioning correctly. For example, even where audit records exist, the auditor must attempt to correlate disparate log entries with provisioning requests as they proceed through the system. This makes the auditor’s job complex, risky, error-prone and costly.

The only resolution is architectural integration, something not possible with pre-2005 solutions. Organizations should only consider security and IT solutions whose integration results from a unitary, cohesive, holistic architecture underlying all functions, in which any and all identity-related events can be centrally recorded in real time. This enables comprehensive audit as a core capability, not as an expensive add-on product, and provides the clarity auditors need.
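The following Python script is an added illustration, not part of Malik’s column or any vendor’s product, of what a centrally recorded identity event log makes possible. It replays a small, constructed provisioning log (the pipe-delimited record layout, the event names request/approve/grant/revoke/terminate, and every user, resource and request ID are assumptions made for this example) and answers the auditor’s questions from earlier in the article: who had access to a financial resource, who approved and granted it, when it was granted, and when, if ever, it was revoked. It also surfaces the two findings an auditor would most want flagged: a grant with no approval on record, and an entitlement still active after the holder’s termination.

```python
"""Reconstruct an entitlement audit trail from one centralized identity event log.

Added example; the log format and all sample data below are constructed
assumptions, not the output of any real identity management product.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log. Each line: request_id|timestamp|event|subject|resource|actor
# 'subject' is the person whose entitlement is affected; 'actor' is who acted.
SAMPLE_LOG = """
REQ-1001|2006-01-09T09:12:00|request|alice|GL-ledger|alice
REQ-1001|2006-01-09T10:05:00|approve|alice|GL-ledger|cfo.bob
REQ-1001|2006-01-09T10:06:00|grant|alice|GL-ledger|idm-svc
REQ-1002|2006-01-16T14:30:00|request|carol|GL-ledger|carol
REQ-1002|2006-01-16T14:31:00|grant|carol|GL-ledger|admin.dave
REQ-1003|2006-02-01T08:00:00|revoke|alice|GL-ledger|idm-svc
HR-77|2006-02-15T17:00:00|terminate|carol|-|hr-system
""".strip()


@dataclass
class Event:
    request_id: str
    ts: datetime
    kind: str        # request | approve | grant | revoke | terminate
    subject: str
    resource: str    # '-' when the event is not tied to a resource
    actor: str


@dataclass
class Entitlement:
    subject: str
    resource: str
    request_id: str
    granted_at: datetime
    granted_by: str
    approved_by: Optional[str] = None   # None means no approval record was found
    revoked_at: Optional[datetime] = None  # None means still active


def parse_events(lines):
    """Parse log lines into Event records, ordered by timestamp."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rid, ts, kind, subject, resource, actor = line.split("|")
        events.append(Event(rid, datetime.fromisoformat(ts), kind, subject, resource, actor))
    return sorted(events, key=lambda e: e.ts)


def build_history(events):
    """Correlate approve/grant/revoke events by request ID and (subject, resource)."""
    approvals = {}          # request_id -> approver
    active = {}             # (subject, resource) -> open Entitlement
    history = []
    for e in events:
        if e.kind == "approve":
            approvals[e.request_id] = e.actor
        elif e.kind == "grant":
            ent = Entitlement(e.subject, e.resource, e.request_id, e.ts, e.actor,
                              approvals.get(e.request_id))
            history.append(ent)
            active[(e.subject, e.resource)] = ent
        elif e.kind == "revoke":
            ent = active.pop((e.subject, e.resource), None)
            if ent is not None:
                ent.revoked_at = e.ts
    return history


def holders_of(history, resource):
    """Who had access, who granted and approved it, and when it was granted/revoked."""
    return [(ent.subject, ent.granted_by, ent.approved_by, ent.granted_at, ent.revoked_at)
            for ent in history if ent.resource == resource]


def audit_findings(events, history):
    """Flag grants without an approval record and access outstanding after termination."""
    findings = []
    for ent in history:
        if ent.approved_by is None:
            findings.append(f"{ent.request_id}: {ent.subject} granted {ent.resource} "
                            f"by {ent.granted_by} with no approval on record")
    terminations = {e.subject: e.ts for e in events if e.kind == "terminate"}
    for ent in history:
        term = terminations.get(ent.subject)
        if term is not None and (ent.revoked_at is None or ent.revoked_at > term):
            findings.append(f"{ent.subject}: {ent.resource} still active after "
                            f"termination on {term.date()}")
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    hist = build_history(evs)
    for row in holders_of(hist, "GL-ledger"):
        print(row)
    for finding in audit_findings(evs, hist):
        print("FINDING:", finding)
```

The correlation key is the request ID carried on every record, which is exactly what disparate per-product logs tend to lack; without it, the approval and the grant for REQ-1001 could not be tied together and the unapproved grant in REQ-1002 would be indistinguishable from a merely mislogged one.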

William S. Malik, CISA, is a Fischer International Corporate Advisor. He can be reached at wjm@malikconsulting.net.