Increasing regulatory requirements demand enhanced security and information technology oversight. Regulators want to know not only where the sensitive data came from, but also who might have seen it or changed it. Today’s regulations look beyond financial data into the business processes. This expanded scope, and the attestation requirements that Sarbanes-Oxley levies on publicly traded firms, broadens the risk portfolio that enterprises and their security operations must manage.
The largest new area of risk concerns people. Specifically, the greatest exposure lies in attesting to the integrity of the systems that grant and track personnel access. Who had physical and computer access to financial data? Who granted them that access? When was it granted? When was it revoked, if ever?
The key question: How can CFOs, CSOs, CISOs, CIOs and auditors confidently attest that user entitlements accurately reflect their organization’s privacy and business policies if they cannot clearly see into the provisioning process itself?
Seeing’s believing
Simplifying attestation begins with an understanding of what is required (or reasonable) to establish confidence. Auditors establish whether reporting is accurate through several steps. They verify: