
A Practical Approach to Achieving Continuous Compliance

For many businesses, the phenomenon of compliance began in the first year of Sarbanes-Oxley. Faced with a hard deadline, business leaders treated the challenge as if it were a one-off project. To clear the initial hurdle, they spent millions of dollars and booked countless hours of auditor, employee and consultant time. What was the result? Well, the audits were completed, and compliance was demonstrated to a minimum level of satisfaction.

On the flip side, however, the organization was left with scores of newly created, manual control processes that continued to sink untold hours of productivity.

It soon dawned on everyone that this first wave of regulatory mandates was not an isolated occurrence. This was now a fact of life. Sarbanes-Oxley was a harbinger of a steady flow of external and internal compliance requirements – HIPAA, PCI, GLBA, FFIEC and Basel II, among others.

Audits would be needed again shortly and compliance would have to be demonstrated once more. Those initial compliance efforts would need to make the leap from project to process.

That meant those budget expenditures that organizations had set aside for the ‘compliance project’ would also need to be made again and again, meaning that something had to be done about those stopgap manual processes that were draining productivity.

In order to compete in this new environment, businesses must achieve a state of ‘continuous compliance’, where audit and control activities are integrated with the right technology framework and tools to transform compliance measures into a repeatable business process that can be automated and optimized – a platform broad enough to capture the full scope of compliance activities, and flexible enough to adapt and change as those requirements change.

A Joined-up Approach to Identity Management

While each regulatory mandate and control framework defines its own requirements, they all seek to assign responsibility within business processes. Compliance is ultimately about responsibility, and that responsibility must be assigned to a person. As a result, identity management is the most logical place to start for many organizations.

A prevent, detect, and investigate (PDI) approach provides the business logic for automating and optimizing control activities in a way that integrates into existing processes. You can picture the situation in this way: on one side you have control activities, such as periodic reviews of user accounts, management access approval, and segregation of functional duties. Managers and auditors define these tasks as necessary to demonstrate fulfillment of the control objectives that satisfy compliance regulations.

On the other side, you have an IT control infrastructure – the servers, applications, systems, and tools you use to perform the control activities. PDI is an approach that links the control activities that demonstrate compliance with your existing IT control infrastructure to enable optimization and automation.

PDI accomplishes this by leveraging effective identity management to help you consistently and continuously answer three fundamental questions:

  • Who authorized what?
  • Who has access to what?
  • Who did what?

In short, PDI is about creating a sustainable, integrated approach that helps you prevent the potential compliance and regulatory conflicts you already know about, detect changes in your security and access environment that may compromise compliance, and investigate the activities that you previously did not know to prevent or detect.

This cycle allows you to build up a compliance infrastructure that evolves and continuously adapts to your constantly changing external regulatory requirements and internal organizational environments.

At each stage of the PDI cycle, there is an opportunity to take corrective action and enable continuous improvement. With PDI, you have not only the ability to report on identity-audit information but also the ability to transform this information into actionable correction opportunities.

These corrections are essential for your compliance efforts to evolve in step with a dynamic business environment. The integrated set of core identity management functionality, combined with a consistent workflow, enables you to use information obtained in investigative audits to update and improve your organization’s prevention and detection mechanisms.

Prevent: Who Authorized What?

One of the most difficult challenges of any compliance effort is preventing compliance issues from occurring in the first place, starting with the assignment or authorization of appropriate access rights.

In many organizations this process is fractured, spanning multiple departments and approvers, both technical and line-of-business. Too often, the result is a process marked by spotty documentation, questionable accuracy, and insufficient accountability.

The wasted time and resources consumed by such an error-prone manual process are reason enough to re-think this approach – let alone the fact that audit standards and regulatory requirements demand it.

So where to begin? As an organization, you can only prevent actions that are already within your understanding of security possibilities or compliance activity requirements. So ideally, the assignment of appropriate access rights should be performed by the party who best understands the nature of the work. In most cases, this is the business manager.

Consider the control activity for avoiding separation of duties conflicts. This control activity is central to many control and compliance frameworks.

At a basic level, there are some things that specific groups of employees should be able to access that others should not, to avoid conflicts of interest. A common case is the accounts receivable and accounts payable groups. As a business, you generally do not want someone that has the authority to both generate an invoice and cut a check to pay that invoice.

In some identity management solutions, the appropriate access rights to systems are automatically provisioned based on a new employee’s role and responsibilities within the organization, as determined by the business manager. The manager who decides which systems and access rights are assigned to a person in a particular role is thereby preventing a separation of duties conflict before it is provisioned.

Should such a conflict arise, an effective identity management solution should enable the manager to see the conflict and take corrective action, for example by automatically notifying the manager and allowing them to either approve the conflict, or reject the conflict and remove access to one or more systems.

All the while, the solution should be documenting every step, recording who made the authorizations, and generating audit trails that satisfy auditors and regulators.

Detect: Who Has Access to What?

Detection is aimed at catching the compliance issues that may arise as a result of insufficient control mechanisms for a specific change – such as a reorganization or change in roles – that are still within your organizational understanding of a particular framework.

In the separation of duties example, the accounts payable clerk was initially prevented from having access to accounts receivable systems. Later, that clerk may take a new position in accounts receivable. Without adequate control mechanisms to review access rights or detect the change of roles, the old accounts payable access is retained alongside the new accounts receivable rights, and the separation of duties conflict appears.

Once again, an effective identity management solution should automatically detect such conflicts and resolve them through a review cycle that identifies known issues.

Attestation and recertification of employees is another example that highlights the importance of effective detection. For Sarbanes-Oxley compliance, when a company’s CEO signs the annual financial statement certifying that he or she knows the information to be accurate, the CEO is implicitly stating that they know the right people had access to the right systems at the right time to prepare the report.

In any reasonably large organization, however, it is impossible for the CEO to have direct knowledge that every employee has appropriate access to the right systems. While the CEO may not be able to attest or certify that a particular accounts payable clerk’s access is correct, that clerk’s direct manager can, using an identity management solution.

For each member of his or her staff, the manager can easily re-certify the employee, revoke the employee’s rights, or forward the case to an appropriate administrator. The software should help automate the re-certification and the detection of policy violations. The evaluation of access rights should be delegated to the appropriate level and the workflow automated to optimize the control activity.

Each issue that is detected during re-certification or other review cycles presents an opportunity for correction, enabling the organization to improve its preventative policies and mechanisms to keep the problem from occurring in the same way again.

Investigate: Who Did What?

Even organizations with mature and comprehensive control frameworks will not be able to prevent, or even readily detect, all compliance issues. Some problems may be beyond the scope of normal control parameters, or may reflect a breach of control parameters that have been previously established.

In order to investigate effectively, the business must have an identity management infrastructure that accurately logs each approval, access and authorization. This documentation enables you to find out who did what.

Gathering adequate and relevant information about identity and access activity is a common problem faced by many organizations, particularly those in the health industry. Compliance with HIPAA regulations (among others) requires strictly controlled access to patient data.

With the PDI methodology supported by a good identity management infrastructure, you can precisely limit access to specific systems within predetermined timeframes, and more importantly, gather the information needed to monitor user activity and investigate it. The solution should enable you to practically perform user monitoring control activities while providing the access your employees need to do their jobs.

Problems discovered through investigation are clear opportunities for improving prevention and detection. Previously unanticipated actions or scenarios can now be guarded against by adjusting policies and establishing detection mechanisms that will discover similar problems during scheduled reviews.
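The three PDI questions described in the Prevent, Detect and Investigate sections above can be modelled in a few dozen lines. The following is an added illustration, not code from the article or from any particular identity management product: a minimal identity store with a separation of duties (SoD) policy, a provisioning request that is checked before access is granted (prevent), a sweep and recertification that catch a conflict introduced by an unchecked reorganisation (detect), and an audit-trail query that answers "who did what" (investigate). The role names, entitlement names, user names and the `ROLE_ENTITLEMENTS`/`SOD_POLICY` tables are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (assumption): which entitlements each business role carries.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"AP_ISSUE_PAYMENT"},
    "ar_clerk": {"AR_CREATE_INVOICE"},
    "auditor": {"LEDGER_READ"},
}

# Separation-of-duties policy: pairs of entitlements one person must never hold together.
# The invoice/payment pair is the article's own example of a conflict of interest.
SOD_POLICY = {frozenset({"AR_CREATE_INVOICE", "AP_ISSUE_PAYMENT"})}


@dataclass
class IdentityStore:
    roles: dict = field(default_factory=dict)   # user -> set of role names
    audit: list = field(default_factory=list)   # append-only trail: who did what, to whom, when

    def log(self, actor, action, subject, detail=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "subject": subject, "detail": detail})

    def entitlements(self, user):
        """Effective access of a user: the union of every role they currently hold."""
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.roles.get(user, set())))


def sod_conflicts(entitlements):
    """Return the policy pairs that are fully contained in one person's entitlement set."""
    return {pair for pair in SOD_POLICY if pair <= entitlements}


def request_role(store, approver, user, role, accept_conflict=False):
    """Prevent: evaluate the access that WOULD result before anything is provisioned.
    Returns 'granted', 'granted_with_exception' or 'rejected'; every decision is logged with its approver."""
    proposed = store.entitlements(user) | ROLE_ENTITLEMENTS[role]
    conflicts = sod_conflicts(proposed)
    if conflicts and not accept_conflict:
        store.log(approver, "role_rejected", user, f"{role}: SoD conflict")
        return "rejected"
    store.roles.setdefault(user, set()).add(role)
    outcome = "granted_with_exception" if conflicts else "granted"
    store.log(approver, outcome, user, role)
    return outcome


def legacy_provision(store, actor, user, role):
    """An uncontrolled path (e.g. a direct change during a reorganisation) that skips the SoD check.
    It still writes to the trail, which is what makes the later investigation possible."""
    store.roles.setdefault(user, set()).add(role)
    store.log(actor, "provisioned_unchecked", user, role)


def detect_conflicts(store):
    """Detect: periodic sweep of every user for SoD violations that slipped past prevention."""
    found = {}
    for user in store.roles:
        conflicts = sod_conflicts(store.entitlements(user))
        if conflicts:
            found[user] = conflicts
    return found


def recertify(store, manager, user, decision, revoke_role=None):
    """Manager's review step: 'certify', 'revoke' (removes one role) or 'forward' to an administrator.
    Returns the user's effective entitlements after the decision."""
    if decision == "revoke" and revoke_role is not None:
        store.roles.get(user, set()).discard(revoke_role)
    store.log(manager, f"recertify_{decision}", user, revoke_role or "")
    return store.entitlements(user)


def who_did_what(store, subject=None, actor=None, action=None):
    """Investigate: filter the audit trail by the account affected, the person acting, or the action."""
    return [e for e in store.audit
            if (subject is None or e["subject"] == subject)
            and (actor is None or e["actor"] == actor)
            and (action is None or e["action"].startswith(action))]


def run_scenario():
    """Walk one clerk through the PDI cycle; returns the intermediate results for inspection."""
    store = IdentityStore()
    first = request_role(store, "mgr.finance", "clerk.j", "ap_clerk")    # prevent: clean grant
    second = request_role(store, "mgr.finance", "clerk.j", "ar_clerk")   # prevent: blocked by SoD
    legacy_provision(store, "admin.k", "clerk.j", "ar_clerk")            # reorganisation bypasses the check
    found = detect_conflicts(store)                                       # detect: the conflict surfaces
    remaining = recertify(store, "mgr.finance", "clerk.j", "revoke", revoke_role="ap_clerk")
    trail = who_did_what(store, subject="clerk.j")                        # investigate: who did what
    return first, second, found, remaining, trail


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

The design point is that every path that changes access, including the uncontrolled one, writes to the same append-only trail: prevention answers "who authorized what" at decision time, the sweep answers "who has access to what" after the fact, and the trail is the only thing that can answer "who did what" once a conflict is found.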

Conclusion

In the end, your identity management solution – implemented around the PDI strategy – should enable you to not only prevent, detect, and investigate audit issues in a continuous and consistent manner, but transform static audit data into actionable, corrective opportunities, allowing your compliance infrastructure to evolve in tandem with your dynamic business environment.
