Now that we are a little more than halfway through the calendar year, many organizations are already underway with or are about to undertake a midyear audit of access rights and general cybersecurity controls. The data that an IT team will need to gather varies from organization to organization come audit time, and can also depend on a variety of organizational factors, including:
- The type of business (manufacturing, financial services, energy, etc.)
- The size of the organization (number of employees, publicly traded or not, etc.)
- Where the business is located
- Where customers are located
- Where data centers are located (whether in the cloud or on-premises) and the physical location where data is processed and stored
Some examples of specific legislation based on the above criteria are as follows. Certain organizations like hospitals are, of course, faced with meeting the Health Insurance Portability and Accountability Act (HIPAA), while financial services companies in the US must adhere to the Gramm-Leach-Bliley Act to protect confidential data. Sarbanes-Oxley (SOX) is legislation enacted to fight financial fraud at publicly traded companies. Landmark legislation like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) affects businesses that operate in Europe or California, respectively, as well as any business that has a European or Californian clientele. There are also audits like SOC 2 that help cloud vendors demonstrate the security controls they use to protect customer data in the cloud. There are of course many more, which you can read up about in our post from February – A Brief History of Compliance, but the one constant is the feeling of dread whenever an audit is approaching or underway.
Before figuring out the technicalities of how to meet an audit, consider first that, in order to meet audit and/or compliance requirements, the organization should understand the following concepts. Many of them can be put into practice by implementing an Identity Governance and Administration (IGA) solution:
- Implementing roles. This means defining and documenting distinct roles and responsibilities for each user group in the organization. This includes full-time employees, IT administrators, third-party contractors, data processors, and more, and creating roles and contexts based on their job function, employment status, location, seniority, or otherwise. Organizations can implement role and access management to help standardize core processes for authorization management, granting and approval of access rights, and assigning entitlements based on someone’s assigned role. Implementing roles also means continually certifying and validating that access controls are current, based on conducting access surveys, something that is likely to emerge in an audit. Oftentimes, organizations will have to demonstrate that the right people have access to the right resources, for the right reasons, which leads us to our next point.
- Enforcing least privilege. This is a broad term that gets thrown around for a lot of things, but within the context of an audit, the auditor will likely need to see proof that only certain people have access to the information they need to do their jobs, particularly with sensitive data like personally identifiable information (PII), health care records, and credit card information. To do this, setting up roles is a helpful start, but ensuring that access rights are properly assigned as people join, move within, and leave the organization is also critical. Consider a retail organization where IT team members are temporarily assigned to manage and process customer data as orders are made at holiday time. It can be a productivity hindrance if they must wait several days to get access to these types of internal applications, but it can also be a security hole if that access lingers after they return to their normal job. Auditors will likely require proof that people only have the minimum levels of access they need to do their jobs effectively, with documented justifications for anything that does not fit the standard.
- Separation of duties. This typically aligns with a SOX audit, but Separation of Duties (SoD) refers to the concept that no user should be given enough privileges to misuse the system on their own, without checks and balances. This is enforced by defining potentially toxic combinations of access (e.g. a person in accounts payable also being responsible for accounts receivable, and vice versa), or by enforcing the control in real time when access is requested. Being able to detect and resolve violations and conflicts as they happen can be the difference between a security incident and tranquility, and between passing an audit and failing it. Auditors will likely ask for proof that people do not have conflicting levels of access, as well as proof that there are policies in place to ensure that toxic combinations are not granted when basic access requests are reviewed.
- Data logs. Auditors will typically need evidence of well-defined user roles, responsibilities, and policies. They will also sometimes need records of who has requested access to what, for what reasons, and who reviewed those access requests. Such records reduce risk by shining a light on existing compliance issues, violations, and irregularities, and on how they were subsequently dealt with. These data logs should also serve to identify applications, systems, and data that are subject to specific regulations, for example by applying a PCI tag to any credit card information that is processed as part of normal business.
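To make the four concepts above concrete, here is an added example that is not from the original post and not the code of any IGA product. It models each access grant with the audit trail an auditor asks for (requester, approver, reason, grant and expiry dates), then runs three checks over a constructed set of grants for a fictional retail company: a detective and a preventive Separation of Duties check against a list of toxic role combinations, a least-privilege check for time-boxed access that has lingered past its expiry (the holiday-helper case from the text), and a check for requests approved by the requester. All role names, user names and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed policy: role pairs no single user may hold at once. The role
# names are hypothetical and mirror the accounts-payable / accounts-receivable
# example given in the text.
TOXIC_COMBINATIONS: List[FrozenSet[str]] = [
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"vendor_create", "payment_approve"}),
]


@dataclass(frozen=True)
class Assignment:
    """One granted entitlement together with the trail an auditor asks for:
    who asked, who approved, why, and when it was granted and expires."""
    user: str
    role: str
    requested_by: str
    approved_by: str
    reason: str
    granted: date
    expires: Optional[date] = None  # None means a standing (permanent) grant


def roles_by_user(assignments: List[Assignment]) -> Dict[str, FrozenSet[str]]:
    """Collapse the assignment list into each user's current role set."""
    roles: Dict[str, set] = {}
    for a in assignments:
        roles.setdefault(a.user, set()).add(a.role)
    return {user: frozenset(r) for user, r in roles.items()}


def sod_violations(assignments: List[Assignment]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Detective SoD control: users who already hold a toxic combination."""
    found = []
    for user, roles in sorted(roles_by_user(assignments).items()):
        for combo in TOXIC_COMBINATIONS:
            if combo <= roles:
                found.append((user, tuple(sorted(combo))))
    return found


def would_create_conflict(assignments: List[Assignment], user: str, new_role: str) -> bool:
    """Preventive SoD control: run this before approving an access request."""
    candidate = roles_by_user(assignments).get(user, frozenset()) | {new_role}
    return any(combo <= candidate for combo in TOXIC_COMBINATIONS)


def lingering_access(assignments: List[Assignment], today: date) -> List[Assignment]:
    """Least privilege: time-boxed grants whose expiry has passed but which
    are still present (the temporary holiday helper who kept access)."""
    return [a for a in assignments if a.expires is not None and a.expires < today]


def self_approved(assignments: List[Assignment]) -> List[Assignment]:
    """Requests approved by the same person who made them: no second pair of eyes."""
    return [a for a in assignments if a.requested_by == a.approved_by]


def audit_report(assignments: List[Assignment], today: date) -> Dict[str, list]:
    """The evidence bundle: every finding is traceable to a logged assignment."""
    return {
        "sod_violations": sod_violations(assignments),
        "lingering_access": [(a.user, a.role, a.expires.isoformat())
                             for a in lingering_access(assignments, today)],
        "self_approved": [(a.user, a.role, a.approved_by) for a in self_approved(assignments)],
    }


# Constructed sample data: a handful of grants for a fictional retail company.
SAMPLE_ASSIGNMENTS: List[Assignment] = [
    Assignment("alice", "accounts_payable", "alice", "finance_director", "AP clerk", date(2023, 3, 1)),
    Assignment("alice", "accounts_receivable", "alice", "finance_director", "covering AR vacancy", date(2024, 2, 12)),
    Assignment("bob", "helpdesk", "it_manager", "it_director", "standard IT role", date(2022, 6, 1)),
    Assignment("bob", "order_processing", "it_manager", "retail_ops", "holiday order surge", date(2023, 11, 15), date(2024, 1, 10)),
    Assignment("carol", "vendor_create", "carol", "carol", "procurement onboarding", date(2024, 5, 3)),
    Assignment("dave", "payment_approve", "dave", "finance_director", "treasury sign-off", date(2024, 1, 20)),
]

# Constructed audit date: a midyear review.
AUDIT_DATE = date(2024, 7, 1)

if __name__ == "__main__":
    for section, findings in audit_report(SAMPLE_ASSIGNMENTS, AUDIT_DATE).items():
        print(f"{section}: {findings}")
```

On the sample data the report flags alice (holds both sides of the accounts-payable / accounts-receivable pair), bob's expired holiday grant, and carol's self-approved vendor_create role; the preventive check would also refuse a vendor_create request for dave because he already holds payment_approve. The point of keeping requester, approver and reason on every grant is that each finding can be answered with a record rather than a recollection.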
The other complicating factor in any audit is allocating the right people to help meet the requirements and making sure that there is enough time to gather all of the data needed. Knowing in advance what questions an audit will ask gives a head start on gathering data about things like:
- If people have switched jobs; particularly those with privileged access
- New access policies or procedures
- Access that was granted for one-off projects, and why
- How long certain types of customer data are being stored locally
- Who is responsible for granting certain types of access
Having an IGA solution that can automatically keep records of who has access to what, and why, as well as keeping order for the governance of customer data and records can be an immense time saver in meeting audits, whenever they may happen. For more information, check out this eBook on how IGA helps organizations meet various compliance measures.