Archive for January, 2008

Cost of Compliance

January 29, 2008

Deloitte’s Center for Banking Solutions published an interesting study on compliance based on a survey of 20 of the top 50 financial institutions in the U.S. As my friend Mark Macauley (his identity blog) has said to me many times, “compliance is a cost center”. Here are a few excerpts from the study that I doubt are unique to financial institutions…

  1. “As costs have risen, financial institutions appear to have responded more by applying people resources to monitor compliance versus technology resources to manage it.”
  2. “Only 10% of financial institutions reported that compliance information was always effective and 15% that it was always timely.”
  3. Compliance-related spending has jumped from 2.83% of net income in 2002 to 3.69% in 2006.
  4. Of compliance spending, 18% was for computing infrastructure (hardware, software, etc.) while 60% was for compensation (people, presumably).
  5. Overall, 95% of the respondents reported that their management and administrative employees were spending more time on compliance than before, with fully 40% saying that the time they devote to compliance has increased by 22% to 25%.

Ouch. Talk about an area of opportunity for improvement.


Context and Identity again…

January 26, 2008

When Dave Kearns makes a prediction you had better think about betting on it, or at least pay attention. From his 2008 predictions…

Risk management, which I lump under context-based access control (CBAC), will become very important in 2008.

Source: Risk management and access management come to the fore in ’08 – Network World

So that’s at least the second pundit using the word context in predictions. If I get his drift, Dave is predicting that risk awareness will become a key component in determining access. In other words, context drives smarter preventative controls. Can’t disagree with that.

I believe that risk awareness will also be a key component in determining audit requirements, proof-of-compliance requirements, monitoring requirements, etc. So context drives smarter detective controls and processes too. I think this will be particularly true given the recent Auditing Standard No. 5 guidance given to auditors, which encourages “auditors to use professional judgment in the 404 process, particularly in using risk assessment”.

Is Your IT Policy Working? IT Quality Assurance

January 17, 2008

This statement grabbed my attention this week. Mostly because it seemed to be concisely obvious (a good thing).

“You can generate all the policies that you want, but unless you have some kind of monitoring and enforcement mechanism, you don’t know if a policy is working or not,” says Bob Gorrie, information security project manager at USEC, a supplier of enriched uranium fuel for commercial nuclear power plants based in Bethesda, Md.

Source: Data loss start-ups sell out – Network World

Having spent more than a few years at Intel (read: manufacturing), I tend to look at IT processes through the lens of manufacturing practice, and the parallels are strong. In a manufacturing world you would never think of establishing a process without also establishing control limits and the tests that tell you whether you are operating within them. It would be a disaster for manufacturing to “run off the rails” and for you not to notice until large quantities of defective goods had been produced.

I think the same methodology (design the process, design the tests) is hugely beneficial to IT. Hooray for you (truly) if you are a practitioner of the “process determines results” school of thought in IT, and if you have great policies, broadly communicated, understood and practiced. But frankly, if you don’t have a way to routinely tell whether your policies and processes are working the way you intend, you’re missing IT Quality Control.

In the context of NetVision: if you have great role definition, automation and processes for granting rights and managing identities, but you don’t have an arm’s-length (read: independent, third-party) check on the actual state of the system and the effectiveness of your controls, you are probably missing the element you need to stay on track toward your desired goals and to improve.


Identity Provides Security Context

January 3, 2008

We were talking to Eric Norlin about 2008 trendspotting. Given NetVision’s core raison d’être, we see a growing groundswell toward what we are calling “context” (see Eric’s post). Eric expanded our definition, which is good. But let me clarify what we mean in our narrower definition for a second.

What we’re seeing is identity management monitoring (at least in a corporate context) being used as a stalking horse for achieving proof of compliance and risk management regarding the insider threat. As in: “I am required to demonstrate that I have control over admin rights so I need to monitor this group membership for all changes”, and other similar examples.

What we’re also observing is that providing such security (or evidence thereof) requires trawling through a lot of event data, often after the fact. As a result we’re seeing more and more customers asking us to link our risk assessment product with our change auditing product so that the search for risky behavior isn’t unguided. That’s what we mean by context. Instead of looking at the whole universe of data after the fact in order to document a conclusion, you target your data gathering at areas of risk and obvious policy violation in the first place.
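As an added illustration of the two ideas above, the risk-guided review of change events described here and the independent check on the actual state of the system from the “IT Quality Assurance” post, the following Python sketch is my own example and not NetVision code. It assumes a hypothetical risk policy (a short list of privileged groups with a risk level), constructed change-audit records and approval tickets, and constructed baseline and observed group memberships; none of these are real logs or real data. It first filters the change trail down to the events that touch a privileged group (guided review rather than unguided trawling), then replays the trail onto the baseline and compares the result with what the directory actually contains, so that a membership change the audit trail never captured still surfaces.

```python
"""Risk-guided triage of identity change events plus an independent
state-vs-baseline check.  Added example; hypothetical data throughout."""
from datetime import datetime

# Hypothetical risk policy: groups whose membership must be provably controlled.
PRIVILEGED_GROUPS = {
    "Domain Admins": "high",
    "Enterprise Admins": "high",
    "Backup Operators": "medium",
}

# Constructed change-audit records (not real log output).
CHANGE_EVENTS = [
    {"ts": "2008-01-03T08:12:00", "group": "Marketing",        "action": "add",    "member": "jdoe",           "actor": "hr-provisioning"},
    {"ts": "2008-01-03T09:40:00", "group": "Domain Admins",    "action": "add",    "member": "svc-backup",     "actor": "bsmith"},
    {"ts": "2008-01-03T22:05:00", "group": "Backup Operators", "action": "remove", "member": "old-admin",      "actor": "bsmith"},
    {"ts": "2008-01-04T03:15:00", "group": "Domain Admins",    "action": "add",    "member": "tmp-contractor", "actor": "bsmith"},
]

# Constructed approval tickets: the changes the process intended.
APPROVED = {("Domain Admins", "add", "svc-backup")}

# Constructed snapshots of group membership: the baseline the last review
# signed off on, and what the directory reports now.
BASELINE_STATE = {
    "Domain Admins": {"administrator", "bsmith"},
    "Backup Operators": {"old-admin", "backup-svc"},
}
OBSERVED_STATE = {
    "Domain Admins": {"administrator", "bsmith", "svc-backup", "tmp-contractor", "ghost-user"},
    "Backup Operators": {"backup-svc"},
}


def triage(events, approved, privileged):
    """Keep only events that touch a privileged group and annotate each with
    its risk level, whether an approval exists, and whether it happened
    outside a hypothetical 07:00-19:00 change window."""
    findings = []
    for e in events:
        level = privileged.get(e["group"])
        if level is None:
            continue  # not a group the policy cares about: skip, don't trawl
        hour = datetime.fromisoformat(e["ts"]).hour
        key = (e["group"], e["action"], e["member"])
        findings.append({
            **e,
            "risk": level,
            "approved": key in approved,
            "off_hours": hour < 7 or hour >= 19,
        })
    return findings


def expected_state(baseline, events):
    """Replay the audit trail onto the baseline: the state the system should
    be in if every change went through the monitored path."""
    state = {group: set(members) for group, members in baseline.items()}
    for e in events:
        if e["group"] not in state:
            continue
        if e["action"] == "add":
            state[e["group"]].add(e["member"])
        elif e["action"] == "remove":
            state[e["group"]].discard(e["member"])
    return state


def drift(expected, observed):
    """Members present or absent with no audited change to explain them.
    This is the arm's-length check: it does not trust the event stream."""
    report = {}
    for group, members in expected.items():
        now = observed.get(group, set())
        unexplained_present = now - members
        unexplained_absent = members - now
        if unexplained_present or unexplained_absent:
            report[group] = {
                "unexplained_present": unexplained_present,
                "unexplained_absent": unexplained_absent,
            }
    return report


if __name__ == "__main__":
    for f in triage(CHANGE_EVENTS, APPROVED, PRIVILEGED_GROUPS):
        flag = "OK " if f["approved"] and not f["off_hours"] else "REVIEW"
        print(f"{flag} {f['ts']} {f['group']}: {f['action']} {f['member']} by {f['actor']} (risk={f['risk']})")
    print("drift:", drift(expected_state(BASELINE_STATE, CHANGE_EVENTS), OBSERVED_STATE))
```

Of the four constructed events only three reach a reviewer, and only two of those need attention (unapproved, off-hours changes by the same actor). The drift check is what answers the false-negative worry: `ghost-user` sits in Domain Admins with no audited change behind it, so a review that trusted the event stream alone would never have seen it.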

I am no expert on the subject of listening in on the phone calls of the world to find evidence of a threat to national security. But I believe what we’re talking about is metaphorically equivalent to whatever the national government does in order to decide what to listen to.

The question we hope to answer is: “Can this be done without creating a false negative?” That is, without overlooking a breach of security or policy that doesn’t rise to the theoretical definition of risk. More on that later, but opine if you have an opinion.