Archive for the ‘Identity Audit’ Category

Access Audit as a Service

December 4, 2008

NetVision announced our new Access Audit Managed Service offering today. After years (more than a decade, in fact) of providing software tool sets to our customers, we saw a distinct outcome in some customers. This outcome is fairly common to Enterprise Software overall. The problem outcome is under-utilization.

Frequently a compelling event such as an audit or a technology migration surfaced the need to measure something discrete. And tools were bought. And one of four outcomes occurred:

1) Successful deployment, value is realized as expected or more (yeah for everyone!)

2) Never deployed.  Shame on everyone – vendors hate this probably more than the buyer hates it.

3) Deployed and well used, but the champion left the company. No subsequent champion stepped into his/her shoes, so practices, methodology and value start a downhill slide.

4) Deployed but for a very narrow, unsatisfying purpose.  The bloom is off the value “rose” pretty quickly.

Thus our impetus for SIMON (it simply stands for Simple Monitoring).  Our goal is to be able to deliver best practice as an outcome rather than as a capability.  Some of our customers prefer the DIY (do-it-yourself) strategy – that’s fine with us too.  But for those who cannot dedicate a methodology champion or who recognize the problem but perhaps not the breadth of the solution that is available, SIMON delivers the entire methodology and service management so that the customer can just consume the result.


IT Audit – What is it?

February 18, 2008

If you search on “IT Audit” you will return pages and pages of relevant hits. I have no idea how many pages you have to go out before you hit the end of relevance but it’s more than I care to read. And here I am adding one more.

How can I sort out what I need to do about IT Auditing between what the audit firms, vendors, government (regulation), upper management, and Board compliance committee are telling me to do?

I spent just enough time as an internal auditor and an external auditor in my misspent youth to have yet another opinion to express and I’m going to use a couple posts to do it.

When it comes to IT Auditing, the value that should (in theory) be derived is that an uninterested party (not you) can attest with reasonable certainty that what you SAY you are doing is actually what you are doing. Those policies you say are protecting your mission critical information? They’re actually being implemented and followed (two separate tests there).

There’s a month’s worth of blog fodder there. But to close for today let’s drag out Rule #1 of IT Auditing. It is not possible to audit yourself. Unless you are the only person you need to satisfy with an audit.

By way of example, in Identity Management circles there is a tendency to call something an Identity Audit (IdA) tool if it creates a record of an activity executed by an Identity Management System (IdM). According to Rule #1, this would be a valid audit only if the IdA tool were completely independent of the IdM tool (not from the same vendor, for example) and its audit strategy (implementation and configuration) were controlled by a party independent of you. But most of these tools are not independent of the tool they audit and therefore are incapable of satisfying Rule #1 of Auditing. We could call them attestation tools (they attest to what was done), but they are not audit tools.

Context and Identity again…

January 26, 2008

When Dave Kearns makes a prediction you better think about betting on it or at least pay attention. From his 2008 predictions….

Risk management, which I lump under context-based access control (CBAC), will become very important in 2008.

Source: Risk management and access management come to the fore in ’08 – Network World

So that’s at least the second pundit using the word context in predictions. If I get his drift, Dave is predicting that risk awareness will become a key component to determining access. So context drives smarter preventative controls. Can’t disagree with that.

I believe that risk awareness will also be a key component in determining audit requirements, proof of compliance requirements, monitoring requirements, etc. So context drives smarter detective controls and processes too. I think this will be particularly true given the recent Audit Standard 5 guidance [for a full text treatment] given to auditors which encourages “auditors to use professional judgment in the 404 process, particularly in using risk assessment”.

Is compliance possible?

December 10, 2007

This excerpt from an article caught my eye this morning.

Compliance is hardly rocket science-or is it? Directives to use firewalls and change vendor-supplied default passwords are simply security best practices. But in other areas, merchants struggle to interpret the standards, haggling with auditors, consultants and sometimes the PCI Council itself over exactly how to protect cardholder data.

Source: Can mid-market merchants comply with PCI standards? – Network World

It’s referring to the difficulties faced, in particular, by mid-market companies in achieving PCI compliance, but the principles apply in other regulatory areas too. It’s a point I made in our whitepaper. The unfortunate reality is that unless there are very clear requirements defining “success”, many companies will spend unnecessary dollars trying to stay in front of an ill-defined process. My friend Matt Flynn (also from NetVision) has put some thought into at least one aspect of this problem, which he has published in his blog and on the NetVision site as a whitepaper on “Surviving an Identity Audit”.