Thursday, February 07, 2008

Entitlement management

Entitlement management matters not only for your security posture but also for your compliance efforts under SOX and PCI.

The problem with entitlement management is, of course, knowing who has access to what. You probably know who, unless you have too broad an access policy on your information. How would you know whether your access is too broad? You need to scan for large user groups and global groups. These groups should not be allowed access to sensitive and highly sensitive information. Do you know every instance of sensitive and highly sensitive information within your organization? You can of course use DLP to scan for these information types. The problem is that DLP solutions do not map back to who had access, and when.

With these questions and problems, what are you to do?

First, scan all your information and identify where you have highly sensitive and sensitive information.

Once this has been identified, you need to keep a persistent classification of the information, so a classification solution must be deployed and implemented.

Once the classification has been applied, you need to ensure that large groups and global groups do not have access to this information.

For information where you need to validate that users who should have access do have access, and users who should not have access do not, the custodians of the sensitive information are required to validate the users who have access. By forcing the validation at the lowest level possible, you can effectively address the biggest problem in organizations today, which is entitlement creep. Entitlement creep happens when employees move from one job to another, or a job changes over time, and access needs change with it. Most often, when this happens, the employee gets access to the new areas needed for the job, but the old entitlements are not removed. By clearly assigning custodianship at as low a level as possible, this can be taken care of, provided the custodians are reminded periodically to validate who should have access and are aware that they are also audited against their accountability.
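As an added example (not part of the original post), the following Python script applies the steps above to a constructed inventory: it flags sensitive and highly sensitive resources whose ACL includes a well-known global group or a group larger than an assumed policy threshold, and builds the per-custodian list used for periodic validation. All resource paths, group names, member counts and custodians are constructed for illustration.

```python
# Added example: detect broad-group access to classified data and build the
# custodian review list. All data below is constructed, not from a real system.
from collections import defaultdict

# Constructed inventory: classification from the scan, ACL groups, custodian.
RESOURCES = [
    {"path": "/shares/finance/sox", "class": "highly sensitive",
     "groups": ["Finance-Controllers", "Domain Users"], "custodian": "cfo"},
    {"path": "/shares/hr/payroll", "class": "sensitive",
     "groups": ["HR-Payroll"], "custodian": "hr-lead"},
    {"path": "/shares/public/marketing", "class": "public",
     "groups": ["Everyone"], "custodian": "mkt-lead"},
    {"path": "/shares/cards/pci", "class": "highly sensitive",
     "groups": ["Card-Ops", "All-Staff"], "custodian": "pci-owner"},
]
# Constructed directory data: member count per group.
GROUP_SIZES = {"Finance-Controllers": 6, "Domain Users": 4200, "HR-Payroll": 4,
               "Everyone": 4200, "Card-Ops": 9, "All-Staff": 4100}
# Principals that are global by definition, whatever their member count.
GLOBAL_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
SENSITIVE = {"sensitive", "highly sensitive"}

def is_broad(group, sizes, max_members=50):
    """A group is too broad if it is a global group or exceeds max_members
    (the threshold is an assumed policy value, not from the post)."""
    return group in GLOBAL_GROUPS or sizes.get(group, 0) > max_members

def find_violations(resources, sizes, max_members=50):
    """Return {path: [broad groups]} for classified resources exposed to them."""
    out = {}
    for r in resources:
        if r["class"] not in SENSITIVE:
            continue  # public data: broad access is acceptable
        broad = [g for g in r["groups"] if is_broad(g, sizes, max_members)]
        if broad:
            out[r["path"]] = broad
    return out

def custodian_review_list(resources):
    """Group classified resources by custodian for periodic attestation."""
    review = defaultdict(list)
    for r in resources:
        if r["class"] in SENSITIVE:
            review[r["custodian"]].append((r["path"], sorted(r["groups"])))
    return dict(review)

if __name__ == "__main__":
    for path, groups in find_violations(RESOURCES, GROUP_SIZES).items():
        print(f"REMEDIATE {path}: broad groups {groups}")
    for owner, items in custodian_review_list(RESOURCES).items():
        print(f"ATTEST {owner}: {items}")
```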

In other words, the full solution is to map your scanning of sensitive information to your identity management systems, together with a classification and remediation solution.
