Evolving Towards a Holistic Application GRC Program
At the turn of the century, when IT departments moved on from their many Y2K projects, on which private and public companies are estimated to have spent over $100 billion, it was back to business as usual, and companies started looking more closely at protecting their networks and systems. New tools and technologies were gaining incredible momentum. Soon after Y2K, in 2002, following several instances of fraud and collusion, the Sarbanes-Oxley Act (SOX) came into being, and the world of controls came under increased scrutiny. External and internal auditors began changing their audit approach, and important controls started being tested annually. The PCAOB, established in conjunction with SOX, created a standard to which auditors would be held accountable. Companies scrambled to define their internal control environments using frameworks such as COSO or COBIT, and companies and their auditors alike spent months deciding which controls should be considered key and which should not. Concepts like Test of Design (TOD) and Test of Operating Effectiveness (TOE) became key elements of auditors' testing. One thing that never really changed with the coming and passing of Y2K or the advent of SOX was the importance of access controls, or of maintaining the confidentiality, integrity and availability of an organization’s data. Yet in this period of technology growth, some have argued that security programs have become less focused and even fractured. The growing reliance on systems and technology operations has become overwhelming for many organizations. While the testing of controls was being strengthened and security organizations scurried to respond, point solutions arose that were aimed at fixing symptoms of problems that were much more systemic in nature.
POINT SOLUTIONS
Imagine you have 20 different applications in scope for SOX, each administered by different people, all of whom have their own processes for making sure the business doesn’t shut down because of them. It was, and continues to be, a very typical situation. Auditors demanded strong controls around access to the applications, as well as to the servers and databases that supported them. Many of the existing controls were manual, and there was a large push to automate wherever possible. As previously mentioned, this resulted in point solutions for different applications and supporting systems. There was no focus, no strategy, no governance and no coherent program. Strangely, not much has changed. Access governance and data governance strategies continue to treat symptoms with various band-aids or technologies that solve only one or two problems, instead of implementing enterprise programs that treat the problems systemically, as a whole. Several regulatory compliance initiatives around the world now prescribe solutions for specific, distinct types of data, such as payment card information, personal data, or health data. However, companies continue to fail to come up with a mature, systemic solution. Point solutions are prescribed to protect access to certain systems, or to control who might have access to sensitive data in others, yet these point systems can seldom be integrated or offer the same level of governance across the enterprise. This is especially true with the increased adoption of cloud, mobile, and big data technologies. An organization’s most critical applications are crossing organizational boundaries, and security teams are grappling to understand where sensitive data exists, who might have access to it, and what they might be doing with it.
AN INTEGRATED, HOLISTIC SOLUTION
Companies need to embrace an integrated, holistic solution, one that can be applied universally across the enterprise: something that provides insight into the overall ecosystem so that companies can find gaps in their security and compliance profile, regardless of the security model used by a given application. Because security models vary so much among applications and platforms, getting insight into your infrastructure as a single entity is critical and has never been more important. These are some of the critical components that should be included in an effective governance program:
- Identity Lifecycle Management – The ability to collectively assimilate requirements in handling identity lifecycle events, access requests, and exception scenarios for all applications and systems across the enterprise and in the cloud.
- Continuous Compliance and Proactive Security – The ability to proactively apply controls that prevent security violations from happening or alert the organization when they may have potentially occurred.
- Data Governance programs – The ability to take what information an organization has defined as critical to their organization and to apply controls upon that information across the enterprise systematically.
- Access Governance – The ability to apply access controls across all applications and systems across the enterprise and to understand segregation of duties and sensitive access as it applies not to just one application, but across all key systems and applications. These applications and systems are integrated. Shouldn’t the solution being applied to monitor access be integrated too?
- Privileged Access Management – The ability to systematically apply controls around privileged access or emergency, “break-glass” procedures, as well as the ability to provide insight into what was performed while the privileged access was being utilized.
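The Access Governance item above makes the case that segregation-of-duties (SoD) conflicts only become visible once entitlements from all key systems are viewed together, and the Privileged Access Management item depends on the same aggregated view to know who holds sensitive administrative access. The script below is an added example, not code from the original article or any product it describes: it merges per-application entitlement exports into one view per identity, evaluates SoD rules whose two sides live in different applications, and lists holders of sensitive entitlements. The application names, entitlement names, identities and rules are constructed sample data; the point it illustrates is that the same rules, run one application at a time the way a point solution would, find nothing.

```python
"""Cross-application access review: aggregate per-application entitlement
exports into one view per identity, then evaluate segregation-of-duties (SoD)
and sensitive-access rules across that combined view.

Added example; not code from the original article. Application names,
entitlement names, identities and rules are constructed sample data.
"""
from collections import defaultdict

# Constructed sample exports, one list per application, in the shape a
# point-solution review sees them: each application knows only its own grants.
APP_EXPORTS = {
    "ERP": [
        ("alice", "AP_CREATE_VENDOR"),
        ("bob", "AP_APPROVE_PAYMENT"),
        ("carol", "GL_POST_JOURNAL"),
    ],
    "BANKING_PORTAL": [
        ("alice", "WIRE_RELEASE"),
        ("dave", "WIRE_RELEASE"),
    ],
    "DB_ADMIN": [
        ("carol", "ERP_DB_SYSADMIN"),
        ("erin", "ERP_DB_SYSADMIN"),
    ],
}

# SoD rules are pairs of (application, entitlement). A rule fires when one
# identity holds both sides, regardless of which application grants each.
SOD_RULES = [
    ("vendor-then-pay", ("ERP", "AP_CREATE_VENDOR"), ("BANKING_PORTAL", "WIRE_RELEASE")),
    ("post-and-alter-ledger", ("ERP", "GL_POST_JOURNAL"), ("DB_ADMIN", "ERP_DB_SYSADMIN")),
]

# Sensitive entitlements that warrant their own periodic certification.
SENSITIVE = {("DB_ADMIN", "ERP_DB_SYSADMIN"), ("BANKING_PORTAL", "WIRE_RELEASE")}


def aggregate(exports):
    """Return {identity: {(app, entitlement), ...}} across all applications."""
    view = defaultdict(set)
    for app, rows in exports.items():
        for identity, entitlement in rows:
            view[identity].add((app, entitlement))
    return dict(view)


def sod_violations(view, rules):
    """Return sorted (identity, rule_name) pairs where both rule sides are held."""
    found = []
    for identity, held in view.items():
        for name, left, right in rules:
            if left in held and right in held:
                found.append((identity, name))
    return sorted(found)


def per_app_sod_violations(exports, rules):
    """Run the same rules one application at a time (the point-solution view).
    Only rules whose two sides live in the same application can ever fire."""
    found = []
    for app, rows in exports.items():
        held_by = defaultdict(set)
        for identity, entitlement in rows:
            held_by[identity].add((app, entitlement))
        found.extend(sod_violations(held_by, rules))
    return sorted(found)


def sensitive_holders(view, sensitive):
    """Return {(app, entitlement): [identities]} for each sensitive entitlement held."""
    holders = defaultdict(list)
    for identity, held in view.items():
        for item in held & sensitive:
            holders[item].append(identity)
    return {item: sorted(ids) for item, ids in holders.items()}


if __name__ == "__main__":
    combined = aggregate(APP_EXPORTS)
    print("SoD violations, per-application review:", per_app_sod_violations(APP_EXPORTS, SOD_RULES))
    print("SoD violations, enterprise-wide review:", sod_violations(combined, SOD_RULES))
    for item, ids in sensitive_holders(combined, SENSITIVE).items():
        print("Sensitive access", item, "held by", ", ".join(ids))
```

On the sample data the per-application pass reports no conflicts, while the enterprise-wide pass flags alice (can create a vendor in the ERP and release wires in the banking portal) and carol (posts journals and also holds sysadmin on the ERP database). The sensitive-access listing is the input a privileged access review or break-glass policy would start from.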