Thursday, December 30, 2010

Terminated Employees Retaining Access to Sensitive Data?
Why it is so Prevalent and How to Really Fix it.

The media is full of stories about ex-employees who accessed their former company’s computers after they had been terminated.

Some former employees steal patient or customer data to commit identity theft. Others steal customer lists or intellectual property. A few attempt to blackmail or publicly embarrass their former employer.

Customers are Angry
The comments posted in response to these reports are sobering. Members of the general public are livid when the data theft involves customer/patient data and they feel they could have been victimized.

Many incorrectly demand action against the company’s IT security management. A common mistaken analogy is “I had to turn in my office key when I left my last company, how hard can it be to revoke an employee’s access”.

Knowing is the Hardest Part
Unfortunately, knowing an employee’s access should be revoked is the hard part. Every IT Security organization I have known can quickly revoke employee access but they are at the mercy of the managers who must request the access be revoked. It is the human element that is repeatedly the weakest link in the chain.

Terminated but Still on Payroll
I was told about an employee who was escorted to the door with no advance notice of their termination. But IT was not notified until 6 months later. Why? Because the ex-employee's severance agreement included 6 months' salary, so he remained on the payroll and HR systems as an active employee until his severance agreement ended. (And no, I won't tell you what this angry employee did during those 6 months.)

Manager Mistakes – “I Forgot”
I have been told many variations on the story “the manager did not report the terminated employee to HR for weeks after the last day”. Often managers were busy and knew they gave the employee 2 or more weeks of severance so the manager did not worry about informing HR until it was time for the paychecks to stop.

Other times the manager wanted continued access to the ex-employee’s accounts to help in a transition. A few times the manager had malicious intent of misusing the ex-employees access. (See this blog posting)

Employee ID Baked into Critical Application
There have been other instances where turning off the access for an ex-employee would break an important application because the employee had baked his or her user id into the code to do the data retrieval or update. (And this is not just IT staff but other departments that had hacked their own data access.)

IAM and SSO are Important but Do Not Solve the Problem
Implementing a provisioning system (IAM/IdM) or single sign-on (SSO), or cracking down on managers who do not follow policy, is not a comprehensive solution. All such preventive controls can be subverted for innocent or malicious reasons. The key is to have an automated detective control that finds terminated users and their unrevoked rights, so IT is NOT wholly dependent on people and process.

Automatically Discover Unrevoked Access of Terminated Users
Veriphyr is an analytics service that discovers unrevoked access of terminated users on mainframe, midrange, Linux/Unix, and Windows systems.

Every user has an activity profile based on their unique pattern of usage. Veriphyr can differentiate between the activity patterns of current employees versus terminated employees, even terminated employees who continue to access sensitive systems. Veriphyr can even differentiate between full-time employees and those on vacation, or contractor accounts between projects.
Learn how Veriphyr Identity and Access Intelligence service effectively prevents or quickly detects patient data loss or theft, even "snooping" by terminated employees.


Wednesday, December 15, 2010

Terminated Nurse Breaches Privacy Rule by Accessing Electronic Health Records (EHR) of Former Patients

Yet another terminated employee was caught accessing their former employer's sensitive data.

"Macon police are investigating a former employee of Coliseum Hospital accused of entering a secure area and accessing patient information" (a)

Investigators believe the former employee was at the hospital for a nurse’s birthday party when she logged into the hospital’s computers.

Privacy Software Does Not Know "Terminated"

Unfortunately traditional patient privacy audit ("snooping") software cannot recognize access by a terminated employee as inappropriate if the employee still has his or her access codes. This is because traditional "snooping" products have no ability to differentiate between a terminated employee and a current employee.

Traditional privacy surveillance solutions would see access by a terminated employee as normal if the terminated employee was accessing patient records similar to those he or she dealt with while employed.

It is not sufficient for privacy breach detection products to audit for inappropriate patient record activity. Protecting patient privacy requires solutions that understand both activity and identity.

Fortunately there is a new breed of identity and access intelligence services that can identify terminated employees based on their on-line behavior, even if the employee's access rights were not completely turned off when they were terminated.

"the former employee, who still had her access code, entered a secured area and logged into the hospital’s computer records, allegedly accessing patient information." - Macon.com, November 20, 2010 (a)

Learn how Veriphyr Identity and Access Intelligence service effectively prevents or quickly detects patient data loss or theft, even "snooping" by terminated employees.

Sources:
(a) "Ex-Macon hospital worker accused of accessing patient information" macon.com

Saturday, November 20, 2010

Patient Data Lost More than Once a Year at 60% of Healthcare Organizations - Ponemon Institute Study


Healthcare organizations reported an average of 2.4 data breaches over the past 2 years according to a new study by the Ponemon Institute.

The resulting financial losses, including fines, legal fees, and loss of revenue, are estimated at approximately $2 million per organization.

Protectors of Health Information are Under Resourced
Of those responsible for preventing and detecting data breaches, 71% do not believe they have "sufficient resources to prevent or quickly detect patient data loss or theft."

For example, 28% of the organizations have no staff dedicated to managing data protection and another 35% have fewer than 2 staff dedicated to that effort.

Moreover, well under half the organizations feel they have sufficient technical expertise (42%) or access to appropriate technologies (37%) to effectively prevent or quickly detect the loss of patient data.

"Most likely reasons for data breach is inadequate budget for security and privacy," according to 51% of healthcare organizations. - Ponemon Institute, November 2010 (a)

Overcome the Challenge of Being Under Resourced
So how can healthcare organizations address user access to patient data despite being under resourced?

One approach is to use an on-demand identity and access intelligence service with a pay-per-use model since it is dramatically more cost effective than a traditional licensed software model that requires developing and maintaining specialized technology and technical expertise in-house.

Learn how Veriphyr Identity and Access Intelligence service effectively prevents or quickly detects patient data loss or theft.

Sources:
(a) "Benchmark Study on Patient Privacy and Data Security" by Ponemon Institute released November 9, 2010 (registration required to download report)

Monday, November 1, 2010

Insider Cyber Crime Discovered at 62% of Organizations According to Ponemon Institute Study

62% of organizations experienced cyber crime by malicious insiders according to a new study by the Ponemon Institute that studied a 4-week benchmark period.(a) In healthcare Ponemon has done further research and found criminals and malicious insiders are the root cause for 35% of all data breaches.(b)
$100,300 is the average annual cost of insider crime - Ponemon Institute, July 2010 (a)
Malicious insiders are the second most costly category of cyber crime and account for 19% of all cyber crime costs. Cyber crime is used here to refer to any criminal activity conducted via the Internet and includes viruses and worms, malicious insiders, web-based attacks, malicious code, phishing, botnet, and malware.

Details of the Cost of Insider Crime.
The internal costs of cyber crime are driven by the labor required by each stage of incident response.

As can be seen in the accompanying chart there is great potential for cost savings due to automation and use of pay-per-use services.

Reducing the Cost of Insider Crime
So how can an organization improve security and reduce the cost of addressing cyber crime by insiders?

You can reduce the incidence of insider crime by detecting employees and contractors with excessive access rights that give them opportunity for financial fraud and data theft.

The same identity and access intelligence that detects excessive access rights can be used to reduce the cost of incident response, especially when delivered as an on-demand service with a pay-per-use model, which is dramatically more cost effective than traditional licensed software.

Learn how Veriphyr identity and access intelligence services effectively prevent or automatically detect data loss or theft by insiders.

Sources:
(a) "First Annual Cost of Cyber Crime Study - Benchmark Study of U.S. Companies" by Ponemon Institute released July 2010 (registration required to download report)
(b) "Benchmark Study on Patient Privacy and Data Security" by Ponemon Institute released November 9, 2010 (registration required to download report)

Thursday, October 28, 2010

Correlating User Login IDs to Create Unified Identities for Employees and Contractors

Unifying user logons across distinct applications is essential to ensuring data security and regulatory compliance.

Moreover, unifying user logins is a critical step in implementing identity and access management (IAM).

But mapping employees to their multiple application logon ids can be a significant challenge at many organizations.

"61% of respondents have limited or no knowledge of which systems or applications employees have access to" - October, 2010 survey (a)

The Challenge of Mapping Logons to Identity
Why is it so difficult when all applications can provide a list of logon ids used to access the application?

The problem appears to be the lack of a common user logon identifier and the variety of conventions used to create user logons.

Real Life Example
For example "Edward T Jones" could have logins such as "ejones", "jonese", "ned.t.jones", "njones", "edwjon", or "ejoones" all dependent on the naming convention (and misspelling) of some long gone application owner or administrator.

Existing software packages provide little or no help for mapping user logons to real identities. And why should they since companies do not want to buy and install software for a process they may only do once.
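As an added illustration (not Veriphyr's service), here is one way to automate that mapping: generate the logon IDs each HR name could plausibly have been given under the common conventions, take exact hits, and fall back to fuzzy string similarity for misspellings like "ejoones". The roster, logon list, nickname table and 0.85 similarity threshold are all constructed assumptions.

```python
"""Identity correlation: map application logon IDs back to people in the HR roster.

Added example, not Veriphyr's code. The roster and logon list are constructed;
the nickname table, the generator rules and FUZZY_THRESHOLD are assumptions that
would be tuned per organization.
"""
from difflib import SequenceMatcher

# Constructed HR roster: (employee_id, first, middle, last)
HR_ROSTER = [
    ("E1001", "Edward", "T", "Jones"),
    ("E1002", "Jane", "", "Smith"),
    ("E1003", "Robert", "A", "Brown"),
]

# Assumed nickname table; a real deployment needs a much larger one.
NICKNAMES = {
    "edward": ["ed", "ned", "ted", "eddie"],
    "robert": ["rob", "bob", "bobby"],
    "jane": ["janie"],
}

# Constructed logon IDs harvested from several applications.
LOGINS = ["ejones", "jonese", "ned.t.jones", "njones", "edwjon",
          "ejoones", "jsmith", "smithj", "bbrown", "rbrown", "svc_backup"]

FUZZY_THRESHOLD = 0.85   # assumed; calibrate against known-good mappings


def candidate_ids(first, middle, last):
    """Generate the logon IDs a person could plausibly have been assigned."""
    first, middle, last = first.lower(), middle.lower(), last.lower()
    cands = set()
    for f in [first] + NICKNAMES.get(first, []):
        cands.update({
            f[0] + last,          # ejones
            last + f[0],          # jonese
            f + "." + last,       # edward.jones
            f + last,             # edwardjones
            f[:3] + last[:3],     # edwjon
            f[0] + last[:7],      # ejones, mainframe-style truncation
        })
        if middle:
            cands.add(f + "." + middle[0] + "." + last)   # ned.t.jones
            cands.add(f[0] + middle[0] + last)            # etjones
    return cands


def correlate(logins, roster):
    """Return {login: (employee_id, score, method)}; unmatched logins map to None.

    A login that fits two people equally well is returned as
    (None, score, "ambiguous") for a human to resolve rather than guessed.
    """
    tables = [(emp, candidate_ids(f, m, l)) for emp, f, m, l in roster]
    result = {}
    for login in logins:
        key = login.lower()
        scored = []
        for emp, cands in tables:
            if key in cands:
                scored.append((1.0, emp, "exact"))
                continue
            best = max((SequenceMatcher(None, key, c).ratio() for c in cands), default=0.0)
            if best >= FUZZY_THRESHOLD:
                scored.append((best, emp, "fuzzy"))
        scored.sort(reverse=True)
        if not scored:
            result[login] = None
        elif len(scored) > 1 and scored[0][0] == scored[1][0]:
            result[login] = (None, scored[0][0], "ambiguous")
        else:
            score, emp, method = scored[0]
            result[login] = (emp, round(score, 3), method)
    return result


if __name__ == "__main__":
    for login, match in correlate(LOGINS, HR_ROSTER).items():
        print(f"{login:12s} -> {match}")
```

Exact matches outrank fuzzy ones, unmatched logins (svc_backup above) surface as candidates for the orphan or service-account review, and a logon that fits two people equally well is reported as ambiguous rather than guessed. In practice the nickname table and the candidate rules are where most of the tuning effort goes.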

Identity and Access Intelligence Delivers Automated Mapping
Fortunately, there is an on-demand identity and access intelligence service that applies advanced analytics to automate identity correlation - the mapping of user logons to real identities.

The Veriphyr Identity and Access Intelligence service does all the tedious work of correlating disparate logon ids to employees and contractors. And since Veriphyr is a service, it takes care of the entire problem freeing you and your team to focus on more rewarding projects.

"64% are not completely confident they can prevent terminated employees from accessing one or more IT systems" - October, 2010 survey (a)

Veriphyr Service - Fast Effective Identity Correlation
The Veriphyr identity and access intelligence service uses data you already have. It takes data from any application, in any format, even if the data is incomplete, damaged or unorganized.

Since Veriphyr is an on-demand service you get rapid results. There is no time wasted installing hardware or software or developing connectors to existing applications.

Because Veriphyr is a pay-per-use service, there is no ongoing commitment – you pay only for what you need. And the cost is dramatically lower than purchased software or manual alternatives.

For more on the Veriphyr Identity and Access Intelligence Service watch this 3 minute video demonstration.

Sources:
(a) Courion 2010 Access Assurance Survey

Wednesday, September 8, 2010

Business Intelligence from Identity and Access Analytics - Comments on Gartner Blog


Gartner Group's Earl Perkins has a great blog on unlocking business intelligence from the identity and access data that organizations collect. Earl's blog is titled "Time for Intelligence and Clarity in IAM."

Real Life Example of Identity and Access Intelligence
Earl's blog reminds me of a personal experience where Identity and Access Intelligence provided insight into the operations of the business. I was presenting to the CTO and CFO in preparation for an upcoming audit. Our quick analysis correlated HR employee records with user rights and existing application activity to identify dormant accounts, shared logins and levels of application usage.

The CFO got very excited when I presented the reports on application usage broken down by manager. He barked at me to drill down on 6 specific applications. The Identity and Access Intelligence showed usage of 5 applications had dropped off dramatically a few weeks ago and leveled off at around 10% of users, almost all of whom worked for one of three managers.

The 6th application's usage had shot up dramatically around the same time and leveled off at well under 90% of users AND there was zero usage by the staff of the same three managers. Suddenly, the CFO jumped out of his chair and excused himself. We sat waiting for 15 minutes until he came back...

On returning he strode up to the screen, poked at the report, and declared, "Have this report on my desk every day next week because those numbers should dramatically improve, or else." It turns out the CFO had oversight on the global rollout of an application migration where the 5 applications were being replaced by 1 new integrated application.

Watch a video on the Veriphyr Identity and Access Intelligence Service.

The CFO had been frustrated that the migration had not been going as planned but when he asked for data on who was (and was not) using the application all his staff could provide was cryptic login ids and last login dates. Our Identity and Access Intelligence reports gave him clear intelligence into which managers were not cooperating in the migration based on daily user usage. Hence the 15 minute departure while he "talked" to the three managers about their responsibility to support the migration.

The CTO was pleased the project eliminated dormant accounts and caught shared logins. But the CFO was really pleased that the new application's usage numbers got dramatically better over the next week. This is a clear example of how the information trapped in IAM systems can be unlocked to improve the operation of the business.
"the primary value of IAM ... is to give a context ... to the business knowledge they already possess from other sources...where a business user says 'well now that I know who is doing this, I can make a decision'" - Earl Perkins of Gartner
Sources:
(a) "Time for Intelligence and Clarity in IAM." - Earl Perkins, Gartner Group

Thursday, August 12, 2010

Insider Steals $11 Million Despite Separation of Duties Controls


A three person process for approving payments did not stop a lone insider from stealing $11 million by deceiving a separation of duties (SoD) control. How can an organization prevent this from happening to them? What is needed to ensure that separation of duties controls do not fail?

What Went Wrong?
The thief's unauthorized access to unused computer accounts of two other employees allowed her to pull the strings and make it appear that financial payments had the three "independent approvals" required by the separation of duties control. (a)
“Records showed they were approved by Cawthra and two of her former subordinates who no longer worked there when they supposedly approved the refunds.” (b)
The thief was a manager at the Colorado Department of Revenue. She may have taken over user accounts by “forgetting” to request the accounts be terminated when staff left and learned passwords by asking her staff - “just in case of an emergency.”

Controls - People-based vs. Fact-based
Relying solely on people-based controls, such as deprovisioning users on job change or manager review of access rights, can be a recipe for failure because these controls rely on managers, some of whom may be dishonest.

An effective line of defense could be a fact-based control in which user access rights are compared with user activity by an independent party. This control could have prevented or caught this theft by identifying dormant accounts, shared logins, and other rights/access patterns indicative of fraud.
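Here is an added example (not the Department of Revenue's control or Veriphyr's service) of the fact-based check just described, run over a constructed approval log. For each payment it tests the number of distinct approvers, approvals from the same workstation seconds apart, approvals by accounts whose HR record says the person has already left, and approver accounts that do nothing else (the signature of a dormant account kept alive only to rubber-stamp). The records, logins and thresholds are all constructed assumptions.

```python
"""Fact-based separation-of-duties check over payment approval records.

Added example; not the Colorado Department of Revenue's control nor Veriphyr's
service. The approval log, HR data, activity counts and thresholds are all
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed approval log: (payment, approver login, timestamp, workstation)
APPROVALS = [
    ("PAY-1", "mgr01",   "2010-06-01T09:02:11", "WS-104"),
    ("PAY-1", "clerk07", "2010-06-01T09:02:40", "WS-104"),
    ("PAY-1", "clerk12", "2010-06-01T09:03:05", "WS-104"),
    ("PAY-2", "mgr01",   "2010-06-02T10:15:00", "WS-104"),
    ("PAY-2", "clerk03", "2010-06-02T14:40:21", "WS-221"),
    ("PAY-2", "clerk09", "2010-06-03T08:05:47", "WS-305"),
]

# Constructed HR data: login -> termination date (absent means still employed)
TERMINATED = {"clerk07": "2010-03-31", "clerk12": "2010-04-15"}

# Constructed activity summary: non-approval actions per account in the last 90 days
OTHER_ACTIVITY = {"mgr01": 412, "clerk03": 388, "clerk09": 251, "clerk07": 0, "clerk12": 0}

REQUIRED_APPROVERS = 3
MIN_GAP = timedelta(minutes=5)   # assumed: same-workstation approvals closer than this are suspect


def check_sod(approvals, terminated, other_activity,
              required=REQUIRED_APPROVERS, min_gap=MIN_GAP):
    """Return {payment: [issues]}; an empty list means the approvals look independent."""
    by_payment = defaultdict(list)
    for pay, who, ts, ws in approvals:
        by_payment[pay].append((datetime.fromisoformat(ts), who, ws))

    findings = {}
    for pay, rows in by_payment.items():
        rows.sort()                       # chronological
        issues = []
        approvers = {who for _, who, _ in rows}

        # 1. Were there really N different people?
        if len(approvers) < required:
            issues.append(f"only {len(approvers)} distinct approvers")

        # 2. Did the "independent" approvals come from one chair?
        if len({ws for _, _, ws in rows}) < len(rows):
            issues.append("more than one approval from the same workstation")
        for (t1, _, ws1), (t2, _, ws2) in zip(rows, rows[1:]):
            if ws1 == ws2 and t2 - t1 < min_gap:
                issues.append(f"approvals {int((t2 - t1).total_seconds())}s apart on {ws1}")

        # 3. Did an approver's HR record say they had already left?
        for t, who, _ in rows:
            if who in terminated and t > datetime.fromisoformat(terminated[who]):
                issues.append(f"{who} approved after leaving on {terminated[who]}")

        # 4. Rights vs. activity: an account that only ever approves is a dormant
        #    account someone else is driving.
        dormant = sorted(who for who in approvers if other_activity.get(who, 0) == 0)
        if dormant:
            issues.append("approve-only accounts with no other activity: " + ", ".join(dormant))

        findings[pay] = issues
    return findings


if __name__ == "__main__":
    for pay, issues in check_sod(APPROVALS, TERMINATED, OTHER_ACTIVITY).items():
        print(pay, "OK" if not issues else "; ".join(issues))
```

None of these four tests depends on a manager's say-so; each compares a claim the control makes ("three independent approvals") against a fact recorded somewhere else (HR, the workstation log, the rest of the account's activity), which is what makes it a detective control a single dishonest manager cannot quietly switch off.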

Manual Review is People Intensive
Unfortunately, traditional methods and tools for reviewing access and activity create an enormous amount of work. Someone has to manually comb through user access rights and activity for every sensitive system and application in an organization.

Eliminate the Work and Get Actionable Answers
The Veriphyr Identity and Access Intelligence (IAI) service eliminates manual grunt work by applying advanced analytics to an organization’s existing rights and activity data to identify access policy exceptions.

Veriphyr Identity and Access Intelligence Services
Just as importantly, because it is a pay-per-use service, Veriphyr involves no long term contracts, no software to install, no hardware to procure, and no scripts or connectors to maintain.

You just upload the data you already have (in whatever format it is already in) to Veriphyr's secure data center. The Veriphyr service does the rest and puts user access policy exceptions and actionable remediation into the right hands.

For more see a video demonstration of the Veriphyr service.

Sources:
(a) Man Sentenced To 58 Years In $11M Tax Refund Plot
(b) State Employee Accused In $5 Million Fraud Scheme


Thank you to W. Benson Dana for bringing this incident to my attention.

Friday, July 30, 2010

Gartner Creates New Category in Identity and Access Mgmt:
Identity and Access Intelligence (IAI)

Gartner has created a new category - "Identity and Access Intelligence" - in their July report "Hype Cycle for Identity and Access Management Technologies, 2010".

Identity and Access Intelligence is the set of technologies and processes applied to identity and access data to produce actionable, context-specific insight for business and technical decision making.

Access compliance reporting for users and applications remains a key requirement in information security, privacy, and risk management programs, and there is a need for products to address these requirements.

IAI addresses these regulatory compliance requirements and IAI activities can be performed weekly, bi-weekly, monthly, quarterly or yearly, as security officers and IT auditors require.
Click here for more on the Veriphyr Identity and Access Intelligence service. Learn about this on-demand, pay-per-use IAI service that requires no hardware and no on-site software.
Sources:
(a) "Hype Cycle for Identity and Access Management Technologies, 2010" - Gartner, July 2010


Tuesday, July 27, 2010

Material Weakness Reported by KPMG in Internal Controls for User Access


KPMG recently reported “access controls contribute to a … significant deficiency that is considered a material weakness in IT controls” at the Federal Emergency Management Agency (FEMA). (a)
CFOs lost their jobs within 3 months of reporting a material weakness in more than 60% of such cases. - A.R.C. Morgan (b)
Specific weaknesses highlighted by KPMG include:
  • Application, database, and network accounts were not periodically reviewed for appropriateness and resulted in inappropriate authorizations and excessive access rights.
  • Application, network, and remote user accounts were not disabled upon personnel termination.
The importance placed on weaknesses in internal controls for user access is understandable in light of IDC reporting that “Out-of-date and/or excessive privileges and access control rights for users are viewed as having the most financial impact on organizations.”(c)
"Deficiencies identified in FEMA's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities. – KPMG FEMA Report (a)
Material weaknesses at FEMA are estimated to take several years to remediate using conventional methods, but the Veriphyr Identity and Access Intelligence Service can put sustainable internal controls in place in days, not months. Moreover, this can be done with zero hardware, zero software, and no work.

The Veriphyr identity and access intelligence service applies analytics to data you already have and eliminates the grunt work of identifying user access policy violations. Plus the Veriphyr identity and access intelligence service delivers actionable remediations and monitors the resolution of the remediations.

If you want to avoid a material weakness of internal controls in your next audit be sure to view a video demonstration of the Veriphyr identity and access intelligence service.

Sources:
(a) Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2009 DHS Integrated Audit
(b) A.R.C. Morgan: More than 60 Percent of CFOs Resign or are Pushed when a Material Weakness is Disclosed
(c) "Insider Risk Management: A Framework Approach to Internal Security" by IDC

Tuesday, July 20, 2010

Jail Time Due to HIPAA Patient Privacy Violation


A former UCLA Healthcare System employee was fined and sentenced to four months in federal prison plus one year of supervised release.

His crime? He had been terminated from his job (but retained his access to the medical systems) and accessed the records of Drew Barrymore, Tom Hanks, Arnold Schwarzenegger, Barbara Walters, and others.(a) 
“In his plea agreement, Zhou admitted that he obtained and read private patient health and medical information on four specific occasions after he was formally terminated from the UCLA Healthcare System.” (b) 

The Challenge of Meaningful Use and the Security Rule
The HIPAA security rule requires that healthcare organizations “Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.” (c) But the problem of employees retaining access after termination has been shown to be especially difficult to prevent using conventional methods that depend on managers informing IT or HR systems informing IT.

Conventional Methods are Not Sustainable Controls
There have been reports of firing managers not informing HR or IT for weeks after a termination because they were too busy to complete the paperwork. In at least one firm the HR system did not inform IT for several months after the termination because the terminated employee's severance agreement involved payments for several months after the termination, and therefore he was classified as an employee for HR regulatory purposes, so no notification was sent to IT.
Learn how the Veriphyr Identity and Access Intelligence service supports meaningful use by identifying terminated users, as well as detecting inappropriate access to patient medical records.
Identity and Access Intelligence (IAI) Discovers Terminated Users
Fortunately, there are more sustainable controls for identifying terminated employees and notifying IT to terminate access. Identity and access intelligence eliminates the dependency on people and automatically identifies terminated employees based on their on-line activity. Several firms claim to provide identity and access intelligence, but only Veriphyr offers an on-demand Identity and Access Intelligence service that can be up and running in 24 hours and requires zero capital expenditures (CAPEX).
"HIPAA's criminal privacy provisions protect not only celebrities, but all of us from curious neighbors, disgruntled co-workers, and other snoopers." - Acting United States Attorney George S. Cardona (d)
Sources:
(a) KTLA.com
(b) United States Attorney's Office
(c) “Security Standards for the Protection of Electronic Protected Health Information,” - 45 CFR Part 164.308(a)(3)(ii)(C)
(d) Department of Justice

Tuesday, July 13, 2010

Can Patient Privacy be Secured when Non-Employees are Given Access to a Hospital's EHR?

A Colorado Springs hospital claims a city employee accessed 2,500 electronic medical records in violation of the HIPAA/HITECH privacy rule.

How can a hospital maintain patient data privacy when it is required to allow non-employees access to the hospital's medical records? Given the drive toward health information exchanges (HIE) how can hospitals protect their patients' data privacy? Your thoughts?
"From my understanding, she was accessing the [electronic medical] records when she wasn’t at work. She wasn’t doing it as part of her job." - Hospital Spokesman
The city employee had worked as an occupational health nurse for eight years. As part of her job she was authorized to access the hospital's medical records related to her patients.

The nurse had signed forms agreeing to abide by HIPAA/HITECH privacy requirements, but according to a reporter at The Gazette, a local newspaper, the nurse did admit to accessing the electronic medical records for personal reasons, such as looking up the phone number of a friend that she had lost.
"I guarantee that accessing the [medical records] database for stuff like that is rampant in the medical community. If you talked to other medical people, you'd find out that it's pretty damn common." - Nurse accused of unauthorized access
The Hospital only learned of the 2,500 privacy breaches when it was notified by the city. The nurse's supervisor raised a concern because of unusual patient access activity by the nurse, including a high frequency of access and access from unusual locations.

The nurse claims her supervisor was fishing for an excuse to fire her after the nurse's 'psychic' abilities revealed her supervisor had a life-threatening condition. The nurse admits to looking at the supervisor's medical records to see if the supervisor heeded her advice and sought treatment.

As a result the hospital is looking into a software service to more quickly alert hospital officials to unusual activity surrounding electronic medical records.
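The signals the supervisor noticed, unusual frequency and unusual locations, can be checked automatically against the EHR audit trail, together with the two questions a privacy officer would ask first: does this user have a treatment relationship with the patient, and is the "patient" actually a coworker? The following is an added example (not Memorial's software or Veriphyr's service) run over a constructed audit log; the shift hours, home locations, patient assignments, burst threshold and the list of staff who are also patients are assumptions.

```python
"""Snooping detection over an EHR access audit trail.

Added example, not Memorial Health System's tooling or Veriphyr's service.
The audit rows, assignments, home locations and staff-patient list are
constructed; SHIFT_HOURS and the burst parameters are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed EHR audit trail: (timestamp, user, patient_id, workstation_location)
AUDIT = [
    ("2010-07-06T08:15:00", "rn_a", "P100", "clinic-3"),
    ("2010-07-06T09:40:00", "rn_a", "P101", "clinic-3"),
    ("2010-07-06T10:05:00", "rn_a", "P102", "clinic-3"),
    ("2010-07-06T21:30:00", "rn_b", "P300", "home-vpn"),   # off-hours, unusual location
    ("2010-07-06T21:31:00", "rn_b", "P301", "home-vpn"),
    ("2010-07-06T21:33:00", "rn_b", "P900", "home-vpn"),   # the supervisor's own record
    ("2010-07-07T11:00:00", "rn_b", "P200", "clinic-5"),   # legitimate
]

# Constructed context: who is assigned to whom, where each user normally works,
# and which patient records belong to employees (assumed to come from HR).
ASSIGNED = {"rn_a": {"P100", "P101", "P102"}, "rn_b": {"P200", "P201"}}
HOME_LOCATION = {"rn_a": "clinic-3", "rn_b": "clinic-5"}
STAFF_RECORDS = {"P900": "supervisor01"}
SHIFT_HOURS = range(7, 19)   # assumed day shift, 07:00-18:59


def detect_snooping(audit, assigned, home, staff_records, shift=SHIFT_HOURS):
    """Return {user: [(timestamp, patient_id, [reasons])]} for suspect accesses."""
    findings = defaultdict(list)
    for ts, user, patient, loc in audit:
        when = datetime.fromisoformat(ts)
        reasons = []
        if patient not in assigned.get(user, set()):
            reasons.append("no treatment relationship")
        if when.hour not in shift:
            reasons.append("off-hours")
        if loc != home.get(user):
            reasons.append(f"unusual location {loc}")
        if patient in staff_records:
            reasons.append(f"record of coworker {staff_records[patient]}")
        if reasons:
            findings[user].append((ts, patient, reasons))
    return dict(findings)


def bursts(audit, window_min=5, min_count=3):
    """Return {user: [(window_start, count)]} where a user opened many records fast."""
    per_user = defaultdict(list)
    for ts, user, _, _ in audit:
        per_user[user].append(datetime.fromisoformat(ts))
    out = {}
    for user, times in per_user.items():
        times.sort()
        hits, i = [], 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_min * 60:
                j += 1
            n = j - i + 1
            if n >= min_count:
                hits.append((times[i].isoformat(), n))
                i = j + 1          # do not double-count a window
            else:
                i += 1
        if hits:
            out[user] = hits
    return out


if __name__ == "__main__":
    for user, events in detect_snooping(AUDIT, ASSIGNED, HOME_LOCATION, STAFF_RECORDS).items():
        for ts, patient, reasons in events:
            print(user, ts, patient, ", ".join(reasons))
    print(bursts(AUDIT))
```

The treatment-relationship and coworker checks need identity data (assignments, and which patient IDs belong to staff) that a pure activity monitor does not have, which is the "activity and identity" point made earlier on this page; the off-hours, location and burst checks need only the audit log and would have raised the supervisor's concern without waiting for a human to notice.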

Sources:
(a) Memorial Patient Records Improperly Accessed - Memorial Health System, July 11, 2011
(b) 'Psychic' nurse says she is unfairly targeted in hospital records case - The Gazette, July 11, 2011


Thursday, July 1, 2010

Will Your Employees Be Bribed to Steal Patient Data?

A hospital was victimized by a trusted employee who was enticed into stealing patient data by the promise of a few thousand dollars.

What are you doing to help your employees avoid the lures of organized crime? Do your employees feel they are certain to be caught if they steal patient data?

Corrupted by the promise of $4,000, a surgical instrument technician at a Pittsburgh hospital stole patient names and Social Security numbers. The criminals who recruited him used the patient data to file unauthorized tax returns to claim $84,190 in tax refunds.
"He did not know that these numbers were going to be used for fraudulent tax returns. He's ... almost a victim himself." - Attorney Anthony Bittner, who represents the defendant
The hospital technician, who said he never received the promised cash, pleaded guilty to unauthorized disclosure of personal medical information in violation of the HIPAA federal law. He faces up to one year in prison and a fine of $50,000. The people who corrupted him escaped prosecution by fleeing the country.

The crime was detected when patients of the hospital discovered that tax returns had already been filed in their names; they alerted the U.S. Postal Service, IRS and U.S. Secret Service, whose investigation led to the indictment in this case.

Download a white paper on medical records privacy breach detection as a service. Veriphyr delivers a credible detective control that discourages employees from violating patient privacy - with no hardware and no on-site software.
Sources:
(a) Zambian man pleads guilty to identity theft of hospital patients - Pittsburgh Post-Gazette, July 1, 2011
(b) Former UPMC Shadyside Hospital Employee Pleads Guilty to HIPAA Violation - US Attorney's Office, Western District of Pennsylvania, June 30, 2011


Sunday, June 20, 2010

Gartner - Access Solutions Delivered as a Service Gain Market Acceptance

Veriphyr's delivery of User Access Compliance as a subscription service is part of a fast growing trend of identity and access management (IAM) offerings delivered as a service (SaaS).
According to Gartner "purchase of IAM functionality delivered as a SaaS is expected to accelerate over the coming years. This is confirmed by a Gartner survey of 111 end-user respondents in North America and EMEA showing that 27% of the businesses interviewed during the 2009 IAM Summits agreed, pointing to an expected increase in spending on SaaS IAM products by 2011."
View a 5 minute video demonstration of the Veriphyr service.

Sources:
(a) Gartner Says Worldwide Identity and Access Management Market Will Grow 8 Per Cent in 2010 to Reach $9.9 Billion

Tuesday, June 15, 2010

IT Compliance Remediation Spotlighted
in the “Top 5 Security Initiatives” List




Audit and compliance are in the spotlight according to security executives who participated in the 2010 global security survey conducted annually by Deloitte.(a)

“For the first time, information security compliance (internal /external audit) remediation is a top-five security initiative as organizations gear up for increased regulation and legislation.” – Deloitte 2010 .(a)

New Initiatives Reflect Importance of Compliance

Thursday, June 10, 2010

#1 Top Audit Finding for 3 Years Running is
Excessive Access Rights - Deloitte Survey




Excessive Access Rights is the #1 audit finding according to Deloitte's 7th annual security survey.(a) Moreover, excessive access rights was the #1 audit finding in the previous two annual surveys.(b & c)


Given that excessive access rights are often due to job changes and terminations it is no surprise that the #5 audit finding is "Lack of clean up of access rules following a transfer or termination."

Why are Excessive Access Rights so Prevalent?

Saturday, June 5, 2010

Credit Unions' Top Challenge is Identity and Access Intelligence Says the National Credit Union Administration (NCUA)


Most Significant Issues for Credit Unions
Gigi Hyland, board member of the National Credit Union Administration (NCUA) highlighted Identity and Access Intelligence issues as the #1 and #2 "most significant information security threats to credit unions" in a new podcast interview with Tom Field, editorial director for Information Security Media Group.

#1 Issue - Former Employees Retain Access and Steal Data
When asked "What do you see as the current information security threats that pose the biggest challenges to your member institutions?", Hyland listed "first and foremost" theft of data by former employees after termination.
"Unfortunately, the agency is learning of cases where disgruntled former employees pilfer or otherwise corrupt key data after their employment with the credit union ends. And this creates, as you can imagine, a great deal of risk to the institutions, and I think what we are seeing is that in order for credit unions to be proactive from an internal control standpoint, management really needs to ensure that policies are in place for coordinating data access." - Gigi Hyland, NCUA board member

Saturday, May 1, 2010

Interactive Poll on User Access Reviews (aka User Access Attestation)

We have over fifty great comments on LinkedIn about the poll questions in my last blog. I thought those of you not on LinkedIn might want to join the discussion, so I am posting an interactive poll that anyone can access here. I look forward to your thoughts and will blog about the results when we close the poll in about 4 months.

View a 3 minute video demonstration of the Veriphyr service.

Tuesday, March 23, 2010

3 Question Quiz - Are You Ready for Identity and Access Intelligence as a Service



Working with companies on identity and access intelligence (IAI), I see organizations working through each stage of implementing identity and access policies, processes, and tools.

Some are managing separate silos of access for individual servers and applications, others are deploying provisioning systems, and others have mature provisioning and directory infrastructures.

A common topic of discussion is when in the process they can start using identity and access intelligence as a service. Can an IAI service enable compliance even before they have implemented MS-AD or another directory product? Is a provisioning system a requirement? What if the access rights are full of problematic rights?

In response, I recently created a 3 part quiz to help companies measure their readiness for identity and access intelligence as a service. Although it is slightly tongue-in-cheek, here it is, enjoy:

Wednesday, March 10, 2010

Identity and Access Management to Reach $11.9 B by 2013

Gartner predicts the Identity and Access Management (IAM) market will grow to $11.9 billion by the end of 2013.

This builds on the Gartner prediction that IAM revenue will reach $9.9 billion in 2010, an 8 per cent increase from 2009 revenue of $9.2 billion.
"IAM technology is a critical component of enterprises' security strategies, and Gartner clients have indicated that approximately 8 per cent of their security budgets are dedicated to IAM." - Ruggero Contu, principal research analyst at Gartner
Sources:
(a) Gartner Says Worldwide Identity and Access Management Market Will Grow 8 Per Cent in 2010 to Reach $9.9 Billion - Gartner, March 3, 2010


Thursday, March 4, 2010

Regulatory Priorities for the Financial Industry in 2010


The Financial Industry Regulatory Authority (FINRA) just released its annual letter highlighting the examination priorities for 2010.

Once again FINRA expects Identity and Access Intelligence (IAI) to be a significant priority for regulatory examiners.

This continues a regulatory focus on IAI seen last year when FINRA's 2009 letter stated:
"Insider threats remain an elevated risk, especially during this time of corporate downsizing in response to current economic conditions. FINRA has seen several high-profile problems result from poor IT account management within the employee ranks. Systems that are used to control employee activities and provide a check and balance should be reviewed to ensure that only currently authorized personnel are granted access to these systems. The same holds true for other systems, such as trading systems that can be used to commit firms to a trade or contract. Weaknesses in these controls can be costly and can significantly damage a firm's business and/or reputation."

Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.