Showing posts with label Access Governance.

Monday, September 16, 2013

National Health IT Week

September 16-20 has been designated National Health IT Week by the Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC).

Health IT Week will highlight the path to Interoperability, which depends on five elements: "adoption and optimization of electronic health records (EHRs) and health information exchange (HIE) services, standards, financial and clinical incentives, privacy and security, and rules of engagement."

"National Health IT Week raises awareness of Health Information Technology’s power to improve the health and health care of patients all across the nation, and at lower cost."
- HHS Office of the National Coordinator for Health Information Technology
Privacy and security will be addressed in a webinar on Tuesday, 9/17, during which policy chief Jodi Daniel will give an update on HIE governance activities.

To build trust among HIE participants, low-cost on-demand SaaS analytics services are being used for access governance and to proactively detect patient data privacy breaches.

Download a white paper on patient privacy breach detection. Learn how to proactively identify unauthorized breaches of patient data privacy, even by authorized users, with no hardware and no on-site software.
Sources:
(a) National Health IT Week - www.nationalhealth.org, 09/13/2013

Tuesday, April 24, 2012

Webinar - Chase Away Cloud Challenges: User Access Governance & Compliance

If you are interested in cloud technology and enjoy this blog, be sure to catch my webcast on "Chase Away Cloud Challenges: User Access Governance & Compliance". The talk was given on May 23, 2012, at 4pm Eastern (1pm Pacific), and you can watch it here.

Whether you are taking advantage of a cloud-based commercial application or moving your own custom application to a cloud infrastructure, the cloud brings new challenges for user access governance and compliance.

My talk will cover what you need to do both contractually and operationally to ensure the user access of your cloud-based applications is as secure and compliant as your data-center applications.

Topics covered will include:
  • Key contract terms you need in order to govern user access
  • Architectural components that are critical to user access governance
  • What about cloud-based Identity & Access Management services?
  • Operational components required to support user access governance
  • How user access governance is evolving to meet cloud compliance

Thursday, November 17, 2011

Report: Government Insider Breaches on the Rise

A report conducted by Telus and the University of Toronto's Rotman School of Management indicated that reported breaches of confidential information by Canadian federal and provincial insiders rose in 2011. The study found that forty-two per cent of breaches in government were perpetrated by insiders either misusing authorized access or violating access controls entirely.

Violations of access control by insiders are among the most difficult types of attack to detect, because detection requires manually reviewing mountains of log data and comparing actual usage with authorized permissions. Worse, users may have accumulated unnecessary or obsolete rights as a result of job changes. The personnel who perform the analysis may not know what constitutes legitimate business access and must rely on business leaders for review. The result is a lot of time spent chasing false positives; it is no wonder that most businesses neglect this type of review.

Veriphyr Identity and Access Intelligence is a SaaS application that automates the review of user access activity against granted rights, with no need to deploy hardware or software on-premises. We take uploads of raw, unfiltered, and unmapped exports of your directory rights, access control lists, and system and application activity logs, and automatically correlate identities, rights, and activity to detect violations of access policy.
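The correlation described above, as an added Python illustration that is not Veriphyr's code: the three inputs are constructed sample exports in an assumed CSV layout (a directory export of user,group; an ACL export of group,resource,permission; an activity log of timestamp,user,resource,action). The script derives each user's effective rights, then walks the activity log to flag actions outside granted rights (including actions by accounts absent from the directory) and rights that were granted but never exercised in the window.

```python
"""Correlate identity, rights, and activity exports to find access-policy
violations and dormant (unused) rights.

Added example, not Veriphyr code. All three inputs are constructed
samples in an assumed CSV layout: a directory export (user,group), an
ACL export (group,resource,permission) and an application activity log
(timestamp,user,resource,action)."""
import csv
import io
from collections import defaultdict

DIRECTORY_EXPORT = """\
user,group
alice,finance_ro
alice,finance_approver
bob,finance_ro
bob,finance_approver
carol,helpdesk
"""

ACL_EXPORT = """\
group,resource,permission
finance_ro,ledger,read
finance_approver,ledger,approve
helpdesk,ticketing,write
"""

ACTIVITY_LOG = """\
timestamp,user,resource,action
2011-11-01T09:12:00,alice,ledger,read
2011-11-01T09:13:00,alice,ledger,approve
2011-11-02T14:02:00,bob,ledger,read
2011-11-03T10:20:00,carol,ticketing,write
2011-11-03T11:45:00,carol,ledger,read
2011-11-04T08:00:00,dave,ledger,read
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def effective_rights(directory_text, acl_text):
    """Map each user to the set of (resource, permission) pairs held
    through group membership (the 'who has access to what' view)."""
    groups_of = defaultdict(set)
    for row in load_rows(directory_text):
        groups_of[row["user"]].add(row["group"])
    perms_of_group = defaultdict(set)
    for row in load_rows(acl_text):
        perms_of_group[row["group"]].add((row["resource"], row["permission"]))
    return {user: set().union(*(perms_of_group[g] for g in groups))
            for user, groups in groups_of.items()}


def correlate(directory_text, acl_text, activity_text):
    """Return (violations, dormant_rights).

    violations: activity rows whose (resource, action) is not covered by
      the actor's granted rights; an actor absent from the directory
      (an orphaned or unmapped account) is flagged for every action.
    dormant_rights: granted (user, resource, permission) triples never
      exercised in the log window, the raw material of privilege creep.
    """
    rights = effective_rights(directory_text, acl_text)
    used = defaultdict(set)
    violations = []
    for row in load_rows(activity_text):
        key = (row["resource"], row["action"])
        if key in rights.get(row["user"], set()):
            used[row["user"]].add(key)
        else:
            violations.append((row["timestamp"], row["user"]) + key)
    dormant = sorted((user, res, perm)
                     for user, granted in rights.items()
                     for res, perm in granted - used[user])
    return violations, dormant


if __name__ == "__main__":
    found, unused = correlate(DIRECTORY_EXPORT, ACL_EXPORT, ACTIVITY_LOG)
    for v in found:
        print("VIOLATION", *v)
    for d in unused:
        print("DORMANT", *d)
```

On the sample data carol's read of the ledger and every action by the unmapped account dave are reported as violations, and bob's never-used approve right on the ledger is reported as dormant. The dormant list is the input a business reviewer actually needs: only rights that were granted and not used, rather than the whole entitlement dump.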

Veriphyr delivers reports on policy violations that are quickly and easily grasped by non-technical business leaders.

Visit Veriphyr to learn more. Other vendors deliver technology; Veriphyr delivers answers.


Tuesday, July 26, 2011

Information Security Luminary Steve Katz Joins Veriphyr Advisory Board

Identity and Access Intelligence SaaS Provider Taps Prominent Financial Services Expert as Strategic Counselor

Veriphyr, a leading provider of Identity and Access Intelligence (IAI), today announced that Steve Katz, one of the leading authorities on information security for the financial services sector, has joined the company as the first member of its Board of Advisors. Mr. Katz will provide strategic technology, go-to-market, and business development counsel to Veriphyr’s management team.

Former CISO at Citibank, JP Morgan, and Merrill Lynch
Mr. Katz is one of the preeminent figures and leading thinkers in matters of financial services information security. He is the former Chief Information Security Officer (CISO) for Citibank, JP Morgan, and Merrill Lynch, and was appointed as the Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury. Mr. Katz is a founder and president of Security Risk Solutions LLC, a leading information security consulting firm.
“Veriphyr has developed a very powerful platform for analyzing mountains of identity and access rights, policy and usage data to extract actionable security and regulatory compliance intelligence,” said Steve Katz. “The applications for this technology in the highly regulated and risk sensitive financial services arena are significant. I am looking forward to working with Veriphyr to help them expand their footprint in this market.”
Veriphyr’s identity and access intelligence SaaS solution proactively detects data privacy breaches and inappropriate access to applications, databases, and systems. The company’s advanced data analytics transform identity, rights, and activity data to expose threats and regulatory violations that span privacy, compliance, risk, and security.
“Steve Katz is one of the most respected, knowledgeable, and connected information security experts in the financial services industry,” said Alan Norquist, Founder and CEO of Veriphyr. “His decision to join the Veriphyr advisory board gives our technology a major credibility boost in the financial services market. We are extremely pleased to welcome Steve to our team, and are fortunate to have him as a trusted advisor.”
About Veriphyr
Veriphyr Identity and Access Intelligence (IAI) service discovers data privacy breaches and inappropriate access to applications, databases, and systems. Veriphyr applies advanced data analytics to transform identity, rights, and activity data into actionable intelligence for business management in privacy, compliance, and security.

Editorial Contact:
Marc Gendron
Marc Gendron PR
781-237-0341
marc@mgpr.net

Veriphyr is a trademark of Veriphyr, Inc. in the United States. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Saturday, July 2, 2011

$19 Million Embezzled from CitiGroup by VP with Excessive Access Rights

A former Citigroup vice president in the internal finance department is charged with embezzling over $19 million.

Between July and December of 2010 the defendant allegedly transferred money between numerous Citigroup corporate accounts and his personal account at JPMorgan Chase.
"The defendant allegedly used his knowledge of bank operations to commit the ultimate inside job." - Loretta E. Lynch, US Attorney, Eastern District, New York
The former VP appears to have accrued excessive access rights to sensitive banking systems so he could both authorize and initiate eight large transfers of cash. Excessive access may also explain how he could associate fraudulent contracts and deal numbers with the wire transfers and make them appear to be for existing contracts.
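The two control failures named above, one identity able to both initiate and authorize a transfer, and wire transfers tied to contract numbers that do not exist, are the kind of thing a separation-of-duties review can surface. The following Python script is an added example, not drawn from the complaint and not Veriphyr code; its entitlement map, contract master list and transfer records are constructed samples. It reports users holding both halves of the control (a preventive finding), transfers where initiator and approver are the same identity (a detective finding, with the amount involved), and transfers whose contract reference is unknown.

```python
"""Separation-of-duties checks over a wire-transfer log.

Added example: not from the complaint and not Veriphyr code. Inputs are
constructed: an entitlement map (user -> rights), a contract master list,
and transfer records carrying both the initiating and the approving user."""
from collections import namedtuple

Transfer = namedtuple("Transfer", "id initiator approver amount contract")

INITIATE, APPROVE = "wire.initiate", "wire.approve"

# Constructed entitlements; vp_finance holds both halves of the control.
ENTITLEMENTS = {
    "vp_finance": {INITIATE, APPROVE},
    "analyst1": {INITIATE},
    "controller": {APPROVE},
}
# Constructed contract master list that every transfer must reference.
CONTRACTS = {"C-1001", "C-1002"}
# Constructed transfer log.
TRANSFERS = [
    Transfer("T1", "analyst1", "controller", 250_000, "C-1001"),
    Transfer("T2", "vp_finance", "vp_finance", 3_900_000, "C-1002"),
    Transfer("T3", "vp_finance", "vp_finance", 2_100_000, "C-9999"),
    Transfer("T4", "analyst1", "controller", 10_000, "C-7777"),
]


def toxic_combinations(entitlements, pair=(INITIATE, APPROVE)):
    """Users who hold both rights: flag before any transfer is misused."""
    return sorted(u for u, rights in entitlements.items() if set(pair) <= rights)


def self_approved(transfers):
    """Transfers where a single identity both initiated and approved."""
    return [t for t in transfers if t.initiator == t.approver]


def unknown_contracts(transfers, contracts):
    """Transfers referencing a contract id absent from the master list."""
    return [t for t in transfers if t.contract not in contracts]


def sod_report(transfers, entitlements, contracts):
    """Summarize the three checks in a form a non-technical reviewer can read."""
    selfies = self_approved(transfers)
    return {
        "toxic_users": toxic_combinations(entitlements),
        "self_approved": [t.id for t in selfies],
        "self_approved_amount": sum(t.amount for t in selfies),
        "unknown_contract": [t.id for t in unknown_contracts(transfers, contracts)],
    }


if __name__ == "__main__":
    for key, value in sod_report(TRANSFERS, ENTITLEMENTS, CONTRACTS).items():
        print(f"{key}: {value}")
```

The toxic-combination check works from rights alone, so it can run on an entitlement export before any transfer log is available; the other two need transaction records with both the initiating and the approving identity, which is exactly the field a fraudulent self-approval would show.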

According to the complaint, Citigroup only discovered the fraud many months after it occurred as part of an internal audit of the department.
In the time between the crime and its discovery the defendant allegedly used some of the money to purchase a Maserati, a BMW, and six properties, including a home with a half-million-dollar entertainment system.
For other insider frauds see: Insider Steals $11 Million Despite Separation Duties Controls

Sources:
(a) Former Citigroup Vice President Charged With Bank Fraud For Embezzling More Than $19 Million - US Attorney's Office, Eastern District of New York, June 27, 2011
(b) US Attorney's Office Complaint - US Attorney's Office, Eastern District of New York, June 27, 2011
(c) Arrest in Alleged Citi Fraud Former Employee Charged with Embezzling $19 Million; 'Ultimate Inside Job' - Wall Street Journal, June 28, 2011


Sunday, June 26, 2011

"Abuse of System Access / Privileges" is #1 Means for Stealing Intellectual Property and Classified Information

According to the Verizon 2011 Data Breach Investigations Report (DBIR), "Abuse of System Access / Privileges" is the top threat action type used to steal intellectual property and classified information.

Verizon's Real World Example
An example from the Verizon report is a Nigerian fraud ring that gained key positions within some of America’s largest banks, which allowed them to steal personally identifiable information, access and/or create bank accounts, and carry out other nefarious activities.
"Another lesson ... is the importance of quickly deprovisioning user access and privileges when they are no longer needed. Year after year we investigate breaches involving former employees or business partners." - Verizon 2011 Data Breach Investigations Report
[Chart: Top Threat Types Used To Steal Intellectual Property and Classified Information (excludes those only involving payment card data, bank account information, personal information, etc.)]
Learn how Veriphyr’s Identity and Access Intelligence as a service discovers abuse of system access and privileges - with no hardware and no on-site software.
The Verizon 2011 Data Breach Investigations Report (DBIR) provides a view of “what it means for the general community.” This chart is part of Verizon's effort to release some of the most-requested segmentations of the DBIR's 761 incidents to answer the question “what it means for specific segments.”

Sources:
(a) New views into the 2011 DBIR - Verizon Security Blog, June 23, 2011
(b) Verizon 2011 Data Breach Investigations Report - Verizon Security, Apr 19, 2011


Sunday, May 1, 2011

"Regulatory Compliance" - #1 Issue for Information Systems Audit and Control Professionals

Regulatory compliance topped the list of business issues according to a recent survey by ISACA, a global organization for information security, audit, control, and governance professionals.

Issues within regulatory compliance were managing and sharing personally identifiable information (PII), the costs associated with required controls, compliance process management, and the segregation of duties and privileged access monitoring.
"Keeping up with the ever evolving legislative and regulatory requirements is time consuming and expensive as IT must design and maintain systems." - ISACA Survey Report
The top seven business issues identified by the survey are:
  • Regulatory compliance
  • Enterprise-based IT management and IT governance
  • Information security management
  • Disaster recovery/business continuity
  • Challenges of managing IT risks
  • Vulnerability management
  • Continuous process improvement and business agility
Cut the time and expense of user access compliance. See how Identity and Access Intelligence as a service addresses user access compliance - with no hardware and no on-site software.
The results are based on a survey of 46,101 ISACA members and 2,405 responses (6.9 % response rate). The survey was conducted between 10/12/2010 and 11/19/2010.

About ISACA
ISACA is a global organization for information security, audit, control, and governance professionals. The ISACA information system auditing and control standards are followed by practitioners worldwide.

Sources:
(a) ISACA - Top Business/Technology Issues Survey Results 2011 (registration required) - ISACA, 2011

Sunday, March 6, 2011

Discovering Identity - Who Used those Access Rights, How?

Mark Dixon at "Discovering Identity" raises a new question for identity auditing - "Who used those access rights and how did they use them?"

Mark contrasts this with the standard questions of "Who has access to what?" and "Who granted those access rights, when?". He also points out that while IAM suite vendors have tools to address the last two questions, they currently lack a good solution for the first.
"The [last] two questions address the assignment of access rights to individuals; the [first] question addresses actual use of access rights after assignment." - Mark Dixon, Discovering Identity
For more see Mark's blog Who Used those Access Rights, How?

Thursday, January 20, 2011

Excessive Access Rights + Disgruntled Employee = Trouble

Excessive user access privileges let a disgruntled employee cause $7 million in damages. The trusted employee was a whiz at fixing any IT problem, so she accumulated privileges far beyond her job requirements. When the company outsourced IT, she planted logic bombs that crashed racks of servers after she left the company.
"There is this tendency to give these people more privileges than they need because you never know when they'll need to be helping someone else out." - Larry Ponemon, Ponemon Institute
Learn how the Veriphyr Identity and Activity Analytics Service discovers users with excessive access privileges so you can avoid "privilege creep" disasters.
"This is what happens when privileges are granted to an individual to handle a specific task but are not revoked when the person no longer needs them." - Larry Ponemon, Ponemon Institute
The company's continuity plan kicked in and they switched to their backup servers, but the woman had put logic bombs on the backup servers too. It was very difficult for the company to figure out the problem and recover because the crashes seemed to have no common cause.
"A malicious employee [who's] angry can do a lot of damage in a way that's hard to discover immediately and hard to trace later." - Larry Ponemon, Ponemon Institute
Sources:
(a) Security Fail: When Trusted IT People Go Bad - Computerworld, Jan 18, 2011
(b) Ponemon Institute

Tuesday, July 27, 2010

Material Weakness Reported by KPMG in Internal Controls for User Access

KPMG recently reported “access controls contribute to a … significant deficiency that is considered a material weakness in IT controls” at the Federal Emergency Management Agency (FEMA). (a)
CFOs lost their jobs within 3 months of reporting a material weakness in more than 60% of such cases. - A.R.C. Morgan (b)
Specific weaknesses highlighted by KPMG include:
  • Application, database, and network accounts were not periodically reviewed for appropriateness and resulted in inappropriate authorizations and excessive access rights.
  • Application, network, and remote user accounts were not disabled upon personnel termination.
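The two weaknesses listed above (accounts never reviewed for appropriateness, and accounts left active after termination) and the deprovisioning lesson quoted from the Verizon DBIR earlier on this page all reduce to checks that can be run against data most organizations already hold. The following Python script is an added example, not KPMG's audit procedure and not Veriphyr code; its HR termination feed, account export and authentication log are constructed samples in an assumed layout. It lists terminated users whose accounts remain enabled, authentication attempts (successful or failed) after a user's termination date, and enabled accounts idle past a review threshold.

```python
"""Account-review checks: accounts not disabled on termination, activity
after termination, and enabled accounts idle past a review threshold.

Added example, not KPMG's procedure and not Veriphyr code. Inputs are
constructed: an HR feed (user -> termination date), an account export
(user -> enabled flag and last login) and an authentication log of
(timestamp, user, result)."""
from datetime import date, datetime, timedelta

# Constructed HR termination feed.
HR_TERMINATIONS = {"jdoe": date(2010, 3, 31), "rroe": date(2010, 5, 15)}

# Constructed account export; last_login None means the account never logged in.
ACCOUNTS = {
    "jdoe": {"enabled": True, "last_login": date(2010, 4, 12)},
    "rroe": {"enabled": False, "last_login": date(2010, 5, 14)},
    "asmith": {"enabled": True, "last_login": date(2010, 1, 3)},
    "bkim": {"enabled": True, "last_login": date(2010, 7, 20)},
    "svc_backup": {"enabled": True, "last_login": None},
}

# Constructed authentication log.
AUTH_LOG = [
    ("2010-04-12T22:31:00", "jdoe", "success"),
    ("2010-05-14T09:00:00", "rroe", "success"),
    ("2010-05-16T02:10:00", "rroe", "failure"),
    ("2010-07-20T08:15:00", "bkim", "success"),
]


def not_disabled_on_termination(accounts, terminations):
    """Terminated users whose account is still enabled."""
    return sorted(u for u in terminations
                  if accounts.get(u, {}).get("enabled", False))


def activity_after_termination(auth_log, terminations):
    """Authentication events dated after the user's termination. Failed
    attempts are kept: a disabled account being tried is worth knowing."""
    hits = []
    for ts, user, result in auth_log:
        term = terminations.get(user)
        if term and datetime.fromisoformat(ts).date() > term:
            hits.append((user, ts, result))
    return hits


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no login inside the review window. The
    90-day threshold is an assumed review policy, not a value from the audit."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u, a in accounts.items()
                  if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff))


def review(accounts, terminations, auth_log, as_of):
    return {
        "still_enabled": not_disabled_on_termination(accounts, terminations),
        "post_termination_activity": activity_after_termination(auth_log, terminations),
        "stale": stale_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for key, value in review(ACCOUNTS, HR_TERMINATIONS, AUTH_LOG, date(2010, 7, 27)).items():
        print(f"{key}: {value}")
```

Run as of 2010-07-27, the sample data yields jdoe as terminated but still enabled, a successful login by jdoe and a failed attempt by rroe after their termination dates, and three stale accounts, one of which is a service account that has never logged in, the kind of entry a periodic appropriateness review exists to question.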
The importance placed on weaknesses in internal controls for user access is understandable in light of IDC reporting that “Out-of-date and/or excessive privileges and access control rights for users are viewed as having the most financial impact on organizations.”(c)
"Deficiencies identified in FEMA's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities." – KPMG FEMA Report (a)
Material weaknesses at FEMA are estimated to take several years to remediate using conventional methods, but the Veriphyr Identity and Access Intelligence Service can put sustainable internal controls in place in days, not months. Moreover, this can be done with zero hardware, zero software, and no work.

The Veriphyr identity and access intelligence service applies analytics to data you already have and eliminates the grunt work of identifying user access policy violations. It also delivers actionable remediations and monitors their resolution.

If you want to avoid a material weakness of internal controls in your next audit be sure to view a video demonstration of the Veriphyr identity and access intelligence service.

Sources:
(a) Information Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2009 DHS Integrated Audit
(b) A.R.C. Morgan: More than 60 Percent of CFOs Resign or are Pushed when a Material Weakness is Disclosed
(c) “Insider Risk Management: A Framework Approach to Internal Security” by IDC


Copyright © 2010-2011 by Veriphyr Incorporated, All Rights Reserved.

Contact us at Veriphyr.com.