Security - Baseline

Security Slideshow:
Managing Identity Data Through Corporate Restructurings



These are tumultuous times, characterized by shotgun mergers, acquisitions, and corporate restructurings that result in mass layoffs. This corporate churn forces companies to change employee access to sensitive corporate data on very short notice: grant access privileges to new employees, adjust access privileges for re-assigned employees, and terminate access for former employees and contractors.

Organizations that are "identity aware" can successfully - and proactively - manage the IT risk associated with changing user access to applications and systems. In this presentation, SailPoint's Founder and CEO, Mark McClain, provides advice to help IT organizations prepare for these scenarios.



Slideshow Archive
  • 1. Take formal steps to manage your identity risk before a merger, acquisition or downsizing takes place:
    • Catalog all sensitive information assets affected
    • Identify all workers impacted (joiners, movers, leavers)
    • Define all internal controls to be used to manage risk and ensure compliance
  • 2. Perform an identity inventory on assets that will be affected by the restructuring, in order to create an authoritative record of "who has access to what?"
    • Aggregate user and access information from various systems into a single repository
    • Use correlation rules to resolve inconsistencies between resources to obtain a unified view
  • 3. Perform a "data cleanup" certification to establish a reliable baseline of data:
    • Require application owners and people managers to review and certify the access privileges of all users in their departments
    • Identify the list of all access privileges to be revoked based on this initial review
    • Organizations typically find that between 10% and 25% of user access privileges are inaccurate or inappropriate and should be revoked.
  • 4. Proactively identify and manage high-risk users:
    • Include those with privileged accounts and those most likely to be affected by a restructuring, and ensure they are visible to all certifiers
    • Use the principle of "least privilege" to remove any high-risk access privileges not needed to perform job functions
  • 5. Assess your governance and risk management status based on your baseline certification:
    • Identify gaps with established controls
    • Identify areas where corporate policy is being violated
    • Analyze the overall identity risk posture of users and systems
  • 6. Centrally define the policies required to meet corporate and regulatory requirements across all critical resources. Identity policies that should be defined include:
    • Separation-of-duty (SoD) rules to prevent users from holding "toxic combinations" of entitlements that could make it possible to commit fraud or misuse data.
    • Any specialized rules required to manage the corporate restructuring (e.g., rules that determine how newly acquired workers are allowed access based on a department code, location, etc.)
  • 7. Before a merger or acquisition occurs, focus your corporate controls on users and systems being merged into the enterprise to ensure a smooth, compliant transition:
    • Inventory and certify users and their access privileges
    • Scan and detect any policy violations before the transition
    • Identify users that pose the greatest risk and revoke any unnecessary or inappropriate privileges
  • 8. Before a layoff occurs, take proactive steps to protect sensitive applications and data:
    • Certify your identity data in advance so that you have current, accurate information about all users and their access to critical corporate assets
    • Ensure managers and the IT organization are prepared to disable all accounts held by affected workers at the moment termination notices are delivered, not afterwards
  • 9. Ensure security continuity by implementing a higher-than-usual level of activity monitoring.
    • Ensure logging is turned on for systems that may be subject to sabotage or theft
    • Pay special attention to high-risk or privileged users or any workers with access privileges that do not conform to policy (e.g. allowed exceptions)
  • 10. Following any transition, schedule a special-purpose access certification to mitigate risk.
    • Refresh your correlated identity data and confirm that all accounts belonging to departed workers have been removed
    • Pay special attention to any changes detected (new users, new policy violations, or new entitlements)
  • 11. Maintain audit continuity by requiring explicit reviews and approvals for all new access requests to sensitive information.
    • During and after any transition, take special care that you don't re-introduce policy violations that could place the enterprise at risk
    • Involve audit and compliance staff to ensure future compliance requirements are being met
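Steps 2, 6 and 10 above describe a concrete technique: pull account exports from several systems, correlate them to an authoritative HR record so that one person's entitlements are visible across systems, then evaluate separation-of-duty policy, orphan accounts and leaver accounts against that unified view. The following Python script is an added illustration of that workflow and is not code from the slideshow or from SailPoint. The HR feed, account exports, correlation rules and the toxic combination are all constructed sample data; real deployments would read these from the directory, ERP and HR systems.

```python
from collections import defaultdict

# Constructed HR feed: the authoritative record of people (joiners, movers, leavers).
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "dept": "Finance", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com", "dept": "IT", "status": "active"},
    {"employee_id": "E102", "email": "carol@example.com", "dept": "Finance", "status": "terminated"},
]

# Constructed account exports from three systems that identify people differently:
# the directory and the payments app carry a mail attribute, the ERP an employee number.
ACCOUNT_EXPORTS = [
    {"system": "AD", "account": "alice", "mail": "alice@example.com", "entitlements": {"Finance-Users"}},
    {"system": "AD", "account": "bob.admin", "mail": "bob@example.com", "entitlements": {"Domain Admins"}},
    {"system": "ERP", "account": "ALICE01", "emp_no": "E100", "entitlements": {"AP_CREATE_VENDOR"}},
    {"system": "PAY", "account": "alice.f", "login_mail": "Alice@Example.com", "entitlements": {"AP_APPROVE_PAYMENT"}},
    {"system": "PAY", "account": "carol.f", "login_mail": "carol@example.com", "entitlements": {"AP_APPROVE_PAYMENT"}},
    {"system": "ERP", "account": "SVC_BATCH", "entitlements": {"AP_POST_JOURNAL"}},  # no owner attribute at all
]

# Correlation rules (assumed for this example): per system, which account attribute
# is matched against which HR attribute.
CORRELATION_RULES = {
    "AD": ("mail", "email"),
    "PAY": ("login_mail", "email"),
    "ERP": ("emp_no", "employee_id"),
}

# Policy: entitlement pairs no single person may hold (separation of duty), and
# entitlements treated as privileged when building the high-risk user list.
TOXIC_COMBINATIONS = [frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"})]
PRIVILEGED_ENTITLEMENTS = {"Domain Admins"}


def correlate(accounts, hr_feed, rules):
    """Map every account to an HR identity; return (identity -> accounts, orphan accounts)."""
    by_identity = defaultdict(list)
    orphans = []
    for acct in accounts:
        acct_attr, hr_attr = rules[acct["system"]]
        key = acct.get(acct_attr)
        # Normalise case so 'Alice@Example.com' and 'alice@example.com' correlate.
        match = next(
            (p for p in hr_feed if key and str(p[hr_attr]).lower() == str(key).lower()),
            None,
        )
        if match is None:
            orphans.append(f"{acct['system']}:{acct['account']}")
        else:
            by_identity[match["employee_id"]].append(acct)
    return by_identity, orphans


def entitlements_of(accounts):
    """Union of entitlements across all of one identity's accounts: the cross-system view SoD needs."""
    return set().union(*(a["entitlements"] for a in accounts))


def sod_violations(by_identity, toxic):
    """Identities holding every entitlement of a toxic combination, even when split across systems."""
    return sorted(
        (emp, tuple(sorted(combo)))
        for emp, accts in by_identity.items()
        for combo in toxic
        if combo <= entitlements_of(accts)
    )


def leaver_accounts(by_identity, hr_feed):
    """Accounts still present for people the HR feed marks as terminated."""
    terminated = {p["employee_id"] for p in hr_feed if p["status"] == "terminated"}
    return sorted(f"{a['system']}:{a['account']}" for emp in terminated for a in by_identity.get(emp, []))


def privileged_users(by_identity, privileged):
    """Identities holding at least one privileged entitlement on any system."""
    return sorted(emp for emp, accts in by_identity.items() if entitlements_of(accts) & privileged)


def baseline_report():
    """The 'who has access to what' baseline a certification campaign would start from."""
    by_identity, orphans = correlate(ACCOUNT_EXPORTS, HR_FEED, CORRELATION_RULES)
    return {
        "orphan_accounts": orphans,
        "sod_violations": sod_violations(by_identity, TOXIC_COMBINATIONS),
        "leaver_accounts": leaver_accounts(by_identity, HR_FEED),
        "privileged_users": privileged_users(by_identity, PRIVILEGED_ENTITLEMENTS),
    }


if __name__ == "__main__":
    for section, items in baseline_report().items():
        print(f"{section}: {items}")
```

The point the sample data makes is that Alice's toxic combination is invisible to either the ERP or the payments system on its own; it only appears once both accounts are correlated to one identity. The uncorrelated SVC_BATCH account and Carol's surviving payments account are exactly the items steps 3 and 10 hand to certifiers for revocation.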