Rx for ProgressBy Samuel Greengard | Posted 2009-08-04 Email Print
In today’s data-centric world, organizations are striving to do a better job of recognizing and containing risks.
Rx for Progress
Over the last quarter-century, regulatory requirements have become a fact of life for many organizations. And Sarbanes-Oxley is only the beginning. A dizzying array of initiatives—Basel II, the Gramm-Leach-Bliley Act, HIPAA, NERC, COBIT, COSO, RoHS, WEEE and many others—force a growing number of organizations to adopt policies and procedures that ensure compliance.
“It has gotten to the point where an organization’s enterprise risk management strategies affect its credit rating,” Huron’s Kispert explains.
Mark Pfefferman, director and assistant vice president of identity management for Western & Southern Financial Group, is among those who clearly understand the gravity of risk management. The Cincinnati-based Fortune 500 firm, rated among the top 10 insurance companies worldwide ($2.78 billion in 2008 sales), must adhere to the Model Audit Rule (MAR), a body of regulations that dictates auditing requirements and data access rules. HIPAA and Gramm-Leach-Bliley regulatory issues also apply.
“We have to address regulations and requirements without pushing up our head count and overall costs,” he says.
A data breach could result in the company losing the public’s respect and, in a worst-case scenario, losing its charter to conduct business in Ohio and beyond. In the past, Western & Southern Financial had mostly manual controls in place.
“Unfortunately, humans are very poor monitors,” Pfefferman says, adding, “There’s a huge cost associated with having people dedicated to manual controls, and it’s extremely difficult to audit the environment.” In fact, an audit could require hundreds or thousands of pieces of paper or spreadsheets.
No longer. The company now provisions access rights and privileges based on roles and then certifies that individuals are slotted into the correct roles with the desired level of access. Using Novell Access Governance Suite, Western & Southern Financial is rolling out the system department by department, until all 4,000 employees are using it.
The advantages include better reporting, more granular access controls, improved auditing capabilities, and reduced administration and personnel costs, according to Pfefferman. The solution also has “a very tight system for terminating rights,” he says. “We’re able to avoid orphan accounts that could lead to unauthorized access to systems.”