'Evolved' IAM Programs Can Boost Compliance, Efficiency
Regulations aimed at protecting IT operations and data aren't going away, and companies should evolve their compliance environments into cost-effective, sustainable programs, according to experts speaking at a Sept. 13 webinar, "The Evolution of Controls for Compliance -- The Next Phase: Controls Automation & Monitoring."
The webinar was sponsored by CA, a N.Y.-based IT management software provider.
To keep compliance efforts moving forward, Deborah Golden, principal, Deloitte & Touche, advised companies to consider working to advance their identity and access management (IAM) programs with an eye to:
Maintain business and IT process controls;
Leverage automated controls;
Automate inefficient and risky manual controls and business and IT processes;
Maintain user access and segregation-of-duty controls;
Monitor configurable controls and system setup configurations;
Monitor transactions for control issues and anomalies; and
Monitor changes to master data.
But it is critical first to understand specific compliance requirements and how and where you should prioritize leveraging IT controls versus manual controls, she said.
While manual controls are slower, they are sometimes sufficient, she said. However, technology-enabled controls reduce testing efforts by, in part, cutting down on individual "self-tests," making smaller sample sizes work and making testing automatic rather than human-driven, she said.
Also, one of the biggest value propositions for technology as an IAM compliance tool is its adaptability to address requirements from different regulations, Golden said.
And getting IAM right can help a company avoid a lot of troubles, said Sumner Blount, CA's director of Security Management Solutions. He noted that seven of the top 10 IT-related design control deficiencies cited by IT-governance respondents to an Information Systems Audit and Control Association survey in 2004 were IAM related.
-- Michael Causey