Policies are not translated into operational processes, and no framework exists to make standardisation possible.
This access issue is what usually generates the most findings during an audit. In the short-term, employees may find the discretionary allocation of access a convenience. But as time passes, allocation of permissions becomes rampant and this will eventually lead to the business being damaged. IAG is a combination of internal control mechanisms limiting the risks from unauthorised access and providing compliance improvements.
The starts with establishing the IST-SOLL situation: the comparison of how the current access rights are implemented with the desired final situation in a roles model.
The identification of related business processes will enable enforcing control and access rights, and will also increase knowledge and control over who has what type of access to systems and corporate information and when. This prevents nasty surprises.
To trace application activities back to individuals, each individual account must be traceable to an actual person recorded in a source registration.
No test accounts may be active in the production environment, as these can be misused for actual transactions.
To prevent the circumvention of functional roles, no account must exist that has all authorisations.
Identity & access management must be implemented using a transparent and consistent organisational structure. This is founded on the so-called authorisation verification process that enforces ‘administrative hygiene’ through the use of analysis software.
Nico Geerts - CISM, Architecture advisor I Informatica J. Van Breda & Co
Our choice to work with Traxion has been the right one. They have proved to be the genuine Identity & Access Management specialists.