IT controls around user access, regardless of the internal business policy
or industry regulation, are the common denominator for surviving audits and
ensuring compliance. However, the creation and enforcement of access policy
for job-critical applications and systems is an increasingly complex undertaking,
especially for organizations with large transient workforces. Adding to the
complexity is the rapid adoption of new technologies that support increased
enterprise collaboration and virtualized or remote access. In the coming years,
organizations' approach to addressing compliance requirements will be put under
a microscope, especially as high-profile data breaches continue to make headlines,
and repercussions for non-compliance weigh heavily on companies' reputations
and their bottom line.
With the constant pressure of audit cycles required to demonstrate compliance
with business policies or guidelines such as the Health Insurance Portability
and Accountability Act (HIPAA), the Payment Card Industry (PCI) Data Security
Standard and the Sarbanes-Oxley Act (SOX), many organizations are being pushed
into "reactive mode." They scramble simply to meet the next deadline and pass
the current audit, unable to plan ahead for what the next one may entail. This
comes at a cost: many resources are dedicated to the latest fire-drill effort
to get through the audit of the day.
In order to break out of that reactive rut, business managers, who are increasingly
shouldering compliance responsibilities, need to be able to proactively evaluate
the risks associated with access created (intentionally or not) within new virtualized
or collaborative work environments. This means being able to answer critical
questions about where the exposure is and what policy is being enforced, and,
in some cases, determining how to go back and build policies around new access
compliance exposures that are not currently being addressed.