How Death, Taxes, and Compliance are Related
Happy tax season.
Are you one of the many US taxpayers preparing for Apr 15th?
It was once said, “Death and taxes may be inevitable, but they shouldn’t be related.” Complying with industry regulations and impeding your business productivity shouldn’t be related either.
Beyond the common misconception that being compliant will ensure security, nothing gives executives more pause than failing an audit. After all, failure to demonstrate compliance can be extremely costly. Google found this out in January 2019 when it was fined $57M (50M Euros) for not adequately informing users of their privacy rights in accordance with GDPR.
CISOs, CIOs and even CEOs are feeling the heat in the new regulatory environment, and this is driving consensus. C-suite executives are realizing that compliance is not a part-time job. It shouldn’t be a full-time job either. Regulations intended to direct best practices for preventing fraud and improving overall security span many areas of the business. The bottom line is that compliance is everyone’s job.
When it comes down to it, most regulations in the alphabet soup of industry standards (HIPAA, FERPA, PCI, SOX, FISMA, GDPR, DFARS… and the list goes on) have in common the need to protect data. After all, it is past high-profile data breaches that have forced the creation of many of these regulations. Upon further examination of these breaches, we find two very common situations: 1) organizations did not know where potentially sensitive data was stored, and 2) they did not know who had access to it.
Because users are the ones who hold the keys to accessing sensitive data, it only makes sense that IT security should revolve around them. So, in turn, updated regulatory requirements demand that organizations better understand who has access, whether they should have that access, and, if so, what they are doing with it. These requirements are dictating the need to govern the digital identities, including software bots, in our organizations.
And it’s not just about controlling user access to applications. Sensitive information located in local and cloud file shares has become an even greater concern. Where many enterprises lack the proper controls is access to unstructured data, such as SharePoint or e-mail servers, which may not have the same oversight as corporate applications. With Gartner estimating unstructured data to be 80% of all enterprise data, this is not a small problem.
To solve this problem, extend traditional identity governance processes to how you manage access to sensitive data.
- Automatic, periodic access certification assures that users have the right access to the right data at the right time.
- Electing proper data owners keeps data healthy and ensures access requests are granted and rejected appropriately.
- You can then further expand your identity governance program to include forensic data classification and role management, among other security aspects, to even further protect your sensitive data.
Identity governance helps your organization proactively meet and demonstrate compliance requirements. It provides the intelligence and business insights needed to strengthen preventive and detective controls and protect information assets.
While death, taxes, and compliance may all evoke the same visceral response, identity governance can at least address your compliance issues. For the other two, we’d recommend regular visits to the doctor, vitamins, and a good CPA.
To learn more see our webinar on where identity meets security and compliance.