Being a CTO or a CIO today is tougher than ever. As if aligning IT with overall business strategy while keeping pace with rapidly changing technology weren’t hard enough, CTOs and CIOs must deal with an increasingly heavy compliance burden. Various federal and industry-specific regulations to ensure data security and privacy, such as PCI, Sarbanes-Oxley and HIPAA, are designed to keep sensitive customer data safe.
Often, the rules are open to interpretation with little in the way of exact specifications. Nonetheless, failure to comply with them can be costly in terms of fines, penalties and other negative repercussions such as loss of trust.
Fortunately, identity and access management (IAM) solutions can be used to meet numerous compliance requirements. As stated in the often-quoted definition by Gartner, IAM is “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.”
If an organization is audited and has a solid IAM program, it can prove that it has measures in place to mitigate the risk of data being stolen or misused. IAM can also help meet the more specific criteria associated with various regulations, including those that follow.
SOX applies to the financial services, banking, and insurance industries. Section 404 specifically mandates that adequate internal controls are in place, tested and documented for preparing financial reports and for protecting the integrity of the financial information going into these reports. Among the ways IAM can address this is by:
GLBA is a federal law that mandates that all financial institutions maintain the confidentiality of non-public customer information and protect against threats to it. It includes the Financial Privacy Rule, which regulates the collection and disclosure of private financial information, and the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information. Then there are the Pretexting provisions, which prohibit the practice of accessing private information using false pretenses. This is the area where IAM can provide the biggest compliance boost by:
HIPAA establishes national standards for processing electronic healthcare transactions, requires covered entities (healthcare or other organizations that handle protected health information) to implement secure electronic access to health data, and mandates compliance with privacy regulations set by the U.S. Department of Health and Human Services (HHS). The HIPAA omnibus rule provides guidelines for business associates of covered entities.
IAM can assist organizations in ensuring HIPAA compliance with access and identity management. That includes the use of federated identities, single sign-on (SSO), least privilege, regular credential rotation, multifactor authentication, and role-based policies for account provisioning and de-provisioning. (IAM can also help comply with the Health Information Technology for Economic and Clinical Health Act, known as HITECH.)
FERPA governs access to student records maintained by educational institutions and agencies, and applies to all federally funded elementary, secondary, and postsecondary institutions. It requires that these organizations use “reasonable methods” to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing or permitting access to personally identifiable information (PII).
While FERPA doesn’t mandate specific requirements regarding “reasonable methods,” best practice suggestions include components inherent in IAM solutions including:
NERC Critical Infrastructure Protection (CIP) Standard 002-009 outlines core technical requirements for cyber security, including accountability through authentication, access control, delegation, separation of duties, and continuous monitoring and reporting of electronic access to critical infrastructure. NERC CIP 005, 004, 007 and 008 also require that all electronic access be audited, monitored and archived so that an organization can reproduce detailed privileged user sessions 24 hours per day, 7 days per week.
IAM can help meet many of the requirements in numerous ways. In terms of access management, that includes centralized authentication and SSO. For example, CIP 003 (Security Management Controls) and CIP 005 (Account Management) both require access controls. IAM can help meet this requirement by enforcing a 'least-privileges' model, which can prevent accidental or malicious damage to systems and critical data breaches.
PCI DSS is an industry-accepted security standard for companies that manage major credit cards. IAM can help meet many of its components through data access management. For example, PCI DSS limits the number of employees who can access payment card data.
IAM can be used to meet this standard by granting users only the least privileges necessary to complete their work. IAM also can be used to meet much of PCI DSS requirement 8.1, which states “Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components …” That includes ensuring that each user has a unique ID, automatically revoking access for terminated users, and removing or disabling inactive user accounts within a set timeframe.
The GDPR goes into effect 25 May 2018. It’s the EU directive that aims to consolidate data protection regulations across EU member states. It has many organizations worrying because of its heavy non-compliance penalties: as much as 4% of annual global turnover or €20 million (whichever is greater). Key functionalities provided in an IAM solution can help organizations avoid those penalties, including:
For example, IAM can help organizations comply with GDPR requirements such as managing consent by individuals to have their data recorded and tracked, responding to individuals’ right to have their data erased and notifying people in the event of a personal data breach. Watch for future blogs on IAM and GDPR compliance.
Just about any regulatory or legal requirement pertaining to data privacy and security can be met by controlling data access. That’s what IAM does best.