Monday, April 7, 2008

We May Not Need an IT Compliance Manager Solution

Written by: Ilan Sharoni/Eurekify

I heard this statement in one of my recent visits to a small but fast-growing company.
It was clear to me where and why this statement came from, since it was voiced by the security technical manager, who still manages to provision and handle compliance issues manually.

By the way: this customer does not have IdM yet, and plans to use Eurekify for Role Modeling, Management and Compliance management, and to provision access rights to all systems from Eurekify.


Before Eurekify, the provisioning scenario was done like this:

1. A new employee is registered in the HR department.

2. The new employee reports to his boss.

3. The boss requests that the security manager grant this new person the required access rights.

4. The security manager asks the boss for the name of another employee who has the typical access rights that are required (the security manager plans to copy all the access rights of that person to the new person).

5. The security manager now needs to check that granting the new access rights does not exceed the business licenses for license-limited software.

6. Since there is no automatic compliance management solution, this process is done manually, and its speed relies on how good the security manager's memory is.

If no mistakes are made, the new employee is provisioned and ready to work!!

Wow! What a process.

Since there are no “Roles” in the organization, current employees who are considered “typical users” serve as the “Roles”.

Since there is no automatic repository of all the resources that are limited by licenses and their limits, this checkup may take a while.


This customer deployed Eurekify and successfully manages:
1. Roles and access rights (Roles are automatically granted based on the user's HR attributes)
2. Policy checkup (license limits and many other SoD policies)
3. Cleansing
4. Granting access to new hires and movers – automatically!
5. Uploading access rights to the target system


I was impressed with the results, which made a huge change in how the security manager manages the business access rights today and how they are provisioned.

If you want to talk with me about your provisioning systems, role modeling, compliance and more, feel free to contact me at:
isharoni@eurekify.com

Ilan Sharoni
http://www.eurekify.com/

Monday, February 4, 2008

Effective Risk Management via Business Policies

Written by: Ilan Sharoni/Eurekify

Following the latest financial crisis at Societe Generale, Mr. Lagarde, the French Finance Minister, encouraged banks to effectively monitor and manage risks.
Today, risk management awareness is addressed in two ways:
1. Monitor actual transactions as they occur.
2. Preventive measures via business policies.

Businesses, especially in the financial space, are adopting solutions that enable them to electronically and automatically trace potential violations or risks, so that they can be prevented before the situation escalates into a global crisis that jeopardizes the stability and the very existence of the company.

Societe Generale did not deploy effective internal mechanisms to prevent, or take preventive action against, the coming disaster.

What could have been done? The answer is “a lot”, especially if the bank had been using any risk management solution and/or business compliance rule monitoring.

The Eurekify solution, which is SOX oriented, enables the security auditor to:
1. Request attestation of access rights and privileges by privileged employees and their managers.
2. Periodically and automatically monitor the business compliance rules database (“real time”).

Business Policies (SoD - Segregation of Duty rules) can be defined on any business object, such as transactions, access rights, ad-hoc permissions and more.
Every rule should be associated with a “risk level”, which represents:
1. The risk of that rule to the business.
2. The actions that need to be taken (reporting flow) in case this Business Policy is violated.
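The role-based grant, the license-limit checkup and the SoD rules with risk levels described in both posts, as an added example in Python (my own constructed illustration, not Eurekify's product code); the HR attributes, role names, access rights, license cap and reporting-flow names are all made up:

```python
from collections import Counter

# Constructed sample data (illustration only, not Eurekify's data model).
ROLE_RULES = {                       # HR attributes (dept, title) -> roles
    ("finance", "clerk"): ["AP_Clerk"],
    ("finance", "manager"): ["AP_Approver"],
    ("it", "admin"): ["Sys_Admin"],
}
ROLE_RIGHTS = {                      # role -> access rights on the target systems
    "AP_Clerk": {"create_invoice", "erp_login"},
    "AP_Approver": {"approve_payment", "erp_login"},
    "Sys_Admin": {"cad_seat", "erp_login"},
}
LICENSE_LIMITS = {"cad_seat": 2}     # license-limited resource -> number of seats owned
SOD_RULES = [                        # (conflicting rights, risk level, reporting flow)
    ({"create_invoice", "approve_payment"}, "high", ["auditor", "cfo"]),
]

def roles_for(hr):
    """Derive roles from HR attributes; an unknown combination yields no roles."""
    return ROLE_RULES.get((hr["dept"], hr["title"]), [])

def rights_for(roles):
    rights = set()
    for role in roles:
        rights |= ROLE_RIGHTS[role]
    return rights

def check_provisioning(hr, roles, existing):
    """Return the policy violations that block granting `roles` to the user in `hr`.
    `existing` maps user id -> rights already provisioned on the target systems;
    the user's own current rights are excluded so a mover is not counted twice."""
    rights = rights_for(roles)
    in_use = Counter(r for uid, rs in existing.items() if uid != hr["id"] for r in rs)
    violations = []
    for resource, cap in LICENSE_LIMITS.items():
        if resource in rights and in_use[resource] + 1 > cap:
            violations.append(("license", resource, "medium", ["license_admin"]))
    for conflict, level, flow in SOD_RULES:
        if conflict <= rights:       # user would hold every right in the conflicting set
            violations.append(("sod", "+".join(sorted(conflict)), level, flow))
    return violations

if __name__ == "__main__":
    existing = {"u1": {"cad_seat", "erp_login"}, "u2": {"cad_seat", "erp_login"}}
    hire = {"id": "u3", "dept": "it", "title": "admin"}
    print(check_provisioning(hire, roles_for(hire), existing))
```

Each violation carries the rule's risk level and the reporting flow, so the grant can be held and routed to the right people instead of relying on the security manager's memory.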

Trusting people to perform this task manually or semi-manually is prone to human errors or security breaches that the auditor may not be aware of.
Therefore, an automatic Risk Management and Business Policies management solution must be deployed in every business.

An additional huge and very important benefit of such systems (such as the Eurekify Business Compliance Manager) is the ability to easily manage, maintain and transfer knowledge of all the business rules.
Automating this process enables the customer to easily track violations and add many new rules.

Best Regards
Ilan Sharoni
http://www.eurekify.com/