Five Steps to Access Assurance
More from my interview on system-access risks with Courion vice president Kurt Johnson (including step-by-step guidance on developing a sound access assurance program) …
Eric Krell: How can companies better manage this systems-access risk?
Kurt Johnson: Companies can better manage systems-access risk by ensuring a strong access assurance strategy. Specifically, do the right people have the right access to the right resources, and are they doing the right things with it?
Organizations need to recognize the risk and build a strategy that includes the following:
1. Know where the sensitive information is. Find it. Categorize it. Identify it. Then, determine what the areas of highest risk are. We don’t need to be as worried about the company softball site as about the engineering development site that details product plans or the customer database with credit cards and Social Security numbers.
2. Know who has access to this information. Which people have access to this data? What job functions do they perform? Is there a need for them to have this access?
3. What are users doing with this data? Understand baseline trends. It may be perfectly normal to view 100 transactions a day, but if those transactions are sequential, it may be a security violation. Is someone accessing information after hours? Are we seeing a peak in people downloading information to drives? Are they sending sensitive information over personal email or copying it to USB devices?
4. Automation is the most efficient form of control, so automate the process to manage user access to this data. When someone starts a job, have the proper people approve their access to this information, and make sure that they can only request access to information and resources within their role in the organization. When someone leaves the organization, the system knows exactly what access they have and can immediately disable that access. When people change jobs, they get the new access they need (within policy), but the access they no longer need is turned off. It’s best to link this directly to HR so that when they’re turned off from payroll, their data access is also turned off.
5. Conduct ongoing, periodic review and attestation. Have business managers look at exactly what access their users have and attest that it is appropriate. Highlight the most sensitive and highest-risk areas. Also, have a manager take immediate action if they are seeing activity outside the scope of “normal.”
EK: Based on your experience, who within the company (what function) is responsible for addressing this risk? What can and should the role of the corporate finance executive be in addressing this risk?
KJ: This really is a cross-organization activity. Generally, it is the Chief Information Security Officer (CISO) who shoulders the burden of ensuring that an access assurance strategy is in place. Then, it is a coordinated effort between HR (who is handling the onboarding and offboarding procedures for employees); business managers doing the hiring, promoting, transferring, and terminating; and IT to ensure the ties are in place to the appropriate systems.
It is important that the executive team drive the strategy and institutionalize the processes involved with developing and executing access compliance policies in conjunction with corporate risk mitigation policies.
The corporate finance executive should work with the CISO or IT manager to determine how the company can afford to deploy and maintain an identity and access compliance solution. In many cases, this process can be tackled in phases so it doesn’t impact the bottom line at all and actually saves money in the IT or security budget.
Companies need to put an action plan in place to prevent these types of data breaches, because when they happen, they involve everyone and can have serious implications for the entire business.
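The automation Johnson describes in step 4 (and the list a manager would attest to in step 5) is easier to see as code. The following is an added example, not part of the interview and not code from Courion or any product: a joiner/mover/leaver reconciliation in Python that treats a constructed HR feed as the source of truth, compares it with a constructed snapshot of current entitlements against a hypothetical role policy, applies disables and out-of-role revocations immediately, and emits new access as approval requests and HR-unknown accounts for review. All names, roles, systems and entitlements are made up for illustration.

```python
"""Joiner/mover/leaver reconciliation driven by an HR feed (added example).

The HR feed is authoritative, as the interview recommends: leavers are
disabled, movers lose access outside their new role, joiners and movers get
new access only as approval requests, and accounts HR does not know about are
flagged for review. All data here is constructed; nothing is read from a
real system.
"""
from dataclasses import dataclass

# Hypothetical role policy: the entitlements each job role may hold.
ROLE_POLICY = {
    "engineer": {"vpn", "source-repo", "product-plans"},
    "sales": {"vpn", "crm-read"},
    "finance": {"vpn", "erp-read", "customer-db"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str  # "active" or "terminated"


# Constructed HR feed: alice unchanged, bob moved engineering -> sales,
# carol terminated, dave hired but not yet provisioned anywhere.
HR_FEED = [
    HrRecord("alice", "engineer", "active"),
    HrRecord("bob", "sales", "active"),
    HrRecord("carol", "finance", "terminated"),
    HrRecord("dave", "engineer", "active"),
]

# Constructed snapshot of what the access systems currently grant.
CURRENT_ACCESS = {
    "alice": {"vpn", "source-repo"},
    "bob": {"vpn", "source-repo", "product-plans", "crm-read"},
    "carol": {"vpn", "erp-read", "customer-db"},
    "svc-legacy": {"customer-db"},  # no HR record: orphan account
}


def reconcile(hr_feed, current_access, policy=ROLE_POLICY):
    """Return (verb, user, entitlement) actions that align access with HR.

    disable -> leaver, applied immediately
    revoke  -> entitlement outside the user's role (mover), applied immediately
    request -> entitlement the role allows but the user lacks; needs approval
    review  -> account with no HR record; a human must decide
    """
    actions = []
    hr_by_user = {r.user: r for r in hr_feed}

    for user, granted in sorted(current_access.items()):
        record = hr_by_user.get(user)
        if record is None:
            actions.append(("review", user, None))
            continue
        if record.status == "terminated":
            actions.append(("disable", user, None))
            continue
        allowed = policy.get(record.role, set())
        for ent in sorted(granted - allowed):
            actions.append(("revoke", user, ent))
        for ent in sorted(allowed - granted):
            actions.append(("request", user, ent))

    # Joiners: active in HR but with no account in any system yet.
    for record in hr_feed:
        if record.status == "active" and record.user not in current_access:
            for ent in sorted(policy.get(record.role, set())):
                actions.append(("request", record.user, ent))
    return actions


def apply_immediate(actions, current_access):
    """Apply only the actions that need no approval (disable, revoke).

    Returns the resulting access map; requests and reviews are left for the
    approvers and the attestation review, so flagged orphans stay untouched.
    """
    updated = {user: set(ents) for user, ents in current_access.items()}
    for verb, user, ent in actions:
        if verb == "disable":
            updated[user] = set()
        elif verb == "revoke":
            updated[user].discard(ent)
    return updated


if __name__ == "__main__":
    plan = reconcile(HR_FEED, CURRENT_ACCESS)
    for verb, user, ent in plan:
        print(f"{verb:8} {user:12} {ent or ''}")
    print(apply_immediate(plan, CURRENT_ACCESS))
```

The `request` and `review` actions are the attestation input from step 5: a business manager sees exactly which grants are pending and which accounts no one in HR can vouch for, while the automated disables and revocations have already closed the window a departed or transferred user would otherwise keep open.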