In this blog series we briefly cover seven trends that impact your Identity and Access Management strategy. In this part we cover the increase of rules and regulations from internal and external governing bodies and how you can incorporate them into your IAM strategy.
Being compliant with internal and external rules and regulations is key to running a secure and healthy organization. Organizations follow these guidelines to improve processes, meet regulatory requirements, strengthen security processes, or for business purposes such as a planned IPO or a business partnership. There are several regulatory frameworks that companies have to abide by, and this has an enormous impact on your IAM strategy.
These frameworks can be enforced by internal and external auditors or stakeholders to evaluate implemented controls within the organization. It’s also possible that these frameworks are leveraged by third parties such as investors or potential partners as they need to be able to evaluate the potential risks of doing business with an organization.
So which external regulatory frameworks are there, and what is their impact on your IAM strategy? There are several frameworks out there: some only apply to certain industries, while others are more generic and apply to all organizations. Let’s have a look at a couple of prominent ones and how they impact IAM.
If your company is a public company, or if you’re looking to go public with your company, the 2002 Sarbanes-Oxley Act (commonly known as SOX) applies to you and is mandatory. This law was passed to counteract fraud, following several critical accounting scandals (e.g. WorldCom and Enron). It enforces several security requirements for systems and applications that process financial data. This impacts your IAM strategy, as you need to implement these requirements in terms of access management, access controls and segregation of duties in order to be “SOX proof”.
If your company processes credit card data, whether as an online shop, as a card-issuing bank or as an app developer that allows users to make in-app purchases, the Payment Card Industry Data Security Standard (PCI DSS) applies to you. This standard aims to protect the security of cardholder data when it is processed by companies.
The level of interaction your organization has with credit card data determines the PCI compliance level your organization needs to meet. Besides implementing certain controls and procedures in your IAM strategy to be compliant with your PCI level, you might also need to perform regular network scans and self-assessments and be subject to on-site security audits by independent external auditors, where you need to be able to prove your compliance.
A more generic framework is the ISO framework. It consists of several sub-frameworks that can apply to your organization depending on the industry you’re in and the organizational goals you have. In terms of improving your information security processes and systems, you can find helpful guidance and controls in ISO/IEC 27001 that you can implement in your IAM strategy. By doing so you can manage employee details, third-party information or intellectual property in a secure way. Compliance is not obligatory, but it helps companies implement best practices, and some companies want to be ISO certified to reassure their customers and clients that the ISO recommendations have been followed.
Another regulation that is more commonly known by the public is the General Data Protection Regulation (GDPR). This regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data, and rules relating to the free movement of personal data. It has been a hot topic within companies in recent years, especially after a court case against Facebook for allegedly breaking this European privacy law. In order to be GDPR compliant you need to know what data your company holds on natural persons, and you need to classify this data to determine what needs to be protected and what data needs additional security restrictions because it can be seen as a potential risk.
In order to become compliant with these frameworks, you need to know what they entail and have the IAM processes and tooling in place to be able to enforce them.
One Identity Manager is a solution that easily allows you to implement compliance frameworks, which can then be used to classify attestation policies, compliance rules and company policies according to the regulatory requirements. You can even organize them hierarchically by assigning a parent framework, to make sure the most important framework is the leading one.