There’s a specter haunting IT departments around the world: increasing identity and access management risk. Left unchecked, this trend will quietly raise the impact and likelihood of an IT security event. Unlike other corporate problems such as fraud or high employee turnover, detecting and controlling this risk is difficult. There’s a way to make it through this process.
The Dangers of Misunderstood Corporate Risks
When you don’t understand a risk, you’re more likely to make harmful mistakes. Think back to the financial crisis of 2007-2009. Financial institutions created exotic, complex investments that made tremendous profits for a few years. However, these products were difficult to assess when the markets experienced problems. Limited understanding of risk is one reason why some companies took significant losses and went out of business.
Security and technology risks are similar in many ways. Like complicated financial instruments, IT security is perceived to be so complex that regular people cannot understand it. There’s some truth to that statement, but it’s easy to take it too far. IT leaders need to define, measure, and understand this risk themselves and communicate with the business accordingly. Otherwise, senior management won’t be able to direct staff to make smart decisions about their IT practices and habits.
Your Path from Chaos to Order: 5 Steps to Contain Identity and Access Management Risk
To bring identity and access management risk under control, use this process. Your work starts by carrying out analysis and then engaging stakeholders beyond the IT department.
1. Review Your Overall IT Risk Appetite
You can’t evaluate identity and access management risk in isolation. Instead, you’ll see better results by considering it as one factor in an enterprise risk appetite. In this step, we recommend reviewing your organization’s overall IT risk appetite.
Not sure what risk appetite is? According to the Institute of Risk Management: “Risk appetite can be defined as ‘the amount and type of risk that an organization is willing to take in order to meet their strategic objectives. Organizations will have different risk appetites depending on their sector, culture, and objectives. A range of appetites exist for different risks, and these may change over time.”
For example, your organization may be pursuing an aggressive innovation objective to develop new technology. In that case, you might have a relatively high tolerance for IT risk. On the other hand, a mature business that’s focused on quality and customer service will likely have lower risk tolerance.
2. Define Risk Tolerances for Identity and Access Management
In managing IT risk, you rarely encounter simple black-and-white scenarios. Instead, you have to decide how much risk you’re willing to tolerate. Let’s take a simple example: user access management.
- Risk tolerance for managers and executives: You may decide to have a low risk tolerance for this user segment. As a consequence, you’ll apply enhanced assessment, monitoring, and oversight to address this risk. You might also use biometric multi-factor authentication to reduce the likelihood of unauthorized access.
- Risk tolerance for hourly employees: In many companies, hourly employees such as cashiers have limited authority on the rest of the organization. As a result, applying intense IT monitoring to these users doesn’t add much value. Therefore, you might decide to assign this user group as “high risk tolerance.”
3. Establish a Risk Reporting Process
So far, we’ve designed a framework and thresholds for clarifying how you think about identity and access management. Now, you need to take that theory and apply it to your business. When you first start monitoring identity and access management risk, we recommend a monthly report.
Every organization will monitor different factors; however, consider some key points as a minimum. Monitor any IT audit findings related to identity and access management (IAM). Track the number of IT tickets related to IAM. You should also track the number of exceptions to your IAM policy.
4. Identify High-risk Areas and Practices for Monitoring
As your risk-reporting process develops, we recommend adding new areas of focus periodically. For example, examine inactive user account risk in detail. In another quarter, analyze completion rates for your employee password training. If an internal audit or a consultant identifies high-risk practices, monitor those issues through your reporting.
By reporting on high-risk areas, you’re more likely to get managers and employees to act on the problem.
5. Implement Risk Mitigation Strategies
Responding to heightened IT risks takes several forms depending upon your judgment. You may decide that a failure for your website for more than an hour is unacceptable, so you purchase a complete “hot site” backup solution. In other cases, you may consider the likelihood of significant impact remote. In that case, consider a different mitigation solution, such as purchasing cyber insurance.
The above risk mitigation strategies help to cope with a risk event once it occurs. It’s much better to prevent problems from occurring in the first place. Use Compliance Auditor to review your user accounts regularly and identify problems before your auditors find issues. You can easily manage high-risk users by using the multi-level approval feature. If you find IAM practices that are worrisome, you can make confidential notes about those issues directly in the system.
Using a software solution such as Compliance Auditor is one of the best strategies to reduce IAM risk. By using it, you have a single book of record for access, so you never have to worry about tracking down approval messages.
The Cost of Inaction
Your identity and access management risk exposure will keep growing year after year unless you manage it. Make the decision today to use a solution such as Compliance Auditor to get your identity and access management risk under control.
