Fischer Identity Suite

Dec 2, 2013


Fischer International White Paper
Auditing Identity Management for Regulatory Compliance: Are you at risk?
Identity Management & Compliance Series
William J. Malik, CISA
Fischer International Corporate Advisor

Secure Your Risk. Increase Your Bottom Line.™
The Future is Now!
Fischer Identity Suite

Fischer International Corporation
3073 Horseshoe Drive South
Naples, FL 34104
+1 239-643-1500

Compliance and attestation require that Identity Management processes be audited and verified. An organization's ability
to reduce the time, cost, and disruption to business resulting from such audits is directly related to the architectural
"completeness" of the Identity Management solution. This white paper discusses three varieties of Identity Management
solutions, and their impact on simplifying (or complicating) audit and compliance. After examining the technologies, there
is no grey area – to shorten, simplify, and improve the accuracy of Identity Management audits, the solution must be
"architected," not "integrated," and with compliance throughout the architecture.
We live in an age of increasing regulatory oversight. Not only the United States but many nations are levying broader
mandates on firms to understand and verify the integrity of the systems they use when developing financial data or
handling personal information. One useful beacon through this fog of procedural complexity is the focus on the individual,
both as actor and as subject. The discipline of identity management is becoming crucial to meet substantial elements of
these new regulatory demands.
Identity management brings together the procedures for creating and updating an individual’s profile and permissions
within a firm. The individual might be a customer or an employee. The profile information may include sensitive data that
is itself covered by regulation, such as the individual’s social security number, personal health information, financial data,
and the like. The permissions include rights of access – that is, which systems and processes the individual can access;
as well as the context for granting those rights – that is, who authorized a particular access right, when it became
effective, for how long, and under what conditions access will be granted.
However the firm manages identity information, compliance and attestation require the firm audit its identity management
processes. The more robust the identity management systems, the easier these audits are. Conversely, if the identity
management system is helter-skelter, auditing will be much more time-consuming and expensive. The auditor must
validate that the firm has an effective policy, and that the policy is in conformance with applicable laws and regulations. If
the policy is implemented piecemeal across diverse applications, the auditor must test that implementation. In particular
the auditor must verify that a change request is completed successfully, and that each step in processing that change
request is effectively logged or documented.
Firms that have deployed identity management solutions may feel that they are protected from audit findings. This is not
necessarily the case. Effective identity management solutions come in three dominant varieties, each with different
degrees of clarity in handling sensitive information and each with different degrees of logging. Some identity
management solutions are accumulations of independent tools developed by separate firms over time, and later acquired
by a software vendor. These aggregates pose the greatest challenge to an auditor and account for the highest auditing
costs. Logs are actually carried separately, log events are generated at different elements of the process, and even
though the vendor may have done some integration at the front end, to give the aggregate a consistent look and feel, the
back end data remains distributed in various formats across multiple data stores. An effective audit requires that the
auditor trace a change request to validate that the steps in the process take place in accordance with policy, and that
exceptions are properly identified and handled without generating inconsistent or incomplete states.
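The audit trace described above, as an added example that is not code from the white paper or from any Fischer product: it reconstructs a change request from three separately kept logs, checks that the steps occurred in the required order, and checks that who authorized the right and when it took effect were recorded (the context for granting rights described earlier). The log formats, field names, identifiers and the four-step policy are constructed assumptions.

```python
import json
from datetime import datetime, timezone
# Constructed sample logs (not from any product): change request CR-1042 is recorded by
# three independent components in three formats, as in the "aggregate" suites described
# above; CR-1043 is a second request whose trail is incomplete, so the audit flags it.
WORKFLOW_LOG = [  # key=value text
    "2013-11-04T09:12:00Z request id=CR-1042 subject=jdoe right=payroll-read requester=mgr7",
    "2013-11-04T09:30:00Z approve id=CR-1042 approver=cfo1 effective=2013-11-05T00:00:00Z expires=2014-05-05T00:00:00Z",
    "2013-11-06T10:00:00Z request id=CR-1043 subject=asmith right=hr-write requester=mgr7",
]
PROVISIONING_LOG = [  # JSON lines from a provisioning connector
    '{"ts": "2013-11-05T00:01:00Z", "event": "provision", "cr": "CR-1042", "target": "payroll-db"}',
    '{"ts": "2013-11-06T10:05:00Z", "event": "provision", "cr": "CR-1043", "target": "hr-db"}',
]
COMPLETION_LOG = ["CR-1042|2013-11-05T00:02:00Z|complete"]  # pipe-delimited
REQUIRED_ORDER = ["request", "approve", "provision", "complete"]  # steps policy requires, in order

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def collect_events():
    """Normalize the three stores into (cr_id, step, timestamp, fields), oldest first."""
    events = []
    for line in WORKFLOW_LOG:
        ts, step, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((fields["id"], step, parse_ts(ts), fields))
    for line in PROVISIONING_LOG:
        rec = json.loads(line)
        events.append((rec["cr"], rec["event"], parse_ts(rec["ts"]), rec))
    for line in COMPLETION_LOG:
        cr, ts, step = line.split("|")
        events.append((cr, step, parse_ts(ts), {}))
    return sorted(events, key=lambda e: e[2])

def audit(cr_id):
    """Return policy findings for one change request; [] means a complete, consistent trail."""
    trail = [e for e in collect_events() if e[0] == cr_id]
    steps = [e[1] for e in trail]
    findings = []
    if steps != REQUIRED_ORDER:
        findings.append(f"{cr_id}: logged steps {steps} do not match {REQUIRED_ORDER}")
    approvals = [e[3] for e in trail if e[1] == "approve"]
    if not approvals:
        findings.append(f"{cr_id}: no record of who authorized the right or when it takes effect")
    else:
        effective = parse_ts(approvals[0]["effective"])
        # A right provisioned before its approved effective date is an out-of-policy state.
        if any(e[1] == "provision" and e[2] < effective for e in trail):
            findings.append(f"{cr_id}: provisioned before the approved effective date")
    return findings
```

A suite with a single, consistently formatted back-end store would need only the last function; the three parsers in `collect_events` are the extra audit labor the aggregate architecture imposes.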
The second variety of identity management solution is not an aggregate but a consistent suite created before the current
regulatory environment arose. These products generally do have a common back end data store as well as a consistent
look and feel. However, comprehensive auditing and logging capabilities were not part of the original product architecture.
The product’s vendor has to retrofit logging and policy validation into the otherwise well-architected system. This
introduces the likelihood of incomplete, partial solutions. The auditor facing such systems must test that the apparent
policy statements are effectively implemented across all stages of the employee life cycle. While this is less
labor-intensive than auditing aggregates, these retrofitted solutions still demand a detailed and rigorous series of tests to
confirm effective attestation.
The third and final variety of identity management products are those architected with the current regulatory regimen in
mind. Within the core architecture of these solutions lies the compliance infrastructure – the structures and functionality
needed to seamlessly interact with all identity modules, and provide effective tools for logging, for policy embodiment,
and for audit. Auditing these well-architected solutions is a straightforward exercise. The auditor simply verifies that the
policies deployed in the solution conform to the appropriate regulatory model, exercises the model for each class of
employee lifecycle transformation, and verifies that the implementation delivers the expected outcome. This variety of
Identity Management solution provides a much higher level of algorithmic certainty at a far lower cost than the preceding
In sum, regulatory and attestation requirements are increasing globally. Firms can address substantial portions of these
requirements with an effective identity management infrastructure. However, an identity management solution that
consists of an aggregate of diverse products may not be thoroughly auditable. Auditors may only be able to issue a
statement of a likelihood of conformance with policy, a confidence level less than 100 percent that the tools actually
perform as required. These environments will demand appreciably more manual labor-intensive audit activities. An
identity management solution that retrofits compliance may achieve a higher level of confidence but will require significant
investigation to support the audit goals. Finally, a well-architected identity management solution will provide the auditor
with a clear and verifiable depiction of its policy and processing, allowing efficient and accurate validation of its
performance with high confidence at the lowest audit cost level.
© 2006 Fischer International Corporation. All rights reserved.
Fischer Identity Suite™ is a trademark of Fischer International Corporation.
All other trademarks and product names are the property of their respective holders.