Key regulatory standards – including PCI-DSS, HIPAA, Sarbanes-Oxley and others – share common requirements when it comes to securing privileged identities.
Governance Risk and Compliance
There are serious issues with treating IT security as a set of policies. They can all be captured in one thought – security is a battle, not a concept.
Managing and governing end user access separately from privileged access opens organizations up to unnecessary risk. The silo approach creates security gaps and deprives organizations of a complete view of identity context for access-related decisions.
The GRC process is not a one-time fix, but a way of making organizations more robust and secure against a range of cyber threats that are mostly unknown to executives and their staff.
Too often, data breaches exploit shared privileged account passwords used for administrative logins, privileged service accounts, and application-to-application communications. Mandates such as PCI DSS, HIPAA, Sarbanes-Oxley and others require that these powerful passwords be audited and updated regularly to prevent abuse.
As we look back on the cyber attacks of the past year, one of the recurring themes was that there was no way the hacked companies could have expected or prevented the attacks that hit them. In legal parlance, the concept of reasonably unexpected and unstoppable events that disrupt a business and its contracts is called force majeure. Taking that position, many of the hacked companies, prior to being attacked, purchased cyber security insurance and then cut investment in IT security.
In recent years we have witnessed more and more organizations fail to adequately secure their systems. When examining the evidence, there are common practices that have led to these failed IT audits and security breaches. How many of the top five are you guilty of?
Here’s where privileged identity management helps with regulatory compliance. These products inventory all systems, accounts and passwords – and track where they’re used.
CAG Control 12 (formerly CAG 8) lists precisely the minimum controls necessary – and the actions you’ll need to take – to secure privileged credentials.
I contend that there is no place for the concept of “trust” in IT security. Trust, as it relates to business security, is a wholly unreliable concept because of human nature and the laws of unforeseen consequences.