Why Lax Access Governance Leads to Trouble
February 13 2008 by Fayazuddin A Shirazi
If Societe Generale had had effective access management controls, the bank wouldn’t have taken a severe beating in the form of a $7 billion loss triggered by an overzealous 31-year-old rogue trader, say industry experts. Last month Societe Generale, the second largest public sector bank in
Security experts say that the lack of proper access control mechanisms in companies has resulted in unwanted exposure of information to employees, which exposes the company to enterprise risk.
“The loss of more than $7 billion at French bank Société Générale might have been averted had better internal controls been in place to prevent Jerome Kerviel’s apparently disastrous financial trades. And Steven E. Hutchins Architects might not have lost an estimated $2.5 million in architectural data to the alleged actions of a disgruntled employee had the firm implemented better security measures,” says a report published in Information Week. Late last month Hutchins Architects, a small architectural services firm based in Florida, reported an incident of data sabotage: an agitated woman employee misinterpreted a help-wanted ad placed in a local newspaper by her employer as a threat to her job and allegedly leveraged her access to destroy seven years of crucial data worth an estimated $2.5 million.
In an interview with CE Online, Brian Cleary, an access management and controls expert and VP of marketing at Aveksa, a corporate security vendor based in Waltham, MA, explained the significance of safeguarding crucial company information by enhancing access management tools. He says that employees have access to far more information than their jobs require. “The risk of someone misusing such access to unsought information remains high,” he says.
IT analysts believe the Societe Generale rogue trader had in-depth knowledge of the control procedures from his former employment in the middle office, which he used in his new role. “The employee in question managed to drag access permissions to most of the applications from his earlier role at the back office to his new role at the front office,” says Brian. Experts say that once the bank changed Jerome Kerviel’s role, it should have taken care to revoke all the access he had been granted earlier.
If SocGen, Brian feels, had instituted stronger access controls and ensured proactive management of the potential business and compliance access risks, it could have limited the loss at least to some extent. “Had the bank cautiously implemented the automated access certification process, it could have identified the security breach much earlier and mitigated its loss,” asserts Brian Cleary.
According to the 2008 National Survey on Access Governance, conducted by Ponemon Institute, an information management and research firm based in Michigan, about 78 per cent of 700 IT professionals polled from public and private organizations believe that both their employees and their independent contractors have too much access to information assets that are not pertinent to their job function, and that access policies are not being regularly checked or enforced by their organization. The survey also found that 69 per cent of respondents believe that access policies in their organizations were poorly enforced or ignored, and 55 per cent of respondents rated their companies’ ability to grant information access rights as poor or, in some cases, nonexistent.
The most common problem pointed out by the survey is “entitlement creep,” in which workers move to a new business unit and their information access rights fail to get updated to match their new roles. Business units tend to leave this to IT organizations, a failure, Cleary believes, to appreciate that it is the obligation of the business units, and not the IT department, to understand the role and job requirements of its people. This is precisely what happened at SocGen, and the rogue trader leveraged the key access to information he had held in his earlier role, experts feel.
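The entitlement creep described above can be caught by a periodic access review that compares what a person holds against what their current role needs. The following is an added illustration, not code from the article or from Aveksa; the role baselines, the separation-of-duties rule and the users are constructed for the example.

```python
# Added example (not from the article): a minimal entitlement-creep review.
# A user's current entitlements are compared against the baseline for their
# current role; anything left over from a prior role is flagged for the
# business owner to certify or revoke, and conflicting combinations are
# reported as separation-of-duties (SoD) violations.
from dataclasses import dataclass, field
from typing import Optional

# Constructed role baselines: the application entitlements each role needs.
ROLE_ENTITLEMENTS = {
    "middle_office": {"risk_reports", "trade_validation", "limit_override"},
    "front_office": {"trading_platform", "market_data", "risk_reports"},
}

# Constructed SoD rule: nobody may both enter trades and validate/override them.
SOD_CONFLICTS = [({"trading_platform"}, {"trade_validation", "limit_override"})]


@dataclass
class User:
    name: str
    role: str
    previous_role: Optional[str] = None
    entitlements: set = field(default_factory=set)


def review_user(user: User) -> dict:
    """Return entitlements beyond the role baseline, those inherited from
    the previous role, and any SoD violations for one user."""
    allowed = ROLE_ENTITLEMENTS.get(user.role, set())
    excess = user.entitlements - allowed
    carried_over = set()
    if user.previous_role:
        carried_over = excess & ROLE_ENTITLEMENTS.get(user.previous_role, set())
    violations = []
    for left, right in SOD_CONFLICTS:
        if user.entitlements & left and user.entitlements & right:
            violations.append(sorted(user.entitlements & (left | right)))
    return {"user": user.name, "excess": sorted(excess),
            "carried_over": sorted(carried_over), "sod_violations": violations}


def reprovision(user: User, new_role: str) -> User:
    """Move a user to a new role the right way: entitlements are reset to the
    new role's baseline instead of being added on top of the old ones."""
    user.previous_role, user.role = user.role, new_role
    user.entitlements = set(ROLE_ENTITLEMENTS.get(new_role, set()))
    return user
```

Running `review_user` over every account on a fixed schedule, and routing the flagged items to the business unit that owns the role rather than to IT, is the automated access certification the article's experts recommend.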
Brian calls upon organizations to consider the benefits of an enterprise-wide access governance process based on collaboration among different business functions. “The objective is to have an effective process for managing access rights, ensuring that policies are enforced consistently and understanding the business function that is accountable,” he says.
A Short Guide to Better Access Management
Experts recommend consistent monitoring of access management controls to keep tabs on the free flow of information to employees.