where necessary and collaborate where it made sense. Security managed a central entitlements store and hosted an access control and review infrastructure, but the various investment groups had to manage their own roles. It was a clear example of Information Security acting as a business partner.
Not every organization has the financial ability or a compelling need to invest in the kind of technical infrastructure required for global finance. My current organization hosts a fraction of the sensitive data, though with many more associates in a greater diversity of roles and a more expansive geographic reach. A simpler approach is both necessary and achievable. While we are only now initiating our own access control and review processes, and our specific experiences may not be relevant to other organizations, there are some universal lessons that may help others launching the quest for better controls.
First, talk up the benefits of role-based access controls with likely stakeholders, the senior managers who often end up as owners of access control-related audit findings. Their pain tends to be perpetual, but since it is more throbbing headache than burst appendix, they typically pop a few aspirin and grimace through it. They are likely to be fertile ground for an access control model that is simpler and more transparent. Other stakeholders are the operational teams responsible for user provisioning. They often incur significant time and financial costs enabling and disabling user access, and they can often provide figures that document those costs, which will help you sell your proposal to senior management. Prepackaged role access, even if it must be enabled and disabled manually, can still reduce the provisioning overhead significantly, as my financial services