Access management comes first

Sure, tools are useful, but only after you have identified which staff need which information, and you have processes in place that can deliver and control that access.

Corporate IT Forum members are minimising internal security threats - whether accidental or intended - by sharpening processes and policies around access management and implementing solutions for identity authentication and authorisation, writes Ollie Ross, director of research at The Corporate IT Forum.

But access management isn't a quick-win technology project. It's a long-term commitment demanding significant organisational buy-in, a thorough examination of business and company processes, probably unprecedented co-operation between functions or departments, and very often a shift in company culture.

Accrued access

Because access management means ensuring staff get access only to the information and systems they require to do their job - regardless of company status or seniority - it inevitably means taking away access from some who have previously enjoyed it, such as senior executives, time-served employees and "movers and shakers" within the business.

In fact, it's in these groups - where trust is very often implicit and access-all-areas is associated with power and position - that the risk of malfeasance carries the greatest impact and that gaining buy-in to change is hardest.

It's common for those progressing through and up an organisation to carry their "access" with them as they move, and here lies a big challenge. While there's often a major driver to provision access so that people can take up new positions, there often isn't an equivalent driver to decommission access.

However, the business risks and security implications must be fully understood by all departments involved in the position change and an audited process must be put in place for movers as well as starters and leavers.
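One way to give a movers process the audit check it needs, as an added example that is not from the article or from the Corporate IT Forum: given a role-to-entitlement baseline and each person's role history, flag every entitlement the current role does not justify and attribute it to the earlier role that did grant it. All roles, entitlements and people below are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role-to-entitlement baseline: what each role is *supposed* to hold.
# A leaver's baseline is empty, so anything they still hold is flagged.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "expense-approve"},
    "finance-director": {"erp-read", "erp-write", "expense-approve", "board-reports"},
    "dba": {"prod-db-admin", "backup-restore"},
    "leaver": set(),
}

@dataclass
class Account:
    user: str
    current_role: str                 # role the person holds today
    entitlements: set                 # everything they can actually access right now
    role_history: list = field(default_factory=list)  # previous roles, oldest first

def find_accrued_access(account: Account) -> dict:
    """Return entitlements not justified by the current role, grouped by the
    previous role that most plausibly granted them (or 'unexplained')."""
    baseline = ROLE_BASELINE.get(account.current_role, set())
    excess = account.entitlements - baseline
    findings: dict = {}
    for ent in sorted(excess):
        source = "unexplained"
        # Walk the history newest-first so the most recent move gets the credit.
        for prev in reversed(account.role_history):
            if ent in ROLE_BASELINE.get(prev, set()):
                source = prev
                break
        findings.setdefault(source, []).append(ent)
    return findings

def review(accounts) -> dict:
    """Run the check across an inventory; only users with findings appear."""
    return {a.user: f for a in accounts if (f := find_accrued_access(a))}

# Constructed inventory: a clean mover, a mover who kept old access, and a leaver.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance-director", {"erp-read", "erp-write", "expense-approve", "board-reports"}, ["finance-analyst"]),
    Account("bob", "dba", {"prod-db-admin", "backup-restore", "expense-approve", "vpn-legacy"}, ["finance-analyst"]),
    Account("carol", "leaver", {"prod-db-admin"}, ["dba"]),
]

if __name__ == "__main__":
    for user, findings in review(SAMPLE_ACCOUNTS).items():
        print(user, findings)
```

The "unexplained" bucket is the one to chase hardest: it is access that no recorded role ever justified, so neither provisioning nor decommissioning was audited.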

Privileged accounts

Another focus for IT security chiefs is that of "privileged accounts" - elevated access granted to computer room staff, systems and database administrators and the like in order to fulfil their administrative requirements. Here again, the risks are high and strict rules and procedures around rationing privileges, authorisation checking, usage and password monitoring are required to manage the lifecycle of these accounts. Some members of Tif's specialist security service have even instigated mandatory training courses and compulsory examinations for would-be privileged account holders.

I've not mentioned tools so far, not because there aren't any, but because most organisations only turn to tools once they have outgrown their manual process, and the wisest know that you should never try simply to automate existing processes.

Tools are invaluable, but secondary. They belong to the later stages of an effective access management programme and should be considered only once you have identified who needs what and what processes you use to control this.
