Wednesday, 02/09/2005 11:32:30 AM

The table "Regulations at a Glance" is a presentation in the original document showing the regulation, mandating organization, security requirements, affected companies, and deadline. Unfortunately it didn't transfer very well (lost all its formatting). Quite a world of opportunity!
-Richard

RSA whitepaper (partnered with Accenture) on "Identity and Access Management"

http://www.itbusinessedge.com/offer.aspx?o=00560001KR

IMPLEMENTING IDENTITY AND ACCESS MANAGEMENT
FOR REGULATORY COMPLIANCE
Companies today face a growing number of regulations that have broad
implications for information security. Governments worldwide are mandating
the protection of information, whether it’s to safeguard consumer privacy for
health and financial records, ensure data quality in the production of drugs
or re-establish trust in financial reporting systems.
What these laws have in common are requirements for ensuring that only
authorized users gain access to information and the ability to control and
examine user activity. Implementing an Identity and Access Management
(I&AM) solution is an effective way to address the requirements of these
regulations and build a unified compliance strategy.
This white paper has been developed by RSA Security in conjunction with our
strategic partner, Accenture, as a resource for organizations to help them
understand the requirements of a wide spectrum of the regulations and
implement an I&AM solution that will address many of the key provisions.
Although each regulation has its own deadline, compliance is an on-going
effort: implementing controls to protect information is not a one-time
project but a continual process that must keep pace as an organization’s
operations and environment change and as technologies advance. This
white paper is intended to help organizations implement an I&AM solution
that meets the on-going demands of complying with these regulations while
also serving key business objectives.
TABLE OF CONTENTS
RSA SECURITY AND ACCENTURE ..... page 1
I. THE COMPLIANCE CHALLENGE ..... page 1
II. COMMON THREADS ACROSS REGULATIONS ..... page 1
    Best practices in Information Security (sidebar) ..... page 2
III. SOLVING THE COMPLIANCE CHALLENGE WITH I&AM ..... page 3
    Primary Components of an I&AM Solution ..... page 3
    Success Factors for Implementing I&AM ..... page 4
    I&AM Solution Principles (sidebar) ..... page 4
TABLE: REGULATIONS AT A GLANCE ..... page 5
APPENDIX: OVERVIEW OF EACH REGULATION ..... page 6
    Sarbanes-Oxley (SOX) ..... page 6
    Gramm-Leach-Bliley (GLB) ..... page 6
    HIPAA ..... page 6
    21 CFR Part 11 ..... page 7
    Annex 11 Computerized Systems ..... page 7
    European Data Protection Directive ..... page 7
    Basel II ..... page 8
    Japanese Data Protection Directive ..... page 8
TABLE: RSA SECURITY’S I&AM SOLUTION AND REGULATORY COMPLIANCE ..... page 9
ABOUT RSA SECURITY ..... page 10
ABOUT ACCENTURE ..... page 10
RSA SECURITY AND ACCENTURE
RSA Security has over 20 years of experience in information
security and is renowned for leading industry initiatives in
standards and research. Our technology can provide a solid
technical infrastructure that covers a broad range of the
requirements yet offers the flexibility and scalability to
meet an organization’s needs as their environment
changes. As such, organizations worldwide are turning to
RSA Security to help them with their compliance efforts.
As a global management consulting company, Accenture
has deep industry and business process expertise, broad
global resources and a proven track record for helping
organizations to comply with regulations. Accenture’s
approach is consistent with the expectations of the
regulations which call for not only technical measures for
protecting information but also administrative measures
such as policy, procedures and training of personnel. The
I&AM framework that Accenture has developed involves
the implementation of key technologies, the
transformation of processes and alignment with the people
in the organization.
RSA Security and Accenture share a common philosophy
in helping organizations achieve regulatory compliance by
seeing it as an opportunity to improve operations; maintain
the trust of customers and partners; and become more
competitive.
I. THE COMPLIANCE CHALLENGE
Over the last several years, nations throughout the world
have enacted regulations which have major implications
for information technology (IT) and security professionals.
Information security has moved from being good practice
to being the law.
Many regulations were put in place to establish standards
for protecting data while promoting automation and e-commerce.
Regulations such as Gramm-Leach-Bliley (GLB)
and the Health Insurance Portability and Accountability Act
(HIPAA) in the United States, or the European and Japanese
Data Protection Directives were enacted as a result of
increasing concerns over privacy and identity theft. 21 CFR
Part 11 in the U.S. and Annex 11 in Europe are meant to
protect patient safety by ensuring the quality of data used
in developing and producing drugs. Sarbanes-Oxley (SOX)
in the U.S. was in response to specific problems with the
financial reporting system and several high profile fraud
cases. The intent of Basel II is to better align banks’ capital
requirements with underlying risk.
1
IMPLEMENTING IDENTITY AND ACCESS MANAGEMENT
FOR REGULATORY COMPLIANCE
RSA Security Inc.
All of these regulations carry penalties and some even carry
prison terms for violations. Moreover, non-compliance could
destroy a company’s brand reputation and even set the
stage for civil litigation.
Organizations globally are finding that complying with
these regulations is a formidable challenge. Mandates
are couched in ambiguous legal language, making
interpretation difficult. What’s more, most companies are
subject to several regulations. For example, a U.S.
investment bank with operations in Europe could be subject
to GLB, SOX and the European Data Protection Directive. A
global pharmaceutical company headquartered in
Europe but with international sales could be affected by 21
CFR Part 11, Annex 11, HIPAA and Europe’s privacy laws.
And the list of regulations continues to grow. In the
wake of highly publicized security failures, privacy abuses
and corporate scandals, there is intense pressure on
governments in the U.S. and internationally to pass yet
more laws and regulations. For example, India is writing
privacy and security legislation in response to the needs of
outsourcing customers in highly regulated countries and
industries.
As well, organizations must implement a compliance
strategy in the context of their other business objectives—
such as reducing costs, improving customer service and
increasing revenue. Most will need to ensure compliance
in an environment that is constantly changing, as more
users and applications are added. Adding to the challenge
is the fact that applications and processes are increasingly
outsourced and information is increasingly exchanged with
external partners.
II. COMMON THREADS ACROSS REGULATIONS
The many regulations that mandate the protection of
information were enacted for various reasons; some are
industry-specific and others apply to a geographic region.
Nevertheless, there are common threads that run across all
of these regulations.
For example, they all require that organizations implement
controls to allow only authorized users to gain access to
information, control what users do, monitor and track their
activities and make them accountable for their actions.
In other words, some of the central requirements are
authentication, access controls and audit controls—the
essence of I&AM.
Other common threads include requiring organizations to
conduct a risk analysis and develop and enforce a security
policy. Many of the regulations share similar language,
often referring to the need for “reasonable and appropriate”
controls which is commonly interpreted to mean
best practices. Organizations can turn to several sources for
information on best practices such as peers, standards
bodies, industry associations, or security experts and
consultants. Some examples of best practices are presented
in the box below.
A summary of information on the regulations and their
requirements is provided in a table on page 5. For more
extensive information on each of the regulations, see the
appendix on page 6.
III. SOLVING THE COMPLIANCE CHALLENGE WITH I&AM
I&AM helps to solve the challenges of compliance because it
provides an effective way to address some of the central
requirements of many of the regulations. It helps organizations
to build a unified, comprehensive strategy for
compliance based on best practices in information security.
I&AM can be defined as, “the people, processes and
technologies dedicated to creating, managing and revoking
digital identities, as well as developing and enforcing
policies governing authentication and access to information
systems both inside and outside the enterprise.”
BEST PRACTICES IN INFORMATION SECURITY
Regulations generally expect organizations to
conduct a risk analysis and implement information
security measures based on best practices. The
following are some examples of best practices in
information security using I&AM and related
technology to support regulatory requirements:
Strong authentication is a best practice that
reduces the risk of unauthorized access to systems
and networks by requiring users to present strong
proof of identity, specifically by using multiple
factors. For example, two-factor authentication
combines something the user knows (such as a PIN)
with something the user has (such as a token).
Strong authentication is considered necessary
especially for remote access environments where
there are no physical access controls to ensure the
validity of the user. Inside corporate networks,
strong authentication may also be recommended
to protect highly sensitive data or to safeguard
single sign-on access, where one logon provides
the user with access to multiple applications.
Centralized access control is a best practice for
consistently assigning user privileges and enforcing
security policies across multiple applications. Some
regulations require organizations to implement
appropriate controls over user access to sensitive
data, such as a consumer’s health or financial
information. Centralized access control can be used
to enforce access rights based on diverse criteria,
such as job role, security clearance and business
rules. For example, centralized access control can
help ensure that a terminated employee’s
privileges are revoked for all applications in a
timely way.
Encryption makes sensitive information unreadable
except by authorized users who have the means to
decrypt the data. Encryption is a best practice for
shielding data from “eavesdropping” as it is
transmitted across a network or the Internet.
Increasingly, it is also used to protect databases
containing confidential information, so that stolen
storage media, backups or copied database files do
not expose readable data. Encryption at rest does
not, however, stop an attacker who obtains the
credentials of an authorized user or application,
which is why it complements rather than replaces
access control and strong authentication.
Digital signatures can help to ensure the integrity
of data, online communications and transactions
by providing assurance that data has not been
altered from the original, especially during
transmission. Digital signatures also support
non-repudiation: because only the holder of the
signing key could have produced the signature, the
signed data can be tied to the identity of the signer.
Audit controls are an essential element of virtually
all regulatory requirements. Diverse laws and
regulations demand that the enterprise establish
accountability for each user’s online activities.
Centralized logging is considered a best practice
for tracking and monitoring user activity across
multiple applications, to ensure effective
implementations of audit controls.
More than a simple product implementation, I&AM is an
approach to managing users and protected resources in a
way that maximizes business opportunity. The optimum
approach involves the people, process and the technology
for creating usable identities and enforcing the policies
behind the use of identities.
The services that regulations require largely fall into two
groups: identity management (ensuring the user is who
they claim to be) and access management (determining which
applications, information or resources a user can access).
An I&AM solution is based on developing centralized
capabilities for establishing and managing digital identities,
which consist of attributes such as name, phone number,
job code, etc. It is also based on developing centralized
capabilities for access control, which takes business rules
and security profiles into consideration to establish and
enforce policy around which users are granted the privilege
to access which resources.
With a single I&AM framework, organizations can address
the requirements for complying with multiple regulations.
For example, an investment bank with operations in the U.S.
and Europe can implement a single methodology and set of
technologies for information security that enables
compliance with U.S. and European Union privacy laws.
Diverse global regulations will require a centralized, policy
driven model with local flexibility.
It is important to note however, I&AM is just part of an
overall solution for regulatory compliance. At the same
time, organizations will need to meet other security-related
requirements such as ensuring data integrity and
confidentiality.
An I&AM solution provides the foundation for helping
organizations to not only comply with regulations, but also
to manage their businesses with a degree of flexibility,
responsiveness, security and economy that is unattainable
with today’s fragmented approaches to managing user
identities.
Primary Components of an I&AM Solution
An I&AM solution enables organizations to manage on-line
identities and control access to resources. A complete
identity and access management strategy encompasses six
tactical areas: provisioning of user identities and
permissions; comprehensive user management capabilities;
authentication; access management; federated identity
management; and secured, centralized data stores to
maintain the required policies and profiles. All these
components should work together as an efficient,
intelligent system.
Provisioning provides automated capabilities for activating
user accounts and establishing access privileges for those
accounts across the entire enterprise. So, for example, if
one company has acquired another, provisioning makes it
possible to automate the process of “turning on” the
acquired employees’ access to all of the parent
organization’s relevant accounts—e.g., e-mail, HR, desktop
applications and the ERP system. Provisioning also helps
ensure timely and complete deactivation of accounts, such
as when an employee has left the organization.
User management provides automated tools for updating
user profile information in specific applications. Key
capabilities include delegated administration, approval
workflow, user self-service and synchronization with the
user data store.
Strong authentication enhances trust in network, intranet,
extranet and portal environments by requiring users to
present conclusive proof of identity before being granted
access to sensitive data and processes. This high level of
protection is especially important for remote and web
access—where there are no physical controls present; and in
single sign-on environments—where a user’s identity
unlocks multiple resources.
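The strong authentication described in the sidebar above and in this paragraph, something the user knows (a PIN) combined with something the user has (a token), can be verified on the server side as follows. This is an added example written for this page, not RSA’s or Accenture’s code. It assumes an RFC 4226 HOTP event-based token, a PIN stored as a salted PBKDF2 hash, and policy values (a look-ahead window of three counter values and a lockout after five failures) chosen for illustration; the demo secret is constructed and happens to be the RFC 4226 test-vector seed.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen PIN database cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


class TwoFactorVerifier:
    """Server-side record for one user: PIN hash, token secret, expected counter, failure count.

    look_ahead and max_failures are assumed policy values, not taken from the paper.
    """

    def __init__(self, pin: str, token_secret: bytes, look_ahead: int = 3, max_failures: int = 5):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret
        self.counter = 0                 # next counter value the server expects from the token
        self.look_ahead = look_ahead     # tolerate a few button presses that never reached the server
        self.failures = 0
        self.max_failures = max_failures

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, pin: str, code: str) -> bool:
        """Both factors must pass; a consumed counter value is never accepted again."""
        if self.locked:
            return False
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        # Always scan the whole window, even when the PIN failed, so the response
        # time does not reveal which factor was wrong.
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.token_secret, c).encode("ascii")
            if hmac.compare_digest(expected, code.encode("utf-8")) and matched is None:
                matched = c
        if pin_ok and matched is not None:
            self.counter = matched + 1   # resynchronise past the used value: replay is rejected
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"      # constructed demo secret (RFC 4226 test seed)
    user = TwoFactorVerifier("1234", seed)
    print(user.verify("1234", hotp(seed, 0)))   # True
    print(user.verify("1234", hotp(seed, 0)))   # False: replay of a consumed code
```

The two points the paragraph makes are visible in the code: a correct token with a wrong PIN fails, and a code that has already been accepted fails on replay because the server’s counter has moved past it. In a real deployment the PIN hash, counter and failure count would live in the user data store rather than in memory, and the lockout would be paired with administrator alerting.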
Access management capabilities allow an organization to
assign and enforce user access rights to diverse resources
across intranets, extranets, portals and exchanges. User
privileges can be defined at a very granular level, based on
a combination of user roles and attributes, and business
rules and security policies. Fine-grained authorization
protects not only access to applications but can also control
what users see and do once they have access to
applications. Administrators can grant or deny access to
specific transactions, limiting not only the resources
available to users but also the functions they are able to
perform within a given application.
Federated identity management overcomes the challenges
of a collaborative business environment. It enables
organizations to share trusted identities across the
boundaries of the corporate network—with outsourced
service providers, supply chain partners, autonomous
business units, etc. Users get secure single sign-on across
multiple systems for streamlined information access.
Federated identity management increases an organization’s
control over users’ identity information and facilitates
enforcement of security policy across multiple partners.
The user data store (directory or database) is an enterprise’s
authoritative source of user data. It typically draws pieces
of data from multiple applications and pushes updated
data back to those sources—including other identity
management solution components—ensuring the timeliness
and consistency of user data across the enterprise.
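The provisioning, access management and user data store components described above, together with the centralized access control and centralized logging best practices in the sidebar, can be seen working together in the following added example. It is written for this page and is not RSA’s or Accenture’s product code; the role names, application names, the sample user and the single-call deprovisioning are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Role and entitlement model: role -> application -> permitted actions.
# Role and application names are constructed for the example.
ROLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "teller":  {"core-banking": {"view-account"},
                "email": {"read", "send"}},
    "auditor": {"core-banking": {"view-account", "export-report"},
                "email": {"read", "send"}},
}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str      # UTC, ISO 8601
    actor: str          # who performed the action (an admin system or the user)
    subject: str        # whose identity or access was affected
    application: str
    action: str
    outcome: str


class IdentityStore:
    """Authoritative user store with centralized authorization and one audit trail."""

    def __init__(self, entitlements: Dict[str, Dict[str, Set[str]]]):
        self.entitlements = entitlements
        self.users: Dict[str, dict] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, subject: str, application: str, action: str, outcome: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, actor, subject, application, action, outcome))

    def applications_for(self, roles) -> List[str]:
        return sorted({app for role in roles for app in self.entitlements[role]})

    def provision(self, admin: str, user: str, roles: List[str]) -> List[str]:
        """Activate a user and grant every application implied by the roles, logging each grant."""
        unknown = set(roles) - set(self.entitlements)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[user] = {"roles": set(roles), "active": True}
        apps = self.applications_for(roles)
        for app in apps:
            self._log(admin, user, app, "provision", "granted")
        return apps

    def deprovision(self, admin: str, user: str) -> List[str]:
        """One call revokes every application the user held and records each revocation."""
        record = self.users.get(user)
        if record is None:
            return []
        apps = self.applications_for(record["roles"])
        record["active"] = False
        record["roles"].clear()
        for app in apps:
            self._log(admin, user, app, "deprovision", "revoked")
        return apps

    def authorize(self, user: str, application: str, action: str) -> bool:
        """Fine-grained decision: an active user holding a role that permits this action here."""
        record = self.users.get(user)
        allowed = bool(record) and record["active"] and any(
            action in self.entitlements[role].get(application, set())
            for role in record["roles"])
        # Every decision, allow or deny, lands in the same trail for accountability.
        self._log(user, user, application, action, "allow" if allowed else "deny")
        return allowed

    def access_report(self, user: str) -> List[Tuple[str, str, str]]:
        """Per-user history an auditor can review: (application, action, outcome)."""
        return [(e.application, e.action, e.outcome) for e in self.audit if e.subject == user]
```

Because applications ask the store rather than keeping their own user lists, the terminated employee in the sidebar’s example loses every application at once, and the auditor’s question “who could do what, and when” is answered from a single trail. Role checks are per action, not per application, so a teller can view an account but cannot export a report even though both live in the same system.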
Success Factors for Implementing I&AM
Although technology is an essential part of an I&AM
solution, companies need to understand the
transformational nature of the processes that protect
information and align the solution with the people in the
organization to ensure success.
For example, where possible, existing manual business
processes that support the management of identities
should be automated and IT processes should be simplified
or distributed to the business owners. To align people with
the I&AM solution, certain measures should be put in place
such as enforcing a permissions model for accessing
resources. As well, procedures should support responsibility
changes and organizational changes within the entity so
the organization can evolve security privileges dynamically.
A successful I&AM implementation to meet regulatory
compliance requires a strategic vision coupled with strong
knowledge of the business and application environments.
Companies must understand the principles defined by the
relevant regulations and consider the strategic nature of
I&AM and its impact on the organization. This requires the
ability to focus on processes and people as well as
technology so the enterprise can define explicit security
policies that drive the definitions of rules and work flows.
Organizations should invest in defining a comprehensive
and workable role and entitlements model.
Other key factors for success are attaining strong upper
management support and buy-in by all those impacted by
the process re-engineering. Developers should get on board
early on for integration with consolidated authentication,
authorization and identity services. A comprehensive
change management and communication plan should be
put in place. And organizations should follow a phased
approach for the integration of target systems and to
support different types of users.
The ability to integrate I&AM with an organization’s
heterogeneous systems and applications is crucial, and
companies also require the regulatory expertise and
professional services that can help them integrate manual
and automated processes for protecting identities
enterprise-wide and documenting compliance with
relevant regulations.
I&AM SOLUTION PRINCIPLES
The following are some of the high-level principles that
companies should consider when implementing an I&AM
solution to support compliance requirements.
- Deploy an enterprise-wide unified identity management
  solution supporting all user types, all IT domains and all
  modes of administration (centralized, delegated and
  self-help) through a phased delivery plan.
- Automate the administration of the maximum number of
  tasks.
- Incrementally integrate the target systems and
  applications into the solution, thus minimizing the need
  for separate administrations.
- Link with master sources of identity information and
  propagate changes automatically.
- Provide all user- and administrator-facing identity
  management services over a web interface for access
  ubiquity.
- Support centralized control of access policies and
  extensive central auditing and reporting of all
  administrative events.
- Support workflows for managing the approval of access
  rights.
- Deliver the solution via market-proven software packages,
  minimizing in-house development.
REGULATIONS AT A GLANCE

| Regulation | Mandating organization | Security requirements | Affected companies | Deadline |
| Sarbanes-Oxley (SOX) | U.S. Securities and Exchange Commission (SEC) | CobiT framework: authentication, access controls, user account management, credential life cycle management, non-repudiation and audit controls | Companies publicly traded on U.S. exchanges | November 2004 |
| Gramm-Leach-Bliley (GLB) | U.S. Office of the Comptroller of the Currency (OCC) | Authentication, access controls, encryption, data integrity controls and audit controls | All financial institutions regulated by the OCC | July 2001 |
| HIPAA Security Rule (1) | U.S. Department of Health and Human Services (DHHS) | Authentication, access controls, transmission security, audit controls and data integrity | Healthcare organizations in the U.S. | April 2005 |
| 21 CFR Part 11 | U.S. Food and Drug Administration (FDA) | Authentication, access controls, data integrity controls, audit controls, encryption and digital signatures | Companies regulated by the FDA (e.g. pharmaceuticals) | Final Guidance August 2003 (original deadline was 1997) |
| Annex 11 Computerized Systems | European Union (E.U.) | Access control; credential life cycle management; logging unauthorized attempts; recording identity of operators; and audit trails | All organizations producing medicinal products in the E.U. | Varies by country |
| European Data Protection Directive | European Union (E.U.) | Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access | Companies conducting business in E.U. member nations | 1997-2002 (varies by country) |
| Basel II | Basel Committee on Banking Supervision | FFIEC framework: access rights administration, authentication, network access, operating system access, application access, remote access, logging and data collection | Global financial service organizations including internationally active banks | 2006 |
| Japanese Data Protection Directive | Japanese Government | Safe-keep personal data against loss, system failure and leakage, i.e. unauthorized disclosure | Japanese private businesses | May 2005 |

(1) HIPAA: Health Insurance Portability and Accountability Act
APPENDIX: OVERVIEW OF EACH REGULATION
Sarbanes-Oxley (SOX)
The Public Company Accounting Reform and Investor
Protection Act, most commonly referred to as Sarbanes-Oxley
(SOX), was enacted in the United States in 2002 as
comprehensive legislation intended to reform the
accounting practices, financial disclosures and corporate
governance of public companies.
Designed to reduce fraud and conflicts of interest, SOX has
far-reaching impact within today’s American business
environment. It calls for stringent accountability in the
corporate decision-making process and increased financial
transparency to improve public confidence in the financial
reporting systems of corporations. SOX applies to all
companies that are publicly traded in the United States and
regulated by the Securities and Exchange Commission (SEC).
It mandates that these organizations ensure the accuracy of
financial information and the reliability of systems that
generate it. An important part of ensuring the accuracy
and reliability of financial reporting is having a rigorous
information security program.
SOX is an extensive regulation covering many aspects of
accounting, financial reporting and corporate governance.
The sections most relevant to information security include
sections 302 and 404, which address the accuracy of
financial statements and internal controls. Under section
302, the CEO and CFO must personally certify that financial
statements are accurate and that all material information
has been appropriately disclosed. Under section 404,
management must perform an assessment of internal
controls over financial reporting and obtain attestation
from external auditors annually.
In other words, section 404 requires that companies not
only establish and maintain an adequate internal control
structure but also assess its effectiveness on a yearly basis.
To comply with section 404, publicly traded companies are
expected to use an accepted framework to establish
appropriate internal controls, and the SEC specifically cites
that of the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). The COSO framework makes
general references to IT controls but is not a specific IT
framework.
The IT framework that is considered most closely aligned
with COSO was developed by the IT Governance Institute
and is known as CobiT (Control Objectives for Information
and Related Technology). CobiT is a comprehensive
approach to IT governance. Controls related to information
security are found in several sections and include:
authentication, access control, user account management,
credential life cycle management, non-repudiation, audit
controls, data integrity and encryption.
Gramm-Leach-Bliley (GLB)
The United States Financial Services Modernization Act of
1999, also known as “Gramm-Leach-Bliley” or GLB, includes
provisions to protect personal financial information held by
financial institutions such as banks, securities firms,
insurance companies and other companies selling financial
products and services to consumers.
GLB applies to all financial institutions operating in the
United States that are regulated by the Office of the
Comptroller of the Currency (OCC) and it mandates the
protection of consumer financial information. It demands
privacy protections that include disclosure of policies and
practices regarding the treatment of financial information
and also places restrictions on the sharing of information.
Regulated entities must ensure the security and
confidentiality of consumer financial information against
“reasonably foreseeable” internal or external threats. From
an IT security perspective, you must implement a process
that assesses and monitors the threat environment, as well
as tools and policies to counter threats. GLB requires the
establishment of administrative, physical and technical
safeguards to protect the security, confidentiality and
integrity of consumer financial information. Specific
technical safeguards include access control, authentication,
encryption, audit controls and data integrity controls.
It requires that regulated companies develop and enforce
an information security program which includes a risk
assessment. Like most regulations, GLB is technology-neutral.
The Health Insurance Portability and Accountability Act
The U.S. Health Insurance Portability and Accountability Act
(HIPAA) was originally enacted to allow portability of
health insurance between jobs but greatly expanded to
include the Administrative Simplification Section. HIPAA
applies to all health care providers, payers and
clearinghouses. Within HIPAA, there are two rules in
particular that affect information security: the HIPAA
Privacy Rule and the HIPAA Security Rule.
The HIPAA Privacy Rule covers privacy rights, including uses
and disclosures of Protected Health Information (PHI). It
includes minimum necessary provisions which require
organizations to provide workers with access to only the
minimum necessary information needed to perform their
jobs. The HIPAA Security Rule requires that covered entities
ensure the confidentiality, integrity and availability of all
electronic PHI and requires them to protect information
against any reasonably anticipated threats, hazards, uses or
disclosures.
Under HIPAA Security, covered entities must perform a risk
analysis and implement “reasonable and appropriate”
measures; that is they must implement best practices for
information security. HIPAA is technology-neutral and
outlines specific administrative, physical and technical
safeguards to protect the security, confidentiality and
integrity of patient information. Technical safeguards
include authentication, access control, transmission security,
audit controls and data integrity.
21 CFR Part 11
Title 21 of the United States Code of Federal Regulations
Part 11 (21 CFR Part 11) applies to all organizations
regulated by the Food and Drug Administration (FDA),
which includes pharmaceutical, biotech, medical device,
food and cosmetic companies. It outlines the FDA’s
requirements for electronic records and electronic
signatures and is designed to prevent fraud while
permitting the widest possible use of electronic technology
to reduce costs incurred from paper processes.
For “closed systems” such as a LAN, organizations are
required to implement controls designed to ensure the
authenticity, integrity and, when appropriate, the
confidentiality of electronic records, and they must ensure
that the signer cannot readily repudiate the signed record as
not genuine. This requires the ability to limit system access to
authorized individuals and to document an audit trail. For
“open systems” such as the Internet, regulated organizations
are required to use all of the controls for closed systems plus
implement additional measures such as encryption and
digital signatures. In other words, the requirements include
authentication, access controls, data integrity controls, audit
controls, encryption and digital signatures.
While the original compliance deadline was set for 1997,
the FDA released their Final Guidance for Industry in August
2003 which re-examined Part 11 and narrowed the scope,
providing enforcement discretion for some provisions. 21
CFR Part 11 outlines a risk-based approach for analyzing
processes, identifying the records that need to be secured
and implementing the controls to mitigate risks.
Annex 11 Computerized Systems
Annex 11 of the European Union Directives for Good
Manufacturing Practices (GMP) guidelines applies to all
pharmaceutical manufacturers in the E.U. which use
computerized systems in manufacturing, storage,
distribution and quality control of medicinal products.
The Directives for GMP were adopted in 1991 and Annex 11
was added in 1998 based on the general principle that no
resultant decrease in data quality would be acceptable as
computerized systems replaced manual systems. Annex 11
includes requirements for training, validation and
documentation, as well as built-in checks for the correct
entry and processing of data; specifying that data can be
entered or amended only by authorized persons, there
must be access controls and credential life cycle
management.
The central consideration is that “records are accurately
made and protected against loss or damage or
unauthorized alteration so that there is a clear and
accurate audit trail throughout the manufacturing process
the licensing authority for the appropriate time.” This
includes the ability to log unauthorized attempts to access
information, record the identity of all computer operators
and document a complete audit trail of all access to
privileged information.
European Union Data Protection Directive
In 1995, the European Parliament and the Council of the
European Union adopted Directive 95/46/EC, the Data
Protection Directive, to allow the free flow of personal data
between member states by harmonizing the level of
protection of personal data across them. The scope of
the directive is limited to the processing of personal data,
including automatically processed data and manual data in
a filing system.
It covers conditions for the processing of personal data,
including the confidentiality and security of processing and
provisions for transfers to third countries. For
confidentiality and security of processing, an organization
must implement appropriate technical and organizational
measures to protect personal data against accidental or
unlawful destruction, accidental loss, alteration,
unauthorized disclosure or access (in particular where the
processing involves the transmission of data over a network)
and against all other unlawful forms of processing. Personal
data may be transferred to a third country only if that
country ensures an adequate level of protection. The U.S.
Safe Harbor Arrangement, developed by the U.S. Department of
Commerce in consultation with the E.U., is a streamlined
means for U.S. companies to comply with the Directive.
Basel II
The new Basel Capital Accord (Basel II) is an effort by
international banking supervisors to update the original
international bank capital accord (Basel I), which has been
in effect since 1988. The Basel Committee on Banking
Supervision, on which the United States is a participating
member, developed the current proposals. They aim to improve
the consistency of capital regulations internationally, make
regulatory capital more risk-sensitive and promote enhanced
risk-management practices among large, internationally active
banking organizations. Basel II intends to better align bank
capital requirements with underlying risk: banks will be
required to monitor, mitigate and disclose risk, and the lower
a bank's operational risk, the lower its capital requirements.
Basel II applies to global financial services organizations,
specifically internationally active banks with assets greater
than $250 billion or foreign exposures greater than
$10 billion. It calls for the implementation of a
risk-management framework. In the U.S., the agencies
responsible for Basel II are the Federal Reserve Board, the
Office of the Comptroller of the Currency (OCC), the Federal
Deposit Insurance Corporation (FDIC) and the Office of Thrift
Supervision (OTS), all members of the Federal Financial
Institutions Examination Council (FFIEC). An applicable
framework for information security to meet Basel II in the
U.S. is the FFIEC Information Security Booklet (2003).
Requirements that can be addressed by security technologies
(from the security controls implementation section of the
FFIEC booklet) include access rights administration,
authentication, network access, operating system access,
application access, remote access, and logging and data
collection.
Japanese Data Protection Directive
The Data Protection Directive applies to private companies
in Japan that handle personal information, although it
excludes the media and writers. It requires companies to
specify the purposes for which data will be used and to
notify individuals that their data has been acquired.
This directive is expected to be followed by sector-specific
legislation for the healthcare, finance and telecom
industries. Requirements include the ability to safeguard
personal data and protect it against loss, failure and leakage.
RSA SECURITY'S I&AM SOLUTION AND REGULATORY COMPLIANCE
(Regulatory requirement, followed by the components of RSA Security's I&AM solution that address it)

Authentication
RSA SecurID® two-factor authentication verifies the identity of users with a high degree of
assurance. It is an industry-standard solution for implementing a high level of secure access. RSA
Keon® digital certificate management system can provide authentication for remote or enterprise
access. RSA ClearTrust® software is designed to centralize the management of authentication
services, support resource-based authentication and support multiple methods of authentication.

Access Control, User Account Management
RSA ClearTrust web access management system can be used to centralize access control and
enforce access control policy across multiple applications. It also streamlines administration,
providing a secure and efficient means to manage user identities and access privileges. Users
experience the convenience of single sign-on to multiple applications. RSA® Federated Identity
Manager software allows organizations to share and manage trusted identities across business
boundaries and lets users access multiple domains. It also facilitates the enforcement of security
policies across multiple partners.

Credential Life Cycle Management
RSA ClearTrust software and RSA Security authentication systems can be used to create, modify
and revoke digital identities throughout their entire life cycle. The provisioning component
automates the process of managing accounts across a user's life cycle. More specifically,
provisioning allows centralized departments to quickly activate, modify or de-activate defined
user accounts across multiple applications and identities.

Non-repudiation
RSA Keon digital certificate management system can generate digital signatures, which can be
used to provide proof of transactions. RSA SecurID® and RSA ClearTrust systems can help ensure
non-repudiation for transactions by providing audit trails.

Audit Controls
RSA SecurID, RSA Keon and RSA ClearTrust systems provide extensive logging and reporting of
authentication and/or authorization events for audit controls. RSA ClearTrust web access
management can track users' access to information as well as their actions, such as reading,
writing, creating and modifying files.

Data Integrity
RSA Keon digital certificate management provides for digital signatures, which are used in
ensuring data integrity.

Encryption
RSA BSAFE® software is used to implement encryption in databases as well as in applications and
devices that transmit data over the Internet. RSA Keon digital certificate management system
provides for encryption of e-mail messages and for secure web sessions.
ClearTrust, Keon, BSAFE, RSA, RSA Security, the RSA logo, RSA Secured, SecurID and Confidence
Inspired are registered trademarks or trademarks of RSA Security Inc. in the United States and /or
other countries. All other products or services mentioned are trademarks of their respective owners.
©2004 RSA Security Inc. All rights reserved.
ACCIAM WP 0704
About Accenture
Accenture is a global management consulting, technology
services and outsourcing company. Committed to delivering
innovation, Accenture collaborates with its clients to help
them become high-performance businesses and
governments. Accenture offers both the technology and
regulatory expertise that helps companies worldwide
implement I&AM solutions that not only ensure compliance
with regulatory requirements, but better protect critical
information and enable the profitable growth of e-business
activities. With deep industry and business process
expertise, broad global resources and a proven track record,
Accenture can mobilize the right people, skills and
technologies to help clients improve their performance.
With approximately 95,000 people in 48 countries, the
company generated net revenues of U.S.$11.8 billion for
the fiscal year ended Aug. 31, 2003. Its home page is
www.accenture.com.
About RSA Security
RSA Security Inc. helps organizations protect private
information and manage the identities of people and
applications accessing and exchanging that information.
RSA Security's portfolio of solutions, including identity and
access management, secure mobile and remote access,
secure enterprise access and secure transactions, is
designed to provide the most seamless e-security
experience in the market. Our strong reputation is built on
our history of ingenuity, leadership, proven technologies
and our more than 15,000 customers around the globe.
Together with more than 1,000 technology and integration
partners, RSA Security inspires confidence in everyone to
experience the power and promise of the Internet. For
more information, please visit www.rsasecurity.com.