To ensure compliance with regulations and industry standards like Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS), you'll need tools that provide reports revealing who accesses your systems. All current users need to be accounted for. These standards and regulations require regular auditing to ensure inactive users are trimmed from the system. In addition, all removals must be documented.
A product that combines reporting and auditing is ideal. It allows you to audit systems for internal audits and provide reports that satisfy regulators. As a best practice, make it a routine to implement your auditor's recommendations. Provide controls for setting up user access to systems, maintain directories of users and groups, allow only unique user IDs, and audit for stale accounts and ex-employees. Picky regulators may have their own particular requirements in addition to those mentioned. As a result, when shopping for any product, make sure it has additional features for regulatory compliance reporting.
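The review the paragraph above describes (unique user IDs, stale accounts, ex-employees, documented removals) can be scripted against a directory export. The following is an added example, not code from the article or from any of the products it lists; the account records, the 90-day inactivity threshold and the review date are constructed for illustration, and a real review would read the export from the identity management system instead.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample export of a user directory (not real data).
# last_login is None when the account has never been used.
ACCOUNTS = [
    {"user_id": "alice", "employee_active": True,  "last_login": "2007-05-10"},
    {"user_id": "bob",   "employee_active": True,  "last_login": "2006-11-01"},
    {"user_id": "carol", "employee_active": False, "last_login": "2007-04-20"},
    {"user_id": "dave",  "employee_active": True,  "last_login": None},
    {"user_id": "alice", "employee_active": True,  "last_login": "2007-05-01"},
]

AS_OF = date(2007, 5, 15)          # review date (assumed)
STALE_AFTER = timedelta(days=90)   # inactivity threshold (assumed policy value)


def parse_day(s):
    """Parse an ISO date string from the export; None means never logged in."""
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None


def audit_accounts(accounts, as_of=AS_OF, stale_after=STALE_AFTER):
    """Return a list of (user_id, reason) findings for the reviewer."""
    findings = []

    # Non-unique IDs break accountability: every action must map to one person.
    counts = Counter(a["user_id"] for a in accounts)
    for uid, n in sorted(counts.items()):
        if n > 1:
            findings.append((uid, f"duplicate user ID ({n} entries)"))

    seen = set()
    for a in accounts:
        uid = a["user_id"]
        if uid in seen:          # duplicates were already reported above
            continue
        seen.add(uid)
        if not a["employee_active"]:
            findings.append((uid, "ex-employee still has an account"))
            continue
        last = parse_day(a["last_login"])
        if last is None:
            findings.append((uid, "never logged in"))
        elif as_of - last > stale_after:
            findings.append((uid, f"inactive for {(as_of - last).days} days"))
    return findings


def removal_record(user_id, reason, approver, when=AS_OF):
    """Document a removal so an auditor can trace who removed what, when and why."""
    return {
        "user_id": user_id,
        "reason": reason,
        "removed_on": when.isoformat(),
        "approved_by": approver,
        "action": "disabled",
    }


if __name__ == "__main__":
    for uid, reason in audit_accounts(ACCOUNTS):
        print(f"{uid:8} {reason}")
    # Each approved removal gets a record kept with the audit evidence.
    print(removal_record("carol", "ex-employee still has an account", "security-reviewer"))
```

Disabling rather than deleting the account keeps its history available for the next audit cycle; the removal record is what satisfies the documentation requirement the article mentions.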
Fortunately, many products on the market offer both features. Your product selection should be based on your needs -- whether for regulatory compliance or internal auditing -- how well the product meshes with your identity management system and cost considerations.
The following are four well-known products in the market:
BMC Software Inc. offers several identity management products that can be used for provisioning access as well as reporting. In addition, they're adaptable to different systems from mainframes to distributed systems. Secure Computing Corp.'s SecureWord SafeWire is an appliance that sits on your network and provides access control for both internal and remote access, including VPNs. The product has an internal management console and provides collective reporting tailored to your needs.
Beta Systems Software AG's SAM Identity Management Suite also combines provisioning with reporting. SAM Jupiter has a log-auditing facility that provides historical reports for compliance with SOX and Basel II, its European equivalent.
LogLogic Inc.'s LogLogic 4 is another interesting product, billing itself as an analytical tool for a number of different regulations. But lately, the product has been heavily marketed as a tool for PCI Data Security Standard compliance, which requires auditing of identity management and user accounts. This is just a sample of identity management software products available.
This was first published in May 2007