You can use IAM solutions to help demonstrating regulatory compliance such as SOX Section 404 and 302, HIPPA, GLB, Basel II Capital Accord, FDA 21-CFR-11, HSPD-12, EU Privacy Directive, PIPEDA, and LSF.
SOX: There are many SOX compliance tools and you may wonder why IAM is needed. SOX compliance tools are very good at roles and SoD (separation of duties) analysis, but are weak at workflow management, reverse synchronization, and integration with multiple target systems, etc. IAM solutions are strong in those area and can meet following SOX requirements:
- Controlling the accessibility of financial information
- Monitoring and auditing financial information accessibility in real time as well as periodically
- Making sure that users access permissions to financial data are added and removed in a timely manner
- Making sure that these controls are applied to all systems associated with financial or business transactions and not only to the traditional financial systems
HIPPA: Similarly, IAM provides very specific solutions to help healthcare organizations meet following HIPAA requirements and reduce overall organizational risk:
- Each user must be uniquely identified before being granted access to confidential information.
- Access to PHI must be restricted to only those persons who need access as part of their role, and the conditions of this access must be clear.
- PHI must be reasonably safeguarded against intentional or inadvertent disclosure.
- Access to protected resources must be tracked, so that complete access reports can be generated.
- Login attempts must be tracked so that suspicious login attempts can be analyzed and corrective action taken.
- Access to protected resources must be terminated quickly when an employee leaves the company.
- A user's session can be terminated after a specific period of inactivity.
- For large corporations, procedures must be implemented to protect private information of a healthcare entity from access by someone in the
- Procedures for creating and managing passwords must be implemented.
GLB: IAM solutions will help addressing following GLB requirements:
- Evaluate IT environments and understand the security risks
- Establish information security policies
- Conduct independent assessments
- Provide training and security awareness programs fro employees
- Scrutinize business relationships to ensure adequate security
- Upgrade security programs that are in place