Many high-risk organizations need to develop and implement identity safeguard and audit procedures because they face substantial security risks in managing millions of personal consumer records. Organizations in industries such as financial services, insurance, social networking, and healthcare handle millions of transactions every day involving customer personal information. In the absence of appropriate identity safeguard controls, an organization risks not only the loss of customers, a diminished corporate image, lower revenues, and reduced profit margins, but also, depending on its industry, violations of regulatory requirements that can lead to financial penalties and jail time.
An organization that handles a large volume of consumer information must do all it can to address the growing risks of identity safeguard for the reasons described above. The major groups that must collectively address today's identity management issues are information security, privacy, compliance, internal audit, and information technology. These groups must work closely with each other and with business management to a) define what information needs protection and who should have access to it, b) develop a set of policies and procedures for identity safeguard, including monitoring and breach management, and c) properly configure systems and train the appropriate staff to enforce those policies.
Identity risk management starts with defining and managing the amount of personal information an organization collects to run its business. Some companies, like most individuals, are identity obese: they collect more customer information than they need to operate their businesses. I believe this is due to a lack of knowledge on the part of senior management regarding the risks and the unintended consequences of identity mismanagement.
Below are some of the general risks to consider if your organization handles customer personal information and must protect it:
• Has management formally defined what customer information is absolutely necessary for running the business and must be collected as part of business transactions? As I mentioned, businesses sometimes collect more customer information than they need to operate, and business management must carefully assess the business need for each piece of customer private information it collects when attempting to reduce the organization's identity risks.
• Have business management and the legal group defined what data constitutes customer personal information that needs protection and privacy? Identity components are often misunderstood and overlooked, and there are sometimes disagreements about what counts as customer private information. Such disagreements must be resolved before the information can be identified and protected.
• Has the customer information lifecycle been properly documented to identify and address the various points of security failure, including systems hosting customer information, information in transit, and data maintained by vendors? An identity lifecycle charts customer information from the moment it enters the organization until the time it is properly destroyed. Customer information and its locations must be fully known to ensure maximum protection; too often an organization cannot readily locate its sensitive information at a given time.
• Have management and the privacy group defined who should and can have access to customer information, both within the organization and outside the company? Access management is critical when planning to protect customer information. This applies not only to data access within a system but also to data in transit or processed outside of a system.
• Have management and the privacy group defined what can or should be done with customer information in terms of sharing, duplicating, and retention?
• Is there a formal and approved customer data retention policy? The longer an organization retains private information, the longer it is exposed to identity risks.
• Have technical and operational identity safeguard policies and procedures been developed, approved, and communicated to protect customer information residing both inside information systems and within business operations?
• Is there a developed, approved, and tested data breach management plan, with supporting policies and procedures? A data breach usually requires the involvement of several groups. These groups must be identified and involved when the policies and procedures are developed and when they are tested.
• Have information systems been properly configured to comply with policies, only allow authorized users, monitor user activity, and detect unauthorized user behavior?
• Have the minimum necessary information security systems been implemented to protect all target systems from unauthorized access, printing, sharing, copying, and downloading?
• Are regulatory requirements for identity safeguard within your industry being considered and addressed? Compliance with State and Federal information security requirements must be incorporated into the overall identity risk management process.
• Is the organization performing continuous risk assessment of operations and information systems?
• Are there committees comprised of key stakeholders at the senior management level to discuss, prioritize and address identified risks?
• Are regular internal audits being performed based on risks, established policies and procedures, as well as the documented identity lifecycle?
• Are employees properly trained regarding policies, procedures, threats, and expectations? Key employees who are well positioned to detect and prevent identity fraud within the organization deserve special attention when implementing awareness, education, and training programs.
To conclude, many groups within an organization must work together to manage identity risks effectively and efficiently. Such efforts must be well planned, communicated, and coordinated. Often a leader must step up to the plate and bring these groups together, because agreeing and acting on a common purpose sometimes requires initiation by a leader within the organization. You could be that leader!