Eurekify

Overview
Sage Audit is the ultimate tool for ongoing management of role definitions, periodical auditing of privileges, and enforcement of policies and regulations. Sage Audit uses Sage's patented pattern recognition technology to analyze existing privileges data and identify exceptions and deviations from common and typical patterns. In addition, Sage Audit reports various statistical exceptions and outliers. Sage Compliance allows specification of policies and regulations using simple rules, which can then be checked against the current privileges and role definitions. Sage is a non-destructive off-line analysis tool that is applied to privileges data that is imported from one or more relevant platforms and applications. Sage Audit allows tracking all exceptions and deviations, as well as immediate remediation of all alerts. All changes made in Sage in response to such alerts can then be applied directly to the target platform, reported for manual administration, or stored in an independent repository. Sage runs on a Windows-based personal station.
Where and When to Use
- Identity Management Projects. To avoid a situation where a new provisioning system is automating the bad habits of yesterday, one must first clean up and streamline privileges on the source platforms. Sage Audit helps in this cleanup and preparation, as well as in reviewing role definitions and provisioning policies (whether existing, or defined using Sage Discovery).
- Role-based auditing and cleanup shall be applied to each single-platform and to cross-platform privileges data before they are loaded to the new IdM platform.
- Role-based auditing shall also be applied to role definitions created during the role engineering project, as a means of quality assurance and additional cleanup and compliance.
- Role-based auditing and compliance shall be applied to the entire IdM platform periodically.
Review some of the benefits of Sage in an Identity Management Project.
- Role-based management of privileges on a mainframe, enterprise directory, ERP, or any other application. Role-based auditing is important to maintain the quality of role/group definitions. It is also important to check that privileges and role definitions comply with organizational policies and external regulations.
- Role-based auditing shall be applied on a periodical basis, and more frequently in periods of significant changes such as mergers, restructuring, etc.
- Compliance checking shall be performed periodically, depending on the policy being checked, especially as part of internal/external IT auditing effort, and possibly as part of special efforts to document compliance.
Review some of the benefits of Sage for auditing privileges and checking for compliance on a single major platform.
Sage Audit Functions
- Identification of out-of-pattern individual privileges, often associated with erroneous and outdated privileges
- Identification of users suspected as "collectors"
- Identification of resources that are not allocated according to an orderly policy
- Identification of ad-hoc privileges that do not follow from a role/group policy
- Identification of privileges outliers, including dead accounts, unused resources and groups, privileges packers, etc.
- Review role/group definitions to identify out-of-pattern privileges and users
- Review role/group definitions to identify duplications, overlaps
- Review role/group definitions to identify potential extensions and optimizations
- Review role/group definitions and privileges assignment against one or more organizational policies, segregation of duty requirements, and common regulations.
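As an added illustration of the role-based checks listed above (example code written for this page, not Eurekify's or Sage's own code or its patented pattern-recognition method): a small peer-comparison audit over a constructed privilege set that flags out-of-pattern privileges, "collectors", and segregation-of-duty conflicts. The users, roles, privilege names and the SoD rule are all made up for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample privilege data (not real Sage input): user -> (role, privileges).
PRIVILEGES = {
    "alice": ("payroll", {"hr_read", "payroll_run", "payroll_approve"}),
    "bob":   ("payroll", {"hr_read", "payroll_run"}),
    "carol": ("payroll", {"hr_read", "payroll_run", "prod_db_admin"}),
    "dave":  ("dev", {"git_push", "ci_deploy"}),
    "erin":  ("dev", {"git_push", "ci_deploy"}),
    "frank": ("dev", {"git_push", "ci_deploy", "hr_read", "payroll_run",
                      "payroll_approve", "prod_db_admin"}),
}

# Constructed segregation-of-duty rule: no single user may hold all privileges of a set.
SOD_RULES = [({"payroll_run", "payroll_approve"}, "run and approve payroll")]

def out_of_pattern(privs, threshold=0.5):
    """Flag each privilege held by fewer than `threshold` of the user's role peers."""
    # The user is counted among the peers, so a privilege unique to one of three has share 0.33.
    by_role = defaultdict(list)
    for role, held in privs.values():
        by_role[role].append(held)
    findings = []
    for user, (role, held) in privs.items():
        peers = by_role[role]
        for priv in sorted(held):
            share = sum(priv in p for p in peers) / len(peers)
            if share < threshold:
                findings.append((user, priv, round(share, 2)))
    return findings

def collectors(privs, factor=2.0):
    """Users holding more than `factor` times the median privilege count (statistical outliers)."""
    counts = {user: len(held) for user, (_, held) in privs.items()}
    cutoff = factor * median(counts.values())
    return sorted(u for u, n in counts.items() if n > cutoff)

def sod_violations(privs, rules=SOD_RULES):
    """Users holding every privilege of a conflicting set, with the rule label."""
    return [(user, label) for user, (_, held) in privs.items()
            for conflict, label in rules if conflict <= held]

if __name__ == "__main__":
    for finding in out_of_pattern(PRIVILEGES):
        print("out-of-pattern:", finding)
    print("collectors:", collectors(PRIVILEGES))
    print("SoD violations:", sod_violations(PRIVILEGES))
```

Each finding is a candidate for review rather than an automatic removal; in practice the threshold and factor are tuned per platform, and the review outcome is recorded so the same exception is not re-raised on the next periodic run.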
Environments
- Identity Management of virtually all vendors
- Mainframe, e.g. RACF, TSS
- Enterprise Directory, e.g., Active Directory
- ERP systems, e.g. SAP
Compliance

UK regulations and standards include
- Data Protection Act 1998
- Freedom of Information Act 2000
- Electronic Communications Act 2000
- BS7799-2:2002 (BS 7799) Information Security Management System. Also global standard ISO17799 (ISO 17799)
- BS10181 (BS 10181) Authentication and Access Control. Also global standard ISO10181 (ISO 10181)
- Enterprise Act 2002

EU regulations and standards include
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- Basel II Capital Accord
- Human Rights Act 1998
US regulations and standards include
- HIPAA - Health Insurance Portability and Accountability Act 1996
- HL7 is a standard for the healthcare industry.
- Sarbanes-Oxley Act aka SOX Act. Officially titled the “Public Company Accounting Reform and Investor Protection Act of 2002”, signed into law on 30 July 2002
- PATRIOT Act aka USAPA. The official title is "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001."
- SEC & NASDAQ regulations. SEC 17a-3, the requirement to make records, and SEC 17a-4, the requirement to keep records, are the most relevant. Specific rules surrounding retention, non-rewriteable storage, and ease of retrieval and viewing are highlighted by 17a-4. NASD 3010 and 3110 refer to and inherit the same requirements of 17a-3 and 17a-4 as applied to the NASD, demanding the creation of policies and the retention of reviewable customer records and transaction data.
- Gramm-Leach-Bliley Act aka GLB. Officially titled the “Financial Services Modernization Act of 1999”, it repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies.