
Password and Identity Management Strategies Begin to Take Shape

As financial services firms come to grips with the vulnerability of their IT systems, best practices around password and identity management become a paramount concern.
By Tim Clark
October 20, 2006

Earlier this year, former UBS PaineWebber systems administrator Roger Duronio was found guilty of infecting the company's network with malicious code that cost the firm millions of dollars. While his conviction does little to calm the nerves of the financial services community, recent research from RSA Security indicates that a rising number of Wall Street firms are addressing the vulnerabilities of their IT systems by looking to create best practices around identity and password management procedures. Though UBS did have security measures in place at the time, experts say it is possible that a more stringent password and ID management policy could have helped the firm avert the incident.

But employing effective security measures while continuing to provide systems access to employees, customers and partners remains a challenge. "Financial services companies have to struggle with doing business over the Internet while running under the assumption that their systems are compromised," says Johnathan Penn, principal analyst, identity and security, Forrester Research. "That's a tough thing to do. They are beginning to realize they need more than just password protection."

Understanding Access Rights

Since users need to access multiple areas both internally and externally, ID management becomes difficult to track. "Organizations need to understand who has access to what," says Penn. "Having a sense of identity is an important aspect to protecting customer and corporate data and audit requirements."

Service provisioning -- managing the process of user administration -- is gaining more attention as financial services firms reexamine access rights to sensitive data. A vast majority of users, especially in the financial services community, have access to data and accounts they simply do not need, asserts Penn. "On a quarterly basis, managers can sign off on the type of privileges that their direct reports have to determine if they still need all of those privileges," he suggests.


Like this article? Sign up for Wall Street & Technology's daily e-mail newsletter to get more news and analysis delivered right to your in-box.
©2006 CMP Media LLC. All Rights Reserved.