Industry Regulatory Compliances that Require IAM Solutions
When I think of government-enacted legislation, I remember the famous quote attributed to the influential humanist philosopher Marsilio Ficino: “Everything in nature is either a cause aimed at you or the consequence made by you.” With the Enron accounting scandal behind us, and with the significance and protection of big data and the growing threat of cyber breaches ahead of us, it has become imperative for corporations, educational institutions and government agencies to embrace the regulatory compliance requirements enacted by legislation, not just to be law-abiding, but also to protect enterprise and stakeholder assets and to bring ROI in the form of operational efficiency.
Regulatory compliance and Identity & Access Management (IAM) technology go hand in hand, because they both revolve around the same two entities: users and data. At a high level, that includes users’ actions on data, users’ accountability, user privacy and data protection. While an IAM implementation is widely seen as a high-expense task for organizations, it is also pegged as an investment, and a smart one, because it is about controlling impending threats, strategically building IT security that does not hamper business efficiency, and focusing on continuous improvement of business functioning. The benefits that come from compliance are twofold: apart from meeting compliance requirements, they also bring operational efficiency through automation of IT processes relating to user provisioning, authentication, SSO, attestations and so on.
While many articles on IAM solutions emphasize the importance of their role in helping organizations meet compliance requirements, this one takes a closer look at each of the major regulations and at how they can be addressed at different levels:
| Regulatory Compliance | Critical Requirements | Regulated Industries | IAM Solutions |
|---|---|---|---|
| SOX (Sarbanes-Oxley) | Focus: internal controls on financial reporting. Section 302: companies must safeguard their data responsibly so as to ensure that financial reports are not based upon faulty, tampered or highly inaccurate data. | Finance, Banking, Insurance | Access Management: centralized authentication, Single Sign-On (SSO). Identity Management: role-based policies for account provisioning, de-provisioning and the approval process. Privileged Identity/Access Management (PAM/PIM): enforce tighter security rules and role-based policies for privileged accounts. IAM Auditing: capture all user actions and system responses. |
| PCI DSS (Credit Card Security) | Focus: e-commerce security. The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. | All industries that process payment card transactions | Access Management: centralized authentication that ensures a single ID for each user; password management. Identity Management: provisioning and role policies to set access control. |
| GLB (Gramm-Leach-Bliley Act) | Focus: information security. The Gramm-Leach-Bliley Financial Modernization Act, enacted in 1999, mandates that all financial institutions safeguard customer data from internal and external threats. | All financial institutions | Privileged Identity/Access Management (PAM/PIM): enforce tighter security rules and role-based policies for privileged accounts. |
| HIPAA (Health Insurance Portability and Accountability Act) | Focus: user access rights. HIPAA establishes national standards to protect the privacy of personal health information. | Healthcare, Life Sciences | Access Management: federation, mobile solutions, SSO, password self-service. Identity Management: role-based policies for account provisioning and de-provisioning. |
| FERPA (Family Educational Rights and Privacy Act of 1974) | Focus: access rights. FERPA is a federal law that governs access to educational records maintained by educational institutions and ensures students’ right to privacy. | Education | Access Management: identities for teachers, students, parents and other communities to securely log in and maintain education records; federated access across campus domains. |
| NERC (North American Electric Reliability Corporation) | Focus: access governance. NERC mandates the core technical requirements for cyber security as outlined in NERC CIP Standards 002-009. It requires accountability through | Energy/Utilities sector | Access Management: centralized authentication, Single Sign-On (SSO). Identity Management. |
Some of the other compliance regimes that require IAM technology include FDA 21 CFR Part 11; the Health Information Technology for Economic and Clinical Health (HITECH) Act; ISO 27001; the Federal Information Security Management Act (FISMA); the Freedom of Information Act (FOIA); Federal Information Processing Standards (FIPS 200); and National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53).
Federal regulations and industry standards mandate that businesses enforce IT audit controls. Regulatory compliance exists to defend enterprise systems for the protection of user accounts, shareholders, the public and, most importantly, a business’s brand. Therefore, regulations concerning privacy and separation-of-duty requirements are here to stay, and will perhaps evolve for the better.
How can we help? When it comes to Governance, Risk and Compliance, Avancer brings vendor-agnostic, strategically customized implementation of IAM technology based on your needs. Our tools and services are designed to provide 360-degree controls over IT systems and aim for complete disclosure of all personally identifiable information, users and devices.
Should you be interested in a consultation session on IAM Governance, Risk and Compliance, drop us a request here.