Security Slideshow: Managing Identity Risk During Mergers or Downsizing
By CIOinsight | Posted 09-02-2009
Managing Identity Risk During Mergers or Downsizing
As companies merge or downsize to survive, they must change employee access to sensitive corporate data on very short notice: grant access privileges to new employees, adjust access privileges for re-assigned employees, and terminate access for former employees and contractors. CIOs of these organizations must manage that transition in a way that minimizes business disruption while also protecting the company from insider theft and ensuring compliance with government regulations. SailPoint's Founder and CEO, Mark McClain, offers advice to help CIOs prepare their business and IT organizations for these scenarios.
1. Leverage your seat at the table during any executive-level discussions of corporate restructuring.
- Ensure your security and IT operations teams have the skills and resources required to manage any transitions
- Ensure the transition is handled securely and in compliance with corporate and regulatory guidelines
2. Don't let technology and staff integration issues overshadow the importance of due diligence during corporate M&A events.
- An acquired company's non-compliance may impact your own compliance
- Identify any material weaknesses in your acquisition target's internal controls as early as possible
- Remember that non-compliance can be a deal breaker or can influence deal price
3. Proactively manage the risk inherent in the restructuring event.
- Corporate churn can expose sensitive applications to "insider threats" because of changes to user populations and their access to corporate resources
- Put in place the right controls to prevent acts of theft, fraud, misuse, or unauthorized access
4. Focus on IT and security challenges, specifically on identity management issues, during corporate restructuring. Critical questions that should be addressed are:
- Who has access to critical IT assets, either existing assets or those soon to be acquired?
- What users have access to those assets, and is their level of access appropriate?
- Do I have adequate controls in place to detect and prevent misuse or unauthorized access?
5. Pave the way for your teams to work with groups outside the IT organization, including HR, legal, audit/compliance, and business units.
- The decisions made by other groups can significantly impact IT's workload, so it is important that IT has a voice in even the most tactical decisions
- Use project teams and steering committees to help align all stakeholders and to balance organizational and process issues with security and risk management issues
6. Prepare in advance by building automated, repeatable processes for identity governance into your organization:
- Access certifications - periodic review and approval of "who has access to what"
- Policy enforcement - definition and enforcement of access rules, such as separation-of-duty policies
- Risk analysis - the ability to identify high-risk users (e.g. privileged users) and systems
7. Before a merger or acquisition occurs, use your organization's identity governance process to speed and automate due diligence performed on the target company:
- Inventory users and their access privileges
- Use certifications and policy enforcement to identify inappropriate access and policy violations
- Assess effectiveness of controls and overall risk posture
8. Before a layoff occurs, use these same methodologies to ensure prompt and accurate terminations:
- Certify your identity data in advance so that you have current, accurate information about all users and their access to all corporate assets
- Ensure managers and the IT organization are prepared to disable all access to user accounts upon delivery of termination notices
9. Following any transition, institute an immediate audit, then establish ongoing audit and monitoring programs to mitigate risk.
- Confirm that all accounts have been removed for terminated users
- Monitor high-risk users or any users accessing highly sensitive assets
- Pay special attention to any changes detected (new users, new policy violations, or new entitlements)
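As an added illustration of items 7 through 9 (not code from the article or from SailPoint), the following script reconciles a constructed account inventory against an HR status feed, one separation-of-duty rule and an earlier snapshot, and produces the findings the post-transition audit asks for: enabled accounts left behind for terminated or unknown users, policy violations, and newly appeared users and entitlements. All user names, systems, entitlements and the SoD rule are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user: str          # HR identifier of the account owner
    system: str        # application or directory hosting the account
    enabled: bool
    entitlements: frozenset

# Constructed HR feed after the restructuring: employment status per user.
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "terminated"}

# Constructed separation-of-duty rule: nobody may both create vendors and approve payments.
SOD_RULES = [frozenset({"ap:create_vendor", "ap:approve_payment"})]

# Constructed account snapshots taken before and after the transition.
BEFORE = [
    Account("alice", "erp", True, frozenset({"ap:create_vendor"})),
    Account("bob", "erp", True, frozenset({"ap:approve_payment"})),
    Account("bob", "vpn", True, frozenset({"remote"})),
    Account("dave", "erp", True, frozenset({"gl:view"})),
]
AFTER = [
    Account("alice", "erp", True, frozenset({"ap:create_vendor", "ap:approve_payment"})),
    Account("bob", "erp", False, frozenset({"ap:approve_payment"})),   # disabled on termination
    Account("bob", "vpn", True, frozenset({"remote"})),                # termination missed here
    Account("carol", "erp", True, frozenset({"gl:view"})),             # new user
    Account("svc_legacy", "erp", True, frozenset({"gl:view"})),        # no HR owner at all
]

def termination_gaps(accounts, hr):
    """Enabled accounts whose owner is not an active employee (terminated or unknown to HR)."""
    return sorted((a.user, a.system) for a in accounts if a.enabled and hr.get(a.user) != "active")

def sod_violations(accounts, rules):
    """Users who hold every entitlement of a rule, aggregated across all their accounts."""
    held = {}
    for a in accounts:
        held.setdefault(a.user, set()).update(a.entitlements)
    return sorted((u, tuple(sorted(r))) for u, e in held.items() for r in rules if r <= e)

def new_entitlements(before, after):
    """Entitlements present in the later snapshot that the earlier one did not record."""
    old = {(a.user, a.system): a.entitlements for a in before}
    return sorted((a.user, a.system, e) for a in after
                  for e in a.entitlements - old.get((a.user, a.system), frozenset()))

def new_users(before, after):
    """Account owners that appear only in the later snapshot."""
    return sorted({a.user for a in after} - {a.user for a in before})
```

Each finding maps to a certification or policy decision: a termination gap goes back to the system owner to disable, an SoD hit to the manager who approved the extra entitlement, and an unknown owner to whoever must claim or remove the account.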
10. Remember that corporate restructuring imposes a significant increase in your organization's workload.
- There will be tradeoffs: either funding needs to be provided for the additional work or your portfolio of IT projects must be re-prioritized
- Know in advance how you will staff and fund your restructuring efforts.
- Learn from the Boy Scouts: BE PREPARED.