By Mark McClain, SailPoint Technologies
Today’s economy is creating an environment where accelerated mergers and acquisitions, and subsequent layoffs, are becoming the norm rather than the exception. The resulting corporate churn creates significant IT risk, particularly regarding access to critical corporate information. There are, unfortunately, too many examples of disgruntled former employees stealing data. For instance, Fidelity National Information Services had 2.3 million customer records at its Certegy unit stolen by a former employee. Lending Tree, Wachovia Securities, Bank of America, Washington Mutual and Fannie Mae have all had to deal with security breaches perpetrated by users who, at one point, were granted access to their systems.
Corporate changes force companies to modify employee access to sensitive corporate data on very short notice, grant access privileges to new employees, adjust access privileges for reassigned employees, and terminate access for former employees and contractors. Organizations must manage that transition in a manner that minimizes business disruptions while also protecting the company from insider theft and ensuring compliance with government regulations. Your organization may not anticipate a major change in the near future, but if it does occur, it’s not a good time to be caught unprepared.
Gain Control of Your Identity Data
Given the uncertain state of the economy, now is the time to take formal steps to manage your identity risk before an event takes place. It is never too early to establish a baseline understanding of the overall risk posed by users and their access to critical systems—including any gaps that may exist in the organization’s controls and any common violations of corporate access policy.
First and foremost, you should perform an identity inventory on assets that could potentially be affected by a restructuring action. User and access information should be collected from various systems into a single repository, using correlation rules to resolve inconsistencies between resources to obtain a unified view. The net result will be an authoritative record of “who has access to what?” While this step may seem simple, a recent SailPoint survey found that the majority of companies can’t accurately report which workers have access to their most critical applications and data.
Be Prepared by Being Proactive
Laying the proper organizational, procedural and technical groundwork before a merger, acquisition or downsizing can better position your organization to move quickly and smoothly through the change. It can help you make decisions and take the actions necessary for a successful restructuring. And, given the damage a breach can cause, risk should always be top of mind.
Next, it is critical to put policy and controls in place to reduce your risk. Centrally define the policies required to meet corporate and regulatory requirements across all key resources. Identity policies that should be defined include:
separation-of-duty (SoD) rules to prevent users from holding “toxic combinations” of entitlements that could make it possible to commit fraud or misuse data; and any specialized rules required to manage the corporate restructuring (e.g., rules that determine how newly acquired workers are allowed access based on a department code, location, etc.).
Implement automated, repeatable processes for identity governance in your organization, including access certifications to continually monitor “who has access to what,” and policy enforcement that applies the SoD rules you defined. Ensure that your managers and the IT organization are prepared to disable all access to user accounts upon delivery of termination notices.
Remember that corporate restructuring imposes a significant increase in your organization’s workload. As much as possible, you should know in advance how you will staff and fund your restructuring efforts, and what reprioritizing of IT projects will need to occur.
Minimize IT Risk by Revisiting the Basics
Keep in mind that once you’ve navigated a restructuring event, your organization still faces increased IT risk—employee morale may be low and IT resources will likely be constrained. If you’ve successfully implemented the preceding identity governance strategies, build on that foundation with automated controls to make sure you don’t reintroduce policy violations that could place the enterprise at risk.
Schedule a special-purpose access certification to reevaluate your risk posture. Refresh your correlated identity data and confirm that all accounts have been removed as required. Pay special attention to any changes detected, such as new users, new policy violations, or new entitlements, and make sure the privileges align with your corporate policy.
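As an added illustration (not the article's own tooling, nor any SailPoint product), the following Python script carries out the steps described above on constructed data: it correlates accounts from several systems into a unified identity view, checks for SoD “toxic combinations,” flags access still linked to terminated workers, and computes what changed since the last certification snapshot. The HR feed, account records, correlation rules, login mapping and entitlement names are all assumptions.

```python
from collections import defaultdict
# Constructed HR feed (assumed authoritative source of identity and status).
HR = [
    {"emp_id": "E100", "email": "a.lee@example.com", "status": "active"},
    {"emp_id": "E101", "email": "b.ng@example.com", "status": "terminated"},
]
# Constructed account records pulled from target systems; each names users differently.
ACCOUNTS = [
    {"system": "AD", "user": "alee", "entitlements": ["Domain Users"]},
    {"system": "ERP", "user": "a.lee@example.com",
     "entitlements": ["AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"]},
    {"system": "ERP", "user": "b.ng@example.com", "entitlements": ["AP_APPROVE_PAYMENT"]},
    {"system": "AD", "user": "svc_backup", "entitlements": ["Backup Operators"]},
]
# Correlation rules: resolve each system's user naming to an HR employee id.
AD_LOGINS = {"alee": "E100", "bng": "E101"}  # assumed AD-login-to-HR mapping
CORRELATION = {
    "AD": lambda u: AD_LOGINS.get(u),
    "ERP": lambda u: next((h["emp_id"] for h in HR if h["email"] == u), None),
}
# Separation-of-duty rule: a "toxic combination" a single identity must not hold.
SOD_RULES = [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT")]
def correlate(accounts=ACCOUNTS):
    """Build the unified 'who has access to what' view: emp_id -> {(system, entitlement)}."""
    identities, uncorrelated = defaultdict(set), []
    for acct in accounts:
        emp = CORRELATION[acct["system"]](acct["user"])
        if emp is None:  # no HR owner: a service or orphan account that needs review
            uncorrelated.append((acct["system"], acct["user"]))
            continue
        identities[emp].update((acct["system"], e) for e in acct["entitlements"])
    return dict(identities), uncorrelated

def sod_violations(identities):
    """Identities holding both halves of any SoD rule, whichever system granted them."""
    out = []
    for emp, ents in identities.items():
        held = {e for _, e in ents}
        out += [(emp, a, b) for a, b in SOD_RULES if a in held and b in held]
    return out

def orphaned_access(identities, hr=HR):
    """Access still linked to terminated workers; should be empty after offboarding."""
    gone = {h["emp_id"] for h in hr if h["status"] == "terminated"}
    return {emp: sorted(ents) for emp, ents in identities.items() if emp in gone}

def access_delta(baseline, current):
    """New grants since the last certification snapshot, for the recertification review."""
    return {emp: ents - baseline.get(emp, set()) for emp, ents in current.items()
            if ents - baseline.get(emp, set())}
```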
You should also validate your company’s security posture by implementing a higher-than-usual level of activity monitoring. Make sure logging is turned on for systems that may be subject to sabotage or theft, and closely monitor high-risk or privileged users, as well as any workers with access privileges that do not conform to policy (e.g., allowed exceptions).
Rapid change to a company’s access structure requires planning, efficiency and strong identity governance to speed operations and ensure accuracy. Structured, preparatory steps that put into place reliable, automated processes for identity governance can put an organization on a solid footing for managing the changes that accompany a merger, acquisition or downsizing. The organization that plans ahead—even when there is no event looming on the horizon—is less likely to be caught off guard, and less likely to suffer a significant breach, when change does occur.
Mark McClain is CEO & founder of SailPoint Technologies (Austin, Texas), a company that specializes in identity governance solutions.
Topics: Risk Management/Security