iam-AGA‎ > ‎

Governance Risk and Compliance

How can this solution assist my organisation in achieving governance, risk and compliance goals?
It is well understood that the management of identities in the corporate IT environment is essential to security. But what about managing the access assigned to these identities? Often auditors ask IT organisations the following questions:
  • Who works for you?
  • Who has access to your systems?
  • Should these people have access?
  • Do you have the processes to verify this access?
  • Do you know how they got their access and who approved it?
Not only is the ability to answer these questions important in your organisations ability to ensure good IT governance, but there is local and international legislation which may require you to control these risks.

The Sarbanes Oxley act of 2002 (SOX) applies to U.S. Public company boards, management and public accounting firms. The act sets new or enhanced standards which are a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International and Worldcom. Section 404 of the act is the largest driver of SOX compliance projects, and the most significant for IT. It requires that the process that is used to generate accounting statements be accurate and meets accepted industry standards. Because the processes are implemented principally in IT systems, section 404 audits involve a detailed assessment of these. After first year SOX audits, it immediately becomes apparent that management of systems access is essential. Achieving SOX section 404 compliance requires a firm grasp over the answers to the above questions.

Personal Information can be found being collected, stored and processed within almost all corporate business processes. The new draft South African legislation, Protection of Personal Information Bill (POPI), will mandate executives to ensure the right to privacy, and hence the security of this information, is protected. Ensuring that you know who has access to your customer’s personal information, and regular verification of this access, will be essential in meeting the requirements of the bill.

The King commission, in its revised recommendations to business on good governance (KING III report) have stressed the importance of IT in today’s business world, and therefore the importance of effective IT governance being in place. 

Understanding the answer to the five questions listed above are the cornerstone to ensuring that your IT organisation is secure and complies with the best practices to reduce risk.