Friday, January 29, 2010

Enhancing Security with Attestation – and Accountability

My colleague Bob Bobel recently had a question and answer session with James Powell over at the Enterprise Systems Journal. I’ve cut-and-pasted one question and answer below. The whole article is worth reading.

One of the things that wasn’t touched on in the article is how important executive sponsorship and oversight fits into attestation. Attestation is useless unless the metrics around it are tracked and clearly visible within the business. I might faithfully review my attestation reports ever quarter but it doesn’t really help if other business owners in the organization don’t. Attestation for attestations sake is bound to fail but attestation as a job, business or company performance indicator has a much greater chance for success.

A great example is Quest’s own corporate policies and how we are each required to attest to the fact that we have read the policies on an annual basis. If you don’t, your manager and our CEO know you haven’t and they let you know you haven’t. Attestation goes hand-in-hand with accountability.
Q: How does attestation help sustain compliance through access accountability?
A: Good attestation software will enable IT to answer an auditor's questions about why access decisions were made to the data owner who made the decisions. By allowing IT to refer the auditor to the accountable person the burden of compliance is placed on the data owner where it should be. Good attestation software will also provide a historical report showing where the data owner granted/revoked access as well as when they completed attestation reviews.

Over time, access will change and periodic attestation reviews are usually conducted. These reviews should be completed quarterly or yearly. This ensures the business treats security and compliance as ongoing requirements rather than one-time events resulting in better security and sustained compliance.

1 comment:

Richard Blackham said...

Jackson...you assume attestation is a function of security only. What about all the other business processes that need attesting to? The sponsor doesn't need to be a corporate sponsor...what about internal audit to make sure accountability is in place? This could be data related to attest to valid and immutable data sets grabbed form sales data in ERP systems via APIs.
Your security centric world is very narrow in the context of attestation. think about it in a wider perspective and you will find there is huge potential for you if you are willing to go there.