Compliance with regulations and policies governing access to IT resources is equally important for business organizations. However, IT compliance departments have much to learn from college recruiting compliance departments.
Compliance Policies and Practices of College Recruiting
College football is big business—a $3.2 billion business in fact. Much of that money is reinvested to keep the recruiting pipeline moving. Scouts and coaches convince athletes to play for their school in exchange for scholarships and a chance to be a part of a winning program.
To sweeten a school’s offer, “boosters” often tempt players with extra (and unapproved) incentives such as money or other gifts. But these incentives create an uneven playing field for recruiting. To combat these illicit practices, the National Collegiate Athletic Association (NCAA) enforces stringent restrictions on recruiting practices. However, the level of competition and amount of money at stake tempts some school officials to skirt these policies.
To enforce these restrictions, every school houses an internal compliance department, but these departments aren’t just dummy institutions keeping up appearances. The level of detailed instructions, training, monitoring, enforcement and institutional control that these compliance departments enact would put most IT compliance organizations to shame.
Compliance Policies and Practices of IT Compliance Organizations
The fact that colleges are always recruiting is part of the reason the NCAA (and competing schools) are vigilant about monitoring compliance. Colleges have no choice but to be constantly compliant, so they actively train their organizations and continuously monitor activity.
IT compliance practices, on the other hand, have a ways to go compared to the NCAA. An important control for compliance in the IT world is access certification as part of least privilege enforcement. But two major flaws make current access certification practices ineffective:
- Point-In-Time Access Certifications: Compliance in the business world is seen, for the most part, as a point-in-time practice. The same is true with access certifications. Instead of constantly evaluating user access, business managers only certify access once or twice a year. So if it takes months for a manager to realize a particular user has too much access, an attacker could have already compromised that access and gained entrance to critical systems.
- Ineffective Access Certification Practices: Not only are there large gaps of time between certifications, but the certification process itself is often ineffective. Business managers, who are already busy, are given massive spreadsheets filled with a seemingly endless amount of users and applications to certify. Because of this overwhelming and time-consuming process, business managers typically “rubber-stamp” approval for all access without thorough analysis.
To remedy these problems, compliance departments should replace point-in-time practices with all-of-the-time practices. This can be accomplished by leveraging the risk scoring already available in other identity and security tools: it indicates when an ad-hoc certification should occur and gives elevated visibility into users with abnormal access, so the access certification process can be prioritized.
Additionally, privileged users should be scrutinized more thoroughly than standard users. After all, privileged users present the most risk to organizations. Many notable security breaches, such as the NSA, Anthem and Sony hacks, have occurred because organizations didn’t properly account for their privileged users. These large organizations aren’t exceptions either. Because of the complexity of today’s IT environments, many users are provisioned with administrative access—even when it may be unnecessary. As a result, your organization may have more privileged users than you think.
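As an added illustration of the risk-scored, continuous approach described above (example code written for this page, not a tool from the original post), the following Python ranks constructed access grants by privilege, abnormality relative to department peers, and staleness of the last certification, and flags the ones that warrant an ad-hoc certification instead of waiting for the annual cycle. The privileged entitlement names, score weights, and threshold are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Entitlement names treated as privileged (assumed; taken from no real system).
PRIVILEGED = {"admin", "root", "dba"}

@dataclass
class Grant:
    user: str
    dept: str
    entitlement: str
    last_certified: date

def risk_score(grant: Grant, peer_share: float, today: date) -> int:
    """Higher score = review sooner. Adds points for privileged entitlements,
    access that few department peers hold (abnormal), and stale certification."""
    score = 50 if grant.entitlement in PRIVILEGED else 0
    if peer_share < 0.25:          # under a quarter of peers hold it: abnormal
        score += 30
    months_stale = (today - grant.last_certified).days // 30
    return score + 2 * min(months_stale, 12)   # +24 at most, for a year-old review

def build_certification_queue(grants, today, threshold=40):
    """Return (score, user, entitlement, action) sorted riskiest first; scores at
    or above threshold trigger an ad-hoc certification rather than the cycle."""
    dept_users, holders = defaultdict(set), Counter()
    for g in grants:
        dept_users[g.dept].add(g.user)
        holders[(g.dept, g.entitlement)] += 1
    rows = []
    for g in grants:
        share = holders[(g.dept, g.entitlement)] / len(dept_users[g.dept])
        s = risk_score(g, share, today)
        rows.append((s, g.user, g.entitlement, "ad-hoc" if s >= threshold else "cycle"))
    return sorted(rows, key=lambda r: r[0], reverse=True)

# Constructed sample grants, not data from any real organization.
TODAY = date(2024, 6, 1)
SAMPLE = [Grant(u, "finance", "erp_read", date(2024, 5, 1))
          for u in ("alice", "bob", "carol", "dave", "erin")]
SAMPLE += [Grant("dave", "finance", "admin", date(2023, 6, 1)),            # privileged, rare, stale
           Grant("carol", "finance", "payroll_export", date(2024, 1, 10)),  # rare, somewhat stale
           Grant("eve", "eng", "admin", date(2024, 5, 15)),                 # privileged, common in eng
           Grant("frank", "eng", "admin", date(2024, 5, 15)),
           Grant("grace", "eng", "git", date(2024, 5, 15))]

if __name__ == "__main__":
    print(*build_certification_queue(SAMPLE, TODAY), sep="\n")
```

The peer-share test is a deliberately simple stand-in for the anomaly signals a real identity tool would provide; the point is that the queue is re-ranked whenever grants or scores change, not once a year.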
Like the NCAA compliance departments that constantly monitor and enforce recruiting policies, IT compliance monitoring needs to become more intelligent and real-time, accounting properly for privileged users. If your security department takes steps to strengthen access certification, your organization can avoid being sacked by attackers.