Today any organisation, regardless of size, location or business sector, must constantly comply with the standards and regulations set by the bodies responsible for regulating and inspecting its activities.
The General Data Protection Regulation (GDPR), the Network and Information Security (NIS) directive, the revised European Payment Services Directive (DSP2), the French general security policy for information systems in healthcare (PGSSI-S) … there are an increasing number of regulations aimed at codifying IS security, reflecting the fact that awareness is growing across the board: cybersecurity is a critical priority.
Taking control of your identity and access management strategy helps to make your company compliant with current regulations in your business sector. Non-compliance can lead to heavy legal and/or financial penalties for the company and its directors.
Take control of your users’ authorisations to comply with regulatory requirements
Regulation stresses the importance of visibility and checks on IS users’ access rights and authorisations. So it is essential that you know who has and should have access what on your IS, and track operations performed using this access. You must check regularly that your IS users’ authorisations are consistent with your security policy.
An authorisations review can prove complex and very laborious when done manually. To meet analysis needs almost immediately and reliably, it is best to industrialise this process by implementing IAM.
An appropriate IAM platform gives you a central overview of your IS users’ access rights and ensures traceability of the actions taken, both of which are basic building blocks of compliance. It makes it easy to check the rights granted to users and prove to auditors that they are legitimate, and to demonstrate the procedures and actions in place to reduce operational risk in the event of error. Control processes are therefore simple and smooth, and the associated workload is considerably reduced.
Audits by Official Auditors
As part of their assignments, official auditors carry out IT audits intended to confirm that an information system is functioning properly and contributing to the integrity of financial statements. The aim is to check how a company’s applications operate and their contribution to the quality of processes, to the implementation of relevant internal control, and to fraud risk management. An authorisations analysis is required in order to identify factors that increase or reduce an application’s need for protection, assess this need in the round, and check that the authorisations granted by the company are adequate.
Tightening up your IS access control to: a key element of compliance
Tightening up your users’ access to the IS is a key regulatory compliance factor in many business sectors where data is sensitive, such as health and finance, and where confidentiality is a non-negotiable condition. Organisations are obliged to demonstrate that they have put in place robust and consistent access control measures in order to protect data from any unauthorised access.
As a first line of defence, IAM is designed to ensure that only authorised users can access the IS. Using an IAM platform gives you an excellent level of finesse when writing your access control rules, both for 100% web processes and purely “workstation” or mobile processes.
Strong authentication in all its forms – such as ‘MFA’ (Multi-Factor Authentification), adaptive authentication and risk-based authentication – avoid scenarios where a single password is enough to gain unlimited access to sensitive systems.
These functionalities enable you to build in varying degrees of security according to your users’ profiles and roles, and the circumstances in which they log in. You can bolster or streamline the level of security for access to your IS and your applications based on how vulnerable the targeted data is.
Fulfilling regulatory or statutory requirements regarding data security and confidentiality inexorably entails data access control.
Some examples of regulations
In the event of an audit, if an organisation has a solid IAM strategy, it can prove that it has taken measures to reduce the risk of data being stolen or misused. IAM can also help comply with more specific criteria under the various regulations. These include:
DSP2 : The revised European Payment Services Directive
- Objective: to promote innovation, competition and efficiency within the market and more specifically to modernise payment services within Europe for the benefit of consumers and businesses.
- Effective date: 13 January 2018, with a transition period of 18 months after publication of the regulatory technical standards in the Official Journal of the EU, which postpones their application to September 2019.
- Obligation relating to data access: strong authentication is mandatory for online payments of over 30 euros and for setting up standing orders and direct debits. Account aggregation and payment service providers will also be required to use strong authentication when connecting to banks and retrieving users’ data.
RGPD : General Data Protection Regulation
- Objective: to standardise the European legal framework on protection of personal data.
- Effective date: 25 May 2018
- Obligation regarding access to data: going beyond the principle of consent for the collection and retention of data, this new regulation extends the responsibilities of organisations and their requirement to ensure the security of their customers’ information Companies must make every effort to effectively secure their information systems. Strengthening access security through the use of strong authentication is a first step towards attaining the security standard required by the GDPR.
NIS: Network and Information Security Directive
- Objective: to give each member state the means to better protect their organisations and essential public services against cyberattacks. An extension to the cybersecurity mechanism for operators of critical infrastructures introduced by the French Military Planning Act (LPM) in 2013, this Directive further strengthens the protection of various other bodies that are critical to the everyday lives of citizens.
- Effective date: 09 May 2018
- Obligation regarding access to data: the Directive sets objectives although does not impose any specific means, and the security measures that will be required of operators of essential services (OES) are yet to be stipulated. Nonetheless, a “control and audit” strand is envisaged and the requirements in terms of security of terminals and strong authentication will be more stringent.