
A must-have compliance primer

Understand how an effective enterprise provisioning solution can help companies comply with corporate governance regulations.


In the wake of the Enron and Worldcom accounting scandals, the regulations an enterprise implements to ensure its integrity are open to increasing scrutiny. This has given rise to a growing number of initiatives: Basel II, the Sarbanes-Oxley Act and the new Companies Act, soon to be enacted in the UK, are all designed to ensure that high standards of corporate governance become part of day-to-day business culture.

Basel II

Basel II, the forthcoming protocol for the financial sector, is designed to replace the 1988 Capital Accord. It recognizes that managing and controlling financial risk and operational risk, such as IT, is an integral part of corporate governance and, as such, obligates companies to assess their vulnerability and make it public.

Basel II is based on three main areas that allow banks to effectively evaluate the risks financial institutions face: minimum capital requirements; supervisory review of an institution's capital adequacy and internal assessment process; and market discipline through effective disclosure, to encourage safe and sound banking practices.

Financial organizations that do not provide appropriate details must set aside 20% of their revenue in order to cover losses, or risk being prevented from trading. The first phase of Basel II will come into effect at the end of 2006, with the more advanced elements planned for implementation at the end of 2007.

Sarbanes-Oxley Act

The furthest reaching of these regulations is the Sarbanes-Oxley Act, which requires companies to comply with challenging new standards for the accuracy, completeness and timeliness of financial reporting, while increasing penalties for misleading investors. The Act, which applies to all companies (and their subsidiaries) on the US public markets, protects the interests of investors and serves the wider public interest by outlawing practices that have proved damaging, such as overly close relationships between auditors and managers. The law includes stiff penalties for executives of non-compliant companies, including fines of $5 million and up to 20 years in prison per violation.

Companies Act

The forthcoming Companies (Audit, Investigations and Community Enterprise) Act is designed to help UK firms avoid the much-publicized accounting and auditing problems experienced by companies such as Enron, Worldcom and Parmalat. The bill will impose new measures to ensure that data relating to trades, transactions and accounting throughout an organization is fully auditable.


Basel II, the Sarbanes-Oxley Act and the Companies Bill all highlight the fact that board directors and executive management have a duty to protect the information resources of their organizations. As such, network security – preventing unauthorized access to information and data – is of the utmost importance, and the most effective way of achieving this is by deploying an effective provisioning solution that allows the enterprise to determine who has access to which applications and when.

However, implementing an identity and access management program that ensures the correct level of security and internal controls over key information and data can be a difficult task for many large organizations.

Often, systems and access policies in use today were developed many years ago when security was not necessarily the highest priority. Not only are these legacy systems now unsuitable for use, but, since being implemented, many of the policies associated with them have not been reviewed, and access is granted either manually or by way of 'home grown' development.

Furthermore, many of the systems were not developed to cater for temporary changes, such as the provisioning and de-provisioning of contract workers or accounting for a member of staff on leave. Adding to the problem is the fact that companies often have myriad systems and access policies, which have been merged with another organization's policies, systems and architectures.

These issues are now major problems that need to be addressed urgently. As well as the need to comply with corporate governance regulations, the situation has also given rise to an increased security threat; a fact highlighted by the Financial Services Authority's Financial Crime Sector Report: 'Countering Financial Crime Risks in Information Security'.

Secure Enterprise Provisioning

The latest enterprise provisioning technology allows organizations to alleviate these problems through centralized management of IT systems and applications, and the users who access them. Enterprise provisioning solutions, which automate the granting, managing and revoking of user-access rights and privileges, solve the problems created by complex user bases and IT infrastructures by enforcing policies that govern what users are allowed to access and then creating access for those users on the appropriate systems and applications.

The solution can execute provisioning transactions dynamically, based on the nature of the request and then initiate the appropriate approval workflows as defined by the appropriate policy. It will also provide robust reporting that enables the IT department to better manage user access rights from a global view. For example, systems administrators can view who has access to particular systems or the status of any individual access request (add, move, change, delete) in real time.

The best of the new breed of provisioning systems enforce organizational policies designed to ensure that financial enterprises comply with regulatory requirements by governing who can access particular systems and the information they contain. Reporting and auditing capabilities enable the organization to demonstrate compliance by listing who has access to protected systems and reporting on how the access was granted and that appropriate approvals were obtained, thus demonstrating that proper policies designed to comply with regulations are being followed. The software can also demonstrate that users who have left the organization have had access revoked from all the systems to which they were previously authorized.
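As an added illustration (not Thor's product or any code from the original article), the following Python models the three capabilities just described: policy-driven grants that require a distinct approver, an audit log showing how each access was obtained, and a reconciliation pass that flags leavers, orphaned accounts and access beyond a user's role. The role policy, HR roster and system account lists are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample data (assumption: these stand in for an HR feed, a role policy
# and per-system account exports; none of it comes from a real environment).
ROLE_POLICY: Dict[str, Set[str]] = {"trader": {"trading-app", "email"},
                                    "analyst": {"email", "reporting"}}
HR_ROSTER: Dict[str, Tuple[str, str]] = {  # user -> (role, employment status)
    "alice": ("trader", "active"), "bob": ("analyst", "left"), "carol": ("analyst", "active")}
SYSTEM_ACCOUNTS: Dict[str, Set[str]] = {  # system -> users currently holding an account
    "trading-app": {"alice", "bob"}, "email": {"alice", "bob", "carol"}, "reporting": {"carol", "dave"}}


@dataclass
class Provisioner:
    audit_log: List[dict] = field(default_factory=list)  # evidence of how access was granted

    def request(self, user: str, system: str, requester: str, approver: str) -> bool:
        """Grant only if the role policy permits it and a different person approved it."""
        role, status = HR_ROSTER.get(user, (None, "unknown"))
        permitted = status == "active" and system in ROLE_POLICY.get(role, set())
        granted = permitted and approver != requester  # no self-approval
        self.audit_log.append({"action": "grant" if granted else "deny", "user": user,
                               "system": system, "requester": requester, "approver": approver})
        if granted:
            SYSTEM_ACCOUNTS.setdefault(system, set()).add(user)
        return granted

    def reconcile(self) -> List[dict]:
        """List every account the roster and policy do not justify; each is an audit exception."""
        findings = []
        for system, users in SYSTEM_ACCOUNTS.items():
            for user in sorted(users):
                role, status = HR_ROSTER.get(user, (None, "unknown"))
                if status == "unknown":      # account with no matching person: orphan
                    findings.append({"type": "orphan", "user": user, "system": system})
                elif status == "left":       # leaver whose access was never revoked
                    findings.append({"type": "leaver", "user": user, "system": system})
                elif system not in ROLE_POLICY.get(role, set()):   # access beyond role
                    findings.append({"type": "excess", "user": user, "system": system})
        return findings

    def revoke_leavers(self) -> int:
        """De-provision leavers on every system, recording each revocation; returns the count."""
        count = 0
        for finding in [f for f in self.reconcile() if f["type"] == "leaver"]:
            SYSTEM_ACCOUNTS[finding["system"]].discard(finding["user"])
            self.audit_log.append({"action": "revoke", **finding})
            count += 1
        return count
```

Running `reconcile()` on the sample data reports bob (who has left) on two systems and an orphaned account for dave; after `revoke_leavers()` only the orphan remains, and the audit log holds the grant, deny and revoke records an auditor would ask for.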

These capabilities not only make regulatory compliance straightforward and easy to manage, but ensure increased productivity. Users can be connected to the resources they need to be productive in a fraction of the time, cost and effort previously required. Enterprises can compress the user set-up process from weeks to minutes and application integration from months to just days.

In addition, the IT department's own productivity will increase dramatically as resources are freed up from the time-consuming tasks of managing user access and building integrations to managed systems and applications.

By ensuring regulatory compliance and at the same time reducing IT costs, secure enterprise provisioning solutions are sure to evolve from the great opportunity they currently present to a critical element of the IT infrastructure of successful businesses.

About the author

Michael Burling is vice president of International Sales of Thor Technologies.

About Thor Technologies

Thor Technologies provides identity management solutions to meet the security and compliance needs of large organizations. Thor works with companies such as Lehman Brothers, MphasiS and Nextel Communications and counts Accenture, BearingPoint, BEA Systems and RSA Security among its strategic partners.
