Using Policy and Compliance Tools to Reduce Insider Threats

When Tokyo Electron U.S. Holdings, Inc. (TEL U.S.) started to prepare for Japan’s Financial Instruments and Exchange Law (informally known as J-SOX), the company decided that compliance wasn’t enough.

Like similar legislation in the United States, J-SOX mandates that companies establish effective internal controls over financial reporting. A global supplier of semiconductor production equipment, TEL U.S. is a subsidiary of Tokyo Electron of Japan. TEL U.S. had already been complying with SOX, so when J-SOX went into effect on April 1, 2008, TEL U.S. could have tweaked their controls slightly and hoped that their SOX compliance would cover J-SOX as well come audit time.

Instead, TEL U.S. treated it as an opportunity to address a bigger problem than compliance: insider risk. After all, IT dollars are tight. If you can lean on regulations to help fight security risks, everyone wins.

TEL U.S. wanted to figure out how user access, financial controls and intellectual property protection fit together. Too often, data breach stories in the press are covered as if they happen in a vacuum: information was breached and consumers were affected. Overlooked is how things like user access, and the controls built around user access, contribute to those leaks.

User Access and Société Générale

Consider the Société Générale scandal in France. Trader Jérôme Kerviel, who was previously an IT employee, allegedly circumvented internal IT controls to make a series of unauthorized, fraudulent and speculative transactions that ended up costing the bank $7.2 billion. What is this if not a story about flawed access policies?

“Before we instituted an automatic sign-off process for user accounts, it would have been hard to tell whether or not some former employee or contractor still had rights,” said Russ Finney, VP of U.S. information systems operations for TEL U.S.

To address this problem, TEL U.S. established a confidential information management (CIM) program to identify and classify information properly. “Classifications can range from public to internal-only to highly classified,” Finney said.

Once information is classified, business processes are built around each type of classification. This is no small task. Many organizations hope to simply throw technology, such as data-leak prevention solutions, at the problem. However, if data isn’t classified and treated properly, no amount of technology will help.

“It’s a big job,” said Jon Oltsik, senior analyst, information security for the Enterprise Strategy Group. “You have to figure out what kinds of data are moving around the enterprise, how to classify them, and then you have to determine who can use which types and for what purposes.”

Classifying data doesn’t sound all that hard until you consider just what you have to look at—each and every application, including things like email, IM and Web 2.0 applications. There are plenty of reasons, though, to tackle this job. Avoiding the fate of TJX, Hannaford Brothers Grocery and the VA is reason enough.

Oltsik expects to see more companies following TEL U.S.’s lead, and one of the drivers is compliance. Compliance helped drive TEL U.S.’s CIM program. At the same time, the burdens compliance places on IT drove the company to institute a related program: compliance automation.

“In the past, we had to rely on yearly audits to know whether we were compliant or not,” Finney said. “It’s really complicated, and it’s hard to see the big picture.”

TEL U.S. turned to SailPoint and its compliance management solution to help. SailPoint Compliance IQ gives organizations visibility into and control over user access, reducing compliance burdens by automating access control processes.
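The automated sign-off Finney describes and the access reviews that compliance automation replaces yearly audits with can be illustrated with a small reconciliation. This is an added example, not TEL U.S.’s process or SailPoint’s code: the HR roster, the account export, and the entitlement names (gl-post, gl-approve, ap-approve) are all constructed, and the separation-of-duties pair is a hypothetical rule of the kind J-SOX-style financial controls require.

```python
from datetime import date

# Constructed HR roster: user id -> employment status and end date (if any).
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2008, 2, 15)},
    "carol": {"status": "contractor", "end_date": date(2008, 3, 31)},
    "dave": {"status": "contractor", "end_date": date(2008, 12, 31)},
}

# Constructed account export from a financial application: (user id, entitlement).
ACCOUNTS = [
    ("alice", "gl-post"),
    ("alice", "gl-approve"),
    ("bob", "gl-post"),
    ("carol", "ap-approve"),
    ("dave", "ap-approve"),
    ("erin", "gl-post"),  # no HR record at all: an orphaned account
]

# Hypothetical entitlement pairs that one person must never hold together.
SOD_CONFLICTS = [frozenset({"gl-post", "gl-approve"})]

# Date of the review run (the day J-SOX took effect, used only as sample input).
REVIEW_DATE = date(2008, 4, 1)


def review_access(accounts, roster, today):
    """Return (user, entitlement, reason) items a manager must revoke or
    certify. Anything not returned passes the automated sign-off."""
    findings = []
    held = {}
    for user, entitlement in accounts:
        held.setdefault(user, set()).add(entitlement)
        record = roster.get(user)
        if record is None:
            findings.append((user, entitlement, "no HR record (orphaned account)"))
        elif record["status"] == "terminated":
            findings.append((user, entitlement, "owner terminated"))
        elif record["end_date"] is not None and record["end_date"] < today:
            findings.append((user, entitlement, "contract ended " + str(record["end_date"])))
    # Separation-of-duties check across everything a single user holds.
    for user, entitlements in held.items():
        for pair in SOD_CONFLICTS:
            if pair <= entitlements:
                findings.append((user, "+".join(sorted(pair)), "separation-of-duties conflict"))
    return findings


if __name__ == "__main__":
    for user, ent, reason in review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"REVIEW {user}: {ent} -> {reason}")
```

Run on the sample data, the review flags the terminated employee, the contractor whose end date has passed, the account with no HR owner, and the user holding both posting and approval rights, while leaving the active contractor alone.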