Creating the Business Discipline
Data access management, the control and monitoring of access to data, is largely overlooked as a business-side discipline. Typically it exists as part of an IT-managed process built on an access provisioning model: a user requests certain access privileges, and IT approves or denies the request based on predefined types of access rights tied to job-role authority. Those decisions are governed by policies and rules covering system security, privacy, regulatory compliance, and Sarbanes-Oxley (SOX) requirements, the last expressed as Segregation of Duties (SoD) rules.
Many companies today require employees to complete internal training on information protection and business conduct. These courses usually cite examples of fraud, theft, insider trading, information privacy violations, and other accidents or misconduct involving company data and proprietary information. Many of these cases involve employees in business roles who were knowing or unknowing participants in the incident. The cases are used in training to illustrate what not to do and how damaging a lack of information protection can be.
Yet, beyond these generalized training courses and the use of access provisioning criteria to decide whether an employee can be granted data access, there is usually little if any responsibility for ongoing access control and monitoring of behavior assigned to the business ...