Turnkey Consulting's recent governance, risk and compliance (GRC) benchmark research report found that 68 per cent of organisations defined and documented their IT security authorisation procedures based on processes agreed with the business function.
Despite this, only just over a third of IT security experts believed that the business understands security - and this highlights a potentially serious issue.
IT supports business processes
All organisations depend on a wide variety of IT systems to enable and support their business processes. This ranges from email and instant messenger for communication, to document management systems for collaboration, to ERP systems for performing integrated business processes.
In order to enable users to complete their jobs effectively these systems must be able to allow access to the functions employees need to perform their jobs. However, it is equally important that, where access is inappropriate in a particular situation, the system is able to deny it.
Users must be restricted within corporate IT systems for a variety of reasons. It is important to ensure that communication systems are used primarily for business purposes. Collaboration systems must support their primary purpose of enabling collective working practices whilst respecting the sensitivity of certain data available within the company (e.g. personally sensitive HR data).
In an ERP system the situation becomes even more complex with the need to protect personal and financially sensitive data and also to respect segregation of incompatible duties - e.g. ensuring that a user who raises an invoice cannot also approve and pay this invoice.
This requirement is realised by software vendors in the form of permissions or authorisation concepts that allow granular access to functions and data. It is often the case that these permissions and authorisations are seen as the sole responsibility of the IT department 'techies'.
The 'business' only gets involved, or even becomes aware that there is an issue, if users find they can't do something. On the occasions that this happens, it is usually because the user shouldn't be carrying out the activity in question (but has historically been given access to do so), or because their responsibilities are changing and they are now required to perform additional tasks.
Involving business users in the design of authorisations and permissions
Authorisations and permissions are the gateway to data and functionality in IT systems. But treating security as something that is only carried out by the IT department is counter-productive.
Whilst the business may not be responsible for building the structures that provide permissions to users, it is important that business representatives are involved in the design process, so that they understand the design and can therefore make appropriate and informed approvals for access requests. That is to say, the 'non-techie' business needs to understand enough about security to take ownership of security approval processes after the initial project.
Ultimately it is the business that bears the consequences of a poorly secured system. It is difficult to say that a case of internal fraud or financial misstatement is a purely IT issue. However, such incidents are preventable through well-defined permission structures allocated to the appropriate business users. Since the business bears the risk, it is logical that it should be fully engaged in the design of the solutions that prevent such risks from materialising.
Without adequate understanding and design of the permissions structures, users are not able to use the functions that they require in order to run the business processes. If incorrectly designed, the same permissions structures will allow users to access data and functions that they should not be using. Examples include system administration functions, access to sensitive personal data, or commercially sensitive data such as sales figures.
Ensuring appropriate control of user activity
Business ownership of security is vital to ensure that there is adequate control placed over who can do what in business critical systems. Only the business can define if a payments clerk can pay vendor invoices or employee expense claims. Only the business can understand the implications for letting someone perform that activity.
For example, the person responsible for carrying out the payment run, or amending vendor bank details, could potentially be changing these to their own bank details, which allows them to make fraudulent payments to themselves.
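As an added illustration (not code from the original article), the following Python check flags the incompatible-duty combinations described above and in the earlier invoice example. The roles, users and permission names are constructed; the point it demonstrates is that each role is clean on its own and the conflict only appears once two roles are combined on one person.

```python
"""Segregation-of-duties (SoD) check over ERP role assignments.
Added illustration, not the article's own code: roles, users and
rule pairs are constructed; the pairs mirror the article's cases."""

# Constructed role catalogue: role -> permissions it grants.
ROLES = {
    "AP_CLERK": {"raise_invoice", "view_vendor"},
    "AP_SUPERVISOR": {"approve_invoice", "view_vendor"},
    "TREASURY": {"payment_run", "view_vendor"},
    "VENDOR_MASTER": {"amend_vendor_bank", "view_vendor"},
}

# Constructed user -> roles. Each role is clean on its own; conflicts
# appear only when roles are combined on one person.
ASSIGNMENTS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_SUPERVISOR"],    # raises and approves invoices
    "carol": ["VENDOR_MASTER", "TREASURY"],  # amends bank details and pays
    "dave": ["TREASURY"],
}

# Incompatible duties as the business defines them (article's examples).
SOD_RULES = [
    ("raise_invoice", "approve_invoice"),
    ("raise_invoice", "payment_run"),
    ("amend_vendor_bank", "payment_run"),
]


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of permissions granted by all of a user's roles."""
    perms = set()
    for role in assignments.get(user, []):
        perms |= roles[role]
    return perms


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, rules=SOD_RULES):
    """Sorted (user, perm_a, perm_b) for every rule a user's combined roles break."""
    found = []
    for user in assignments:
        perms = effective_permissions(user, assignments, roles)
        found += [(user, a, b) for a, b in rules if a in perms and b in perms]
    return sorted(found)


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"SoD conflict: {user} holds both {a} and {b}")
```

The rule list is the part the business owns; the check itself is the part IT builds and runs, which is exactly the division of responsibility the article argues for.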
On the other side of the coin, over-restrictive controls result in time being wasted while individuals obtain the authorisation required to do their job. It is essential, therefore, that it is well understood which members of staff are allowed access to a given function, and that this is continuously controlled.
This is outside the jurisdiction of the IT and security department, whose key responsibility is to build the technical structures and ensure that the correct permissions are working and allocated in line with the business's approvals. It is the business that has the actual ownership of the roles, authorisations and permissions for the applications that support its processes.
Clear communication and a culture of security awareness
The translation of business requirements into security configuration that grants the required access needs to be a two-way communication process. The business must define and articulate its IT security needs and the commercial risks that drive them.
In return, the techies have to be able to respond in a way that is clear and understood by business users. In this way the business will begin to develop an understanding of the security design, thereby tackling the root of many security problems encountered by today's organisations.
IT systems are the lynchpin that supports business-critical functions, and treating IT security as something that is done by the IT department therefore misses the point. Rather, a culture of security awareness should be instilled throughout the organisation if lapses in IT security are to be prevented.
It is the failure to do this that has caused many of the high-profile security breaches of recent years, which have compromised customers, damaged brands and had long-term financial implications.
IT security is good business practice
There is no excuse for security not to be well understood, and both the business and technical departments must take responsibility for collaborating to address this issue. Even as IT budgets remain under threat, there are some technology projects that cannot be ignored, and making IT security a priority should simply be regarded as good business practice.