1 Executive Summary
The report provides selected Key Risk Indicators (KRI) for the area of Access Governance. These indicators are easy to measure and provide organizations with a quick overview of the relevant risks and how these are changing. The indicators can be combined into a risk scorecard which then can be used in both IT management and corporate management.
The concept of Key Performance Indicators is well established at the corporate level, using scorecards as a tool for providing a quick overview on the progress of organizations towards their goals. Key Risk Indicators add risk metrics to that view, showing how well these risks are being managed as well as highlighting changes in risk.
Access Governance concerns the processes and technologies for the management of access controls in IT systems. Its objectives are to ensure legitimate access to resources and data while managing the risks of illegitimate access. These risks include the theft of information, fraud through alteration of systems or data, and the subversion of IT systems (through ransomware for example). The large number of reported incidents over the last twelve months shows the need to address these issues.
Access Governance is increasingly important as a way to manage the cyber-risks related to organizational IT systems. These risks extend beyond misuse and mistakes by insiders with legitimate access, to external cyber-attacks that often use apparently legitimate access credentials to bypass the many layers of network defences are now generally implemented by organizations. Often, the first sign that a cyber-attack is in progress is abnormal activity by a legitimate user’s account.
In addition to managing cyber risks, Access Governance is also relevant to regulatory compliance. For many industries, there are regulations that define how certain kinds of data must be acquired, stored, used and protected. These regulations range from those relating to the financial reporting of publicly listed companies, through pharmaceuticals and healthcare to manufacturing and public utilities. On top of this, the increasing number of privacy laws worldwide require stringent controls over how Personally Identifiable Information (PII) is collected and used. This brings not only CRM systems within the scope of Access Governance but also potentially Customer Identity and Access Management (CIAM) used by the organizations customers. Access Governance not only ensures compliance but also provides the evidence needed to prove compliance.
Kuppinger Cole strongly recommends using KRI concepts as management tool within IT and specifically for IAM and Access Governance. Many KRIs are easy to use and their adoption can provide rapid results. Using these, risks can become a key control for IT and support for decisions around IT investments.