SOx compliance software for a financial institution

Pirean : 07 July, 2009 (Application Story)
Pirean has implemented Compliance:One, a SOx compliance tool based on IBM Tivoli software, in a large financial institution.
Pirean has announced the successful implementation of its Compliance:One solution within a major financial institution, helping to reduce operational risk, improve application access controls and meet stringent Sarbanes-Oxley compliance regulations.

Pirean Compliance:One, built on IBM Tivoli Software, has dramatically reduced the client's SOx administration costs while allowing new applications to be quickly and securely added to the firm's logical access management policy with minimal complexity.

As Europe's only IBM AAA-rated Tivoli partner for both IT Service and Security Management, Pirean has developed its Compliance:One solution in co-operation with its clients over the last 24 months. The successful implementation makes it the first third-party SOx compliance solution to have been deployed and extensively field-tested within a large financial institution.

Pirean Compliance:One provides a centralised repository, workflow and presentation layer to manage the access rights of over 100,000 staff to business-critical applications, with a full audit capability. The solution offers granular control across AS/400, OS/390, Windows, Solaris, OS/2, Linux, web-based applications and any network-accessible resource. Access rights are managed using a hierarchy of privileges which maps onto the real-world hierarchy of the organisation.

The client, who does not seek external publicity on this matter, has a large estate of IT applications that have grown organically over the last three decades. The process of manually securing the access rights across such a large and distributed workforce was complex, costly and extremely difficult to comprehensively audit.

Although the project began before the highly publicised incident at Societe Generale, the requirement to securely control and provide audited access to critical applications is of paramount importance within the organisation. The potential for reputation damage and financial loss due to rogue trading as well as huge potential fines for breaches of regulatory compliance are major concerns for any large financial institution.

When the project began in 2007, the firm had considered the route taken by several other organisations, which had written highly bespoke in-house systems to meet access control requirements. The IT department looked at the feasibility of this approach and quickly dismissed it because of the sheer complexity of the challenge posed by its current systems. It was also felt that the longer-term commitment to maintain such a system in step with every new application deployment could become overwhelming and potentially add another layer of risk to its operations.

Instead, the firm went to market to seek out an alternative solution. As Stuart Wilson, MD of Pirean explains, "The central concept around Compliance:One is to distribute the process of authorising access and maintaining control to the managers who hold the knowledge, experience and authority to correctly assign access privileges to team members within the organisation."

"Each management level is supervised from the tier above and by external compliance teams to ensure that every authorisation has several layers of accountability. The solution ensures that access rights are validated regularly and proactively, whenever a personnel or process change occurs anywhere within the organisation," Wilson explains.

Pirean Compliance:One is built around a core IBM Tivoli Identity Manager infrastructure. Each day, the system gathers information on staff, applications and lines of responsibility which it verifies against business rules to ensure every application can only be accessed by staff with a valid authorisation as defined by centrally managed policies. "The solution is modular and has out of the box support for 'common' applications such as SAP, Oracle, RACF and Microsoft Active Directory," explains Wilson.

In daily operation, Pirean Compliance:One is self-managing and generates alerts to both managers and compliance officers within the organisation if it detects any anomalies or if a personnel or process change creates a situation which potentially breaches SOx compliance.
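As an added illustration of the daily check described above (example code, not Pirean's product or the IBM Tivoli Identity Manager API): constructed staff, policy and entitlement records are reconciled once, and every access right whose holder has left, who approved it themselves, or whose approver is not a manager in the holder's reporting line permitted by central policy becomes an alert. The record layout, the app/role policy structure and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Employee:
    uid: str
    manager: Optional[str]  # line manager's uid, None for the top tier
    active: bool

@dataclass(frozen=True)
class Entitlement:
    uid: str          # holder of the access right
    app: str
    role: str
    approved_by: str  # manager who authorised the right

def management_chain(staff, uid):
    # Walk up the real-world reporting line, nearest manager first.
    chain, cur = [], staff.get(uid)
    while cur is not None and cur.manager is not None:
        chain.append(cur.manager)
        cur = staff.get(cur.manager)
    return chain

def reconcile(staff, policy, entitlements):
    # One daily run: a right must belong to an active employee and be authorised
    # by a manager in the holder's chain whom policy (app -> role -> uids) permits.
    alerts = []
    for ent in entitlements:
        holder = staff.get(ent.uid)
        if holder is None or not holder.active:
            alerts.append((ent, "holder is not an active employee"))
        elif ent.approved_by == ent.uid:
            alerts.append((ent, "self-authorised"))
        elif ent.approved_by not in management_chain(staff, ent.uid):
            alerts.append((ent, "approver outside the holder's line of responsibility"))
        elif ent.approved_by not in policy.get(ent.app, {}).get(ent.role, set()):
            alerts.append((ent, "approver's tier may not grant this role"))
    return alerts

# Constructed sample data, not records from any real institution.
STAFF = {e.uid: e for e in [Employee("ceo", None, True), Employee("head_fx", "ceo", True),
    Employee("trader1", "head_fx", True), Employee("trader2", "head_fx", False),
    Employee("ops1", "ceo", True)]}
POLICY = {"trading": {"book_trade": {"head_fx"}, "approve_trade": {"ceo"}}}
ENTITLEMENTS = [
    Entitlement("trader1", "trading", "book_trade", "head_fx"),     # valid
    Entitlement("trader2", "trading", "book_trade", "head_fx"),     # leaver
    Entitlement("trader1", "trading", "approve_trade", "head_fx"),  # wrong tier
    Entitlement("ops1", "trading", "book_trade", "ops1"),           # self-approved
]
```

Re-running `reconcile` after a staff record changes (a leaver, or a move under a different manager) is what turns a personnel change into an alert without anyone re-submitting an access request.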

Prior to Compliance:One, the process of assigning and managing rights was handled by centralised teams of analysts working on a per-application basis, which was both costly and complex to manage and left greater room for human error. This manual approach made it extremely difficult to fully audit who had access rights across systems at a given point in time and, crucially, what those rights allowed the individual to do: answering that question meant trawling through the individual logs generated by each application and then cross-referencing the data with authorisation logs. With over 100,000 employees spread across almost every time zone and using a mixture of local and centralised IT systems, the complexity was astounding.

For many organisations the cost of compliance runs to millions of pounds each year; initial estimates indicate that Compliance:One will reduce compliance-related costs by at least two thirds in some organisations. Compliance:One will also provide considerably improved risk control, as the system has a better auditing facility and more comprehensive oversight and introduces daily detection of potential breaches of policy, which in itself is a key strengthening of audit control.

Pirean, which won the prestigious IBM Business Partner Award for Innovation in 2008 and was the only European Tivoli specialist to reach the finals of the IBM Beacon awards in 2009, is already in discussions with several large multinational financial institutions interested in piloting the solution. Pirean Compliance:One is also being deployed at a major County Council, where it is helping to deliver secure, audited access to hundreds of applications for over 100,000 students and staff across the county's 85 schools.

"Pirean Compliance:One was built with Sarbanes-Oxley in mind and we believe it is the only fully implemented and successfully validated third-party solution within a top-tier financial institution," comments Wilson. "The core principles behind SOx are very similar to other compliance and regulatory requirements; good audit processes and strong controls are at the heart of Pirean Compliance:One, which allows our clients to demonstrate improvements against many measurements," he concludes.
