The Black Book of Identity Access Mgmt
    Friday, Jul 09 2010

    The end is near (or at least the end of the quarter)

    In my family, we’re huge fans of the Discovery Channel, the History Channel, TLC (can’t wait for that new show where Sarah Palin shoots more stuff from a helicopter), and National Geographic (on which they specifically BAN people from shooting stuff from a helicopter). Between shows on the American Revolution, the Black Plague, the Crusades, the Ice Age, and guys blowing stuff up, they seem to run a lot of spots these days on the year 2012, which is when the Mayan calendar or the Druids or somebody else is predicting the world will end.

    I find these shows fascinating, but perplexing. Does this mean I should stop paying my mortgage? And does it also mean that I should be in a hurry to return my library books, or just not bother at all?

    We must remember that the End of the World is relative. For some, it’s already come. For example, if you’re in the role mining business, the deal sizes are small, and there’s nobody left to buy you out. Ouch. If you’re like me, then every time you see your wife’s relatives coming up the driveway, you’re pretty much PRAYING for Armageddon, or maybe you just fake a seizure, which has worked for me on occasion.

    But if you’re a CFO or CSO, the End of the World could be simply the End of the Quarter, if you’re not prepared for your next security audit. A bad audit can do damage to both your company and your personal well-being. If it’s a Sarbanes-Oxley audit, well, you have your lawyer talk to the auditors and you kinda get away with it. If it’s HIPAA violations, you write a letter, promise not to do it again, and you kinda get away with it. If it’s NERC, they come to your house and hit you in the knee with a big stick.

    Depending on your industry, the fines can be icky. Usually the bad press is reserved for people whose shortcomings have actually resulted in exploits or leakage. But failure to remediate following that audit may result in that leakage.

    Audits may not kill you. But I’ve seen some customers get really raked over the coals after one, and I’ve seen customer contacts get bad reviews because of them. Specifically, a customer told me after they got dinked, “You’d think, from listening to management, that it was the end of the world.” And there’s the worst case scenario. You may not think it’s that bad, but if your BOSS thinks it is, then it might as well be.

    Pass that security audit. Secure the infrastructure, make it tell you what is going on, how many users you have, what access they have, and enforce your policies. You do have policies, don’t you?


    Reader Comments (1)

    I don't always agree with you but I always enjoy your thoughts

    December 19, 2011 | Unregistered Commenter lawrence t.
