Network Computing is part of the Informa Tech Division of Informa PLC

Employee Provisioning: Page 2 of 9

...To Zero-Day Stop

When employees leave, their access rights must be removed from some or all systems. If the original rights were granted without sufficient documentation, revoking rights will take some time. It's possible to overlook some systems, leaving unused and unmanaged user IDs and passwords in applications, thereby opening security holes. An EUA solution automatically removes all issued user IDs and passwords across systems, following defined business processes. This occurs even for access granted outside the system, if the system was synchronized before the revocation process kicked off. This practice is often referred to as zero-day stop, because it almost instantaneously removes all resources and accounts used by an employee leaving the organization.

An EUA solution's auditing and reporting features document what access levels were granted to which systems at what time. These trails provide information for security-policy reviews and a better understanding of the access necessary for roles across systems. If administrators, for example, are given access to systems above and beyond the documented set of systems, the EUA solution's auditing and reporting tools will show this pattern and may suggest you adjust your security policy, saving time in the future. If employees are being granted access that violates security policies, the software will help determine why it is occurring or point out that someone needs a reminder of the corporate security policies.
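The two checks described above (accounts left behind after a departure, and access beyond a role's documented set) can be sketched as a reconciliation pass over per-system account inventories. This is an added example, not code from the article or from any EUA product; the HR records, role policy, system names and the `reconcile` function are constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR records, the documented role policy, and
# per-system inventories ({account_id: enabled}) as a sync job might collect them.
HR = {
    "e100": {"role": "admin", "left": None},
    "e200": {"role": "clerk", "left": date(2024, 3, 1)},
    "e300": {"role": "clerk", "left": None},
}
ROLE_POLICY = {"admin": {"ldap", "mail", "erp"}, "clerk": {"ldap", "mail"}}
INVENTORY = {
    "ldap": {"e100": True, "e200": False, "e300": True},
    "mail": {"e100": True, "e200": True, "e300": True},
    "erp": {"e100": True, "e300": True},
    "crm": {"e200": True, "legacy1": True},  # granted outside the workflow
}

def reconcile(hr, policy, inventory, today):
    """Classify every enabled account; returns sorted (account, system) lists.

    leftover: owner has left but the account is still enabled
    excess:   active owner, but the system is outside the role's documented set
    unowned:  no HR record matches the account at all
    """
    leftover, excess, unowned = [], [], []
    for system, accounts in inventory.items():
        for account, enabled in accounts.items():
            if not enabled:
                continue  # already revoked on this system
            record = hr.get(account)
            if record is None:
                unowned.append((account, system))
            elif record["left"] is not None and record["left"] <= today:
                leftover.append((account, system))
            elif system not in policy.get(record["role"], set()):
                excess.append((account, system))
    return sorted(leftover), sorted(excess), sorted(unowned)

if __name__ == "__main__":
    names = ("leftover", "excess", "unowned")
    for name, rows in zip(names, reconcile(HR, ROLE_POLICY, INVENTORY, date(2024, 3, 2))):
        print(f"{name}: {rows}")
```

The `crm` entry for `e200` is only caught because the inventory was collected from that system before the check ran, which is the synchronization condition the article attaches to zero-day stop.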

Failure to give employees the access they need and no more can be financially painful. Those organizations and workers who must follow the HIPAA (Health Insurance Portability and Accountability Act; see "Does HIPAA Affect Me?") or GLB regulations (Gramm-Leach-Bliley Act)--aimed at financial services, banking, securities firms and insurance companies, as well as title companies and retailers that maintain credit operations--can get hit with penalties as high as $250,000 and 10 years in prison for failure to comply.

HIPAA, which regulates access to employees' health-related records, affects more than just pharmacies and health-care providers. Essentially, any company that pays for the health-care plans of more than 50 employees must follow these regulations. Among other things, HIPAA requires users to be uniquely identified by biometrics, a token or a user ID and password combination. The act also requires a company to record and audit activity related to access of patient medical information, online and offline as well as by electronic transfer.