Sunday, March 08, 2026

ID Risk Management: Corporate Intelligence Unit (CIU)…

What is your name? Where do you live? What is your phone number? Where were you born? What is your social security number? What is your passport number? Where was it issued? What evidence do you have that this is all true? Your identity is at stake and Operational Risk Management is on the line.

These questions and more are asked of us on a regular basis to establish our true identity. The entity asking these questions is considering whether to grant you access. Access to what?

It could be to establish an account at a banking institution, get a driver's license or become a member of a trusted community of people. Or it could be a country deciding whether to grant you a visa to visit or work for a period of time.

Whether you are in the UK, admitting people into your country, or a Global 500 company allowing someone access to your corporate facilities, digital assets or place of business, you must have ways to effectively validate who people say they are, and who they really are.

Even if you asked all of the questions above in the early stages of the company hiring process, would you really have the entire picture? That picture changes over time and with events in a person's life. Identity Management, and the use of both "known to many" and "known to few" attributes about who you are and who you know, is a reality in today's blur of global commerce.

When a country has a breach of security by admitting people who are not who they purport to be, is it any different in the context of a Defense Industrial Base company headquartered in Chicago, IL or an Investment Banking firm in Geneva, Switzerland? What are different are the motives and the outcomes of the fraudulent acts.

What are the current arguments and the leading reasons why our policies, methods and tools associated with Identity Management are in a state of chaos in the United States?

"What is interesting is that the same people who are coming to work every day with their TWIC or CAC cards are also victims of ID Theft as consumers."

The same individuals who walk into the SCIF or the bank vault may very well be people who have active investigations going on regarding their identity being used to perpetrate crimes or other fraudulent motivations. So what are some of the most important issues on the Identity Management horizon?

In all of the breaches and all of the incidents, there is a root cause: a failure in the people, process, systems or an external factor that opened up the vulnerability for the attacker to exploit and obtain their objective.

It's called Continuous Monitoring. This issue is found, of all places, in Appendix G of the US NIST SP 800-37, which illustrates the reason why “Continuous Monitoring” is critical, especially in information systems.

Private Sector companies have a duty to invest in resources, policy refinement and new methods or tools to keep continuous monitoring as vigilant as possible:

"Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. A well designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation."

Much of what we know about our employees is found in their HR files, background reports (if ever done) and what co-workers say about their behaviors in the workplace.

Corporate Security, Risk Management, General Counsel, Information Technology, Public Relations and even the EAP (Employee Assistance Program) executive managers shall create, maintain and continuously operate a Corporate Intelligence Unit (CIU) and “Threat Assessment Team”.

Without it, the consequences of not knowing a person's true identity or current state of mind could cost you more than the loss of life.

It could cost you or the organization's global reputation…