Focus on Policy Alignment
2. Focus on policy alignment
Business managers understand the risks associated with sensitive applications based on asset value, privacy requirements or potential for fraud or misuse. Because of this, they are the ones best equipped to define the control objectives needed to mitigate business risk. At the same time, the IT organization is ultimately responsible for ensuring that access configurations (who can access programs, tables, documents, etc.) conform to those business policies.
Both sides must be involved in order to achieve policy alignment at the implementation level (that is, not just captured in binders that sit on a shelf). Business-friendly tools that allow business managers to understand how policy is implemented and that highlight when policy violations are detected can help ensure that IT controls properly reflect compliance policy.
3. Make transparency a priority
The final step to engaging business managers is perhaps the most important one. The organization must ensure the required level of transparency into its identity data, presented in a way that business users can readily understand. It is simply not practical to expect business managers to interpret cryptic access privileges as they natively occur in directories, operating systems, applications and databases, let alone make any meaningful decision about those privileges. To ensure good decisions and effective oversight, business managers require business-oriented user interfaces, glossaries and help facilities that turn IT data into business intelligence.