• United States



by Paul Kerstein

Expert: Regulations Shouldn’t Drive ID Management

Sep 29, 20052 mins
CSO and CISOData and Information Security

Organizations should not look to identity management as a simplesolution to comply with laws such as the Sarbanes-Oxley Act of 2002, aU.S. law governing financial and internal reporting controls, said AndyWoodfield, director of the IT security team at PricewaterhouseCoopersLLP.

“A lot of media and telecom businesses have grown very quickly,acquired lots of businesses and focused on growing subscriber numbers… not necessarily on good business process controls,” Woodfield said.”So now things like Sarbanes-Oxley are asking to put the controls backin place.”

Woodfield, who advises organizations on identity management issues,spoke at a half-day seminar Thursday sponsored by Sun Microsystems Inc.called “SunLIVE Telco and Media 2005” in London.

Identity management can offer businesses advantages such as reducinghelp desk staff needed to reset passwords and increased security.Hardware can be reduced by consolidating ID directories and stores,saving money, Woodfield said.

But too many identity management projects at organizations fail becauseof poor management, a poor link of projects to the organization’sstrategic goals and a lack of vision, Woodfield said. Projects shouldbe led by business goals, not technology goals, he said.

“The technology is very much a second phase,” Woodfield said. “Build a good business plan.”

By Jeremy Kirk – IDG News Service (London Bureau)