Identity risk metrics quantify a system's identity assets, potential threats, countermeasures, and vulnerabilities.
Identity theft is any use of another person's identity information in order to commit fraud. The simple example of identity theft is a stolen credit card used to purchase items. However, more sophisticated fraud includes such activities as hacking corporate networks to steal confidential enterprise data, using a fraudulent SSN, taking out loans and lines of equity on assets owned by someone else, and much more.
Organizations are at even more risk than individuals, because by necessity, they expose their employee's data to other employees and to their providers and partners, and they bear responsibility for the risk that this creates. The organization's HRIS management is responsible for this emerging liability, and must ensure that their companies are as safe and as prepared as possible.
The HRIS management must take into consideration the following security measures: ensuring up-to-date computer protection (including anti-virus, anti-spyware, wireless security, and other software solutions), creating information security policy (covering such issues as shredding of physical documents, tracking data in Social Security, medical, and financial databases, etc), performing credit monitoring (including alert services in the event of credit inquiries or changes), etc.
Identity provides the basis for access control decisions, and as such, the enterprise security architecture should reflect the quality of identity information on which it acts. Enterprise architects should report the rules, audit logs, filters, approvals, and delegations to which digital identities are subjected. These measures are chief informants to identity governance.
In order to develop an effective identity risk prevention strategy, an organization's HRIS department should use a set of standardized measurements (metrics). Identity risk metrics provide important analytical information which can be used by HRIS management in a number of different ways: from reporting historical data (historical analysis, dashboards, and forensics), to predictive modeling (forecasting, scenarios, planning support), to facilitating real-time decision making (fraud detection, alerts, and security events).
Identifying useful metrics requires collaboration among identity architects, directory architects, and identity management staff. To increase metrics efficiency, HRIS management should also involve development and operations staff.
Provisioning systems (which create, edit, and delete accounts), virtual directories (which broker queries for identity data across disparate repositories), and meta-directories (which consolidate policy and management across identity systems) are rich sources of metrics because they typically contain critical metadata about identity definition, locale, and status.
Typically, identity risk metrics include the following perspectives: Computer protection (system compliance, forensics data), The structure of identity information (identity repository size, secured objects), Process efficiency (authorization claims, sensitive claims, provisioning geodesics), Staff effectiveness (user account statistics, audit system usage, policy compliance), as well as Financial Perspective (return on security investment, collateral damage potential data, etc.).
Identity and security architects can use metric benchmarks to show the relative effectiveness of currently deployed security mechanisms and processes as well as to identify hot spots and areas for concern. Security decision makers often use metrics to drive prioritization, examine a deployment's feasibility, and support security architecture planning. Metrics also provide hard evidence of the existence, regular monitoring, and effectiveness of policy for either internal or external compliance audits.