ING Direct Australia overhauls access control

ING Direct Australia has completed a year-long overhaul of the identity management and access control system that governs user access to enterprise applications and systems.

Head of IT performance Tony Sestanovic told the Gartner Security and Risk Management Summit in Sydney yesterday that the new system had been applied to 30 Sarbanes-Oxley (SOX)-related applications with 1200 users in the first 90 days of operation.

A further 90 enterprise applications had since been added, he said.

Sestanovic said the firm undertook an internal risk assessment in late 2010 with the help of its IT security team.

The assessment identified employees with incorrect role-based permissions for access to internal systems and data.

The finding was subsequently tabled by ING’s audit firm and picked up and exposed by the Australian Prudential Regulatory Authority (APRA), which oversees regulations around access rights.

The firm started implementing SailPoint's IdentityIQ software in February 2011, about six months after the internal risk assessment. The rollout took over 12 months, finishing earlier this year.

The project became "an information exchange initiative across the entire organisation; from the guys using the facilities, to HR, through to all our business units," Sestanovic said.

"Even though IT kicked it off, this was not an IT-driven piece of work," he said.

Having “tackled the beast” for over a year, Sestanovic acknowledged it would have been easy for the company to “roll over” and walk away from the project.

“But we knew this wasn’t the right approach and would cause more issues and challenges in the future,” he said. 

Aside from addressing compliance and risk concerns, Sestanovic said the system made it easier to manage new requests for access to internal systems.

"For the first time for these key systems, people can see the access that their teams have got," he said.

"They know what's what and have the information at their fingertips."