Global Information Security Priorities and Identity Management

On November 14, 2006, Ernst & Young released their 2006 Global Information Security Survey: Achieving Success in a Globalized World. The following priorities and drivers were described in this report.

Five global priorities for information security:

  • Integrating Information Security with the Organization
  • Extending the Impact of Compliance
  • Managing the Risks of Third Party Relationships
  • Focusing on Privacy and Personal Data Protection
  • Designing and Building Information Security

Top three drivers for information security:

  1. Compliance
  2. Privacy and personal data protection
  3. Business objectives

An identity-based approach is essential to creating solutions that align with these priorities and drivers. Knowing and controlling who is accessing which information asset is at the core of any information security system. Identity-based systems deliver secure information systems through consistent, efficient, and auditable management of access to business assets and processes. Identity and Access Management are key solution components that align information technology solutions with the business and deliver results supporting these global infosec priorities and drivers.

Let's look at some of the items from this report in more detail.

Consistent and comprehensive identification and authentication is the first step to making business information systems and processes aware of who is accessing the business's assets and performing business processes. Once people are securely identified, including the association of roles with each identity, high-level access controls can secure access to applications, and application-level controls can secure specific assets and processes. Regulations and policies are implemented in the design of enterprise-level and application-level roles and rules. The security of these generic controls depends on the security of the identities associated with a given operation (transaction). The business lives on the actions of real people. Digital identity is the integrating concept that connects abstract policies and rules to real people doing their jobs and interacting with the diverse set of information technology components that make up an enterprise information system.

Regulatory compliance is implemented in the design of access roles and rules, and in comprehensive enforcement of those rules at every point of access to the relevant information assets.
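The two preceding paragraphs describe a layered design: authenticate the person, attach roles to the resulting identity, gate entry to applications by enterprise-level role, gate individual assets and actions by application-level rules, and record every decision so access is auditable. The following Python sketch is an added illustration of that layering; it is not code from the page's author or from the Ernst & Young report. The users, passwords, roles, applications, assets and rules are all constructed sample data, and the function names (`authenticate`, `authorize`, `request_access`) are my own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# ---- Identification and authentication -------------------------------------
# Constructed credential store: user -> (salt, PBKDF2 hash, assigned roles).
# Only salted hashes are kept; the plaintext passwords exist to build the sample.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, roles: Set[str]) -> Tuple[bytes, bytes, FrozenSet[str]]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt), frozenset(roles)

USERS = {  # constructed sample identities
    "alice": _make_user("alice-pw-sample", {"payroll_clerk"}),
    "bob": _make_user("bob-pw-sample", {"hr_manager"}),
    "carol": _make_user("carol-pw-sample", {"auditor"}),
}

@dataclass(frozen=True)
class Identity:
    """A securely identified person together with the roles assigned to them."""
    user_id: str
    roles: FrozenSet[str]

def authenticate(user_id: str, password: str) -> Optional[Identity]:
    """Return an Identity carrying its roles, or None if identification fails."""
    record = USERS.get(user_id)
    if record is None:
        return None
    salt, expected, roles = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    return Identity(user_id, roles)

# ---- Enterprise-level controls: which roles may enter which applications ----
APP_ACCESS: Dict[str, Set[str]] = {  # hypothetical role -> applications
    "payroll_clerk": {"hr_portal"},
    "hr_manager": {"hr_portal", "analytics"},
    "auditor": {"analytics"},
}

# ---- Application-level controls: which roles may perform which actions ------
# (application, asset, action) -> roles permitted; anything unlisted is denied.
ASSET_RULES: Dict[Tuple[str, str, str], Set[str]] = {  # hypothetical rules
    ("hr_portal", "salary_record", "read"): {"payroll_clerk", "hr_manager"},
    ("hr_portal", "salary_record", "update"): {"hr_manager"},
    ("analytics", "headcount_report", "read"): {"hr_manager", "auditor"},
}

AUDIT_LOG: List[dict] = []  # every decision, with the reason, for later review

def authorize(identity: Identity, app: str, asset: str, action: str) -> bool:
    """Enforce both control tiers and record the outcome with its reason."""
    allowed = False
    reason = "denied: no enterprise-level role grants entry to application"
    if any(app in APP_ACCESS.get(role, set()) for role in identity.roles):
        permitted = ASSET_RULES.get((app, asset, action))
        if permitted is None:
            reason = "denied: no rule covers this asset/action (default deny)"
        elif identity.roles & permitted:
            allowed, reason = True, "allowed by application-level rule"
        else:
            reason = "denied: role may enter application but not perform action"
    AUDIT_LOG.append({"user": identity.user_id, "roles": sorted(identity.roles),
                      "app": app, "asset": asset, "action": action,
                      "allowed": allowed, "reason": reason})
    return allowed

def request_access(user_id: str, password: str, app: str, asset: str, action: str) -> bool:
    """Full path for one transaction: identify the person, then apply the controls."""
    identity = authenticate(user_id, password)
    if identity is None:
        AUDIT_LOG.append({"user": user_id, "roles": [], "app": app, "asset": asset,
                          "action": action, "allowed": False,
                          "reason": "denied: authentication failed"})
        return False
    return authorize(identity, app, asset, action)

if __name__ == "__main__":
    request_access("alice", "alice-pw-sample", "hr_portal", "salary_record", "read")
    request_access("alice", "alice-pw-sample", "hr_portal", "salary_record", "update")
    request_access("carol", "carol-pw-sample", "hr_portal", "salary_record", "read")
    request_access("bob", "wrong-password", "analytics", "headcount_report", "read")
    for entry in AUDIT_LOG:
        print(entry["user"], entry["app"], entry["asset"], entry["action"], "->", entry["reason"])
```

Two design points carry the paragraph's argument. Every decision, including a failed login, lands in the audit record with the identity and the reason, which is what makes the controls reviewable for compliance rather than merely enforced. And because both tiers key off the roles carried by the authenticated identity, the strength of every downstream rule rests entirely on how trustworthy that identification step is, as the text says of the "security of the identities associated with a given operation".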