As the author of this post points out, there have been a number of articles on WikiLeaks, but one point raised in the posting that I would like to focus on is that relying on process as the sole means of compliance is usually not enough.
To add insult to injury, State Department personnel admitted that user management was out of control, particularly outside of the State Department. You see, the State Department took a distributed security approach for the Net-Centric Diplomacy database and designated persons at other entities to manage their own users.
Unfortunately, it appears that there was no oversight of these people, nor was there a requirement for them to justify why all of their users required access. This distributed data security approach is very common in the business world.
In large organizations, as the author points out, this approach is quite common. It starts when the organization’s IT or Information Governance function tells the business divisions to come up with their own process for granting user access to various applications, systems, and so on. The divisions do this and obtain sign-off. The divisions inevitably encounter sticky situations and ask for guidance from the IT/Information Governance function. They are told either (1) it’s your responsibility to manage user access in accordance with your policy, so you make the decision, or (2) create an exceptions process.
Either way, the message is sent that IT/Information Governance isn’t to be bothered. Over time, the process becomes useless and everyone is granted access, resulting in a mess that surfaces as an audit finding or, as in the WikiLeaks case, as a leak.
Oversight on an ongoing basis is necessary. The IT/Information Governance function needs to have its sleeves rolled up and its hands in the business. Spouting requirements from the ivory tower and believing you can achieve compliance through process alone will not work.
Your IT/Information Governance function needs to be viewed as an active participant, and this is best achieved by it actually being one. It must also perform regular assurance testing: periodically pull the access lists from the delegated administrators, check that every grant carries a business justification, and confirm that the grants have been recertified by the data owner within the agreed review window.
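The kind of assurance check described above, as an added example that is not part of the original post or of any State Department tooling. It runs over a constructed access export (hypothetical user names, a hypothetical system label `ncd-db`, and hypothetical delegated-administrator accounts) and flags the three failure modes the post describes: grants with no recorded justification, grants that have not been recertified within the review window, and delegated administrators who have approved more grants than their agreed ceiling. The review-window and per-administrator thresholds are assumptions, not figures from the post.

```python
"""Access recertification check over a constructed user-access export.

Added example; the grants below are constructed and hypothetical.
Flags: missing justification, stale recertification, and delegated
administrators exceeding an agreed grant ceiling.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessGrant:
    user: str
    system: str
    granted_by: str       # delegated administrator who approved the grant
    justification: str    # business reason recorded when access was granted
    last_reviewed: date   # date the data owner last recertified the grant


# Constructed sample export: names, system label and dates are hypothetical.
SAMPLE_GRANTS = [
    AccessGrant("alice", "ncd-db", "admin-ext-1", "embassy reporting", date(2010, 12, 20)),
    AccessGrant("bob",   "ncd-db", "admin-ext-1", "",                  date(2010, 12, 20)),
    AccessGrant("carol", "ncd-db", "admin-ext-1", "regional analysis", date(2010, 6, 1)),
    AccessGrant("dave",  "ncd-db", "admin-ext-1", "liaison duties",    date(2011, 1, 2)),
    AccessGrant("erin",  "ncd-db", "admin-ext-1", "   ",               date(2011, 1, 2)),
    AccessGrant("frank", "ncd-db", "admin-ext-1", "training",          date(2011, 1, 10)),
    AccessGrant("grace", "ncd-db", "admin-hq-1",  "desk officer",      date(2011, 1, 5)),
]

# Hypothetical date on which the assurance review is run.
REVIEW_DATE = date(2011, 1, 15)


def review_access(grants, today, max_review_age_days=90, max_grants_per_admin=5):
    """Return a list of (finding, subject, detail) tuples.

    Thresholds are assumptions: a 90-day recertification window and a
    ceiling of 5 active grants per delegated administrator.
    """
    findings = []
    for g in grants:
        # A grant with only whitespace as its justification is as bad as none.
        if not g.justification.strip():
            findings.append(("MISSING_JUSTIFICATION", g.user,
                             f"{g.system} granted via {g.granted_by}"))
        age_days = (today - g.last_reviewed).days
        if age_days > max_review_age_days:
            findings.append(("STALE_REVIEW", g.user,
                             f"{g.system} last recertified {age_days} days ago"))

    # Delegated administrators who have approved more grants than agreed;
    # this is where unmanaged sprawl shows up first.
    per_admin = Counter(g.granted_by for g in grants)
    for admin, count in sorted(per_admin.items()):
        if count > max_grants_per_admin:
            findings.append(("ADMIN_OVER_CEILING", admin,
                             f"{count} active grants, ceiling {max_grants_per_admin}"))
    return findings


def findings_by_kind(findings):
    """Group finding subjects by finding type, preserving report order."""
    grouped = defaultdict(list)
    for kind, subject, _detail in findings:
        grouped[kind].append(subject)
    return dict(grouped)


if __name__ == "__main__":
    for kind, subject, detail in review_access(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{kind:22} {subject:12} {detail}")
```

Run against the constructed export, the check reports two grants with no justification, one grant not recertified within the window, and one delegated administrator over the ceiling; a real deployment would feed it the actual exports from each delegated administrator on a fixed schedule and track whether each finding is closed.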