
ING Direct tackles rogue user permissions

http://en.wikipedia.org/wiki/ING_Group

ING Direct is not a typical bank in that it has no branches, but it still has over 1200 employees — enough to make access control an issue, if it is not managed correctly.

Speaking at the Gartner Security and Risk Management Summit in Sydney this week, ING Direct head of IT performance Anthony Sestanovic outlined the bank's process in establishing its first access control framework.

Following an internal assessment by ING Direct's IT security and information risk management teams, the bank identified that certain members of staff had access to systems that they didn't need and, because it had no access control framework, the business had close to zero visibility over who had access to what. "For a company of about 1000 people, we had about 300 business roles and 900 [Active Directory] permissions. For 1000 people, [it's] absolutely crazy. How do you manage that?" Sestanovic said.