Was it lack of governance at Societe Generale that allowed rogue trader to do harm?

* How much Governance, Risk Management, Compliance did Societe Generale have?

The recent Societe Generale trading scandal is being portrayed by many as another example of the poor security that passwords provide (see, for example, "Forgotten IT chores may have led to bank meltdown"). But digging further into the tale of "rogue" trader Jerome Kerviel reveals another distinctly plausible cause of the problem.

It’s been reported that oversight and risk management were in short supply at the French banking concern, but - as a number of correspondents have pointed out to me - governance, the “G” in GRC (Governance, Risk Management, Compliance), was most likely the major cause of Kerviel’s ability to bypass what little security was in place.

In fact, he really didn’t “bypass” any security as far as we know. He did use multiple passwords and accounts (which, evidently, were traded among the traders willy-nilly), but the real “secret” to the scandal was the amount of entitlements that Kerviel built up as he moved from one position to another, and from one department to another.

Calum Macleod, Cyber-Ark European director said: “It seems our Mr. Kerviel had knowledge from six years in Societe Generale's back office. Apparently he had to ‘breach five levels of controls to get away with his trades’ according to a bank spokesman - [a] piece of cake for anyone with privileged access!”

As BHOLD director Maarten Stultjens pointed out: “Kerviel, over his years working at Societe Generale, had access to many different systems and gathered numerous authorizations without losing any. In the end, he was able to approve his own actions and that is the bank’s responsibility.”

Privilege control, entitlement management, context-based authorization (e.g., when and where were those trades made), separation of duties (so that traders have their “back room” access removed) – they’re all part of the governance that wasn’t done at Societe Generale, but had better be done in your organization. If you don’t have systems in place, if you don’t have projects rolling out, then you’d better get to work before you’re faced with the catastrophic losses that get your organization’s name in headlines all over the world as the latest scandal du jour.
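To make the failure mode concrete, here is an added example (not Societe Generale’s, IBM’s, BHOLD’s or Cyber-Ark’s code) of the kind of access-review check the column is calling for. The role names, entitlement names, the separation-of-duties conflict pairs and the user history are all constructed for illustration; a real bank would derive them from its own control framework. The two walkthroughs contrast a role change that grants the new role’s entitlements without revoking the old ones (the accumulation described above) with a role change that recertifies the identity against its new role.

```python
"""
Entitlement-accumulation and separation-of-duties (SoD) review.

Added illustration, not code from any bank or vendor named in the column.
Roles, entitlement names, SoD conflict pairs and the sample identity are
constructed for the example (assumptions, not a real control framework).
"""
from dataclasses import dataclass, field

# Constructed role model: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "back_office_control": {"trade_view", "trade_confirm", "limit_override"},
    "middle_office_risk": {"trade_view", "risk_report"},
    "front_office_trader": {"trade_view", "trade_enter", "trade_cancel"},
}

# Constructed SoD policy: entitlement pairs one identity must never hold together.
SOD_CONFLICTS = [
    frozenset({"trade_enter", "trade_confirm"}),   # enter and confirm own trades
    frozenset({"trade_enter", "limit_override"}),  # trade and lift own limits
]


@dataclass
class Identity:
    name: str
    current_role: str
    entitlements: set = field(default_factory=set)
    history: list = field(default_factory=list)  # roles previously held, oldest first


def move_without_revocation(identity: Identity, new_role: str) -> None:
    """The failure mode: grant the new role's entitlements and revoke nothing."""
    identity.history.append(identity.current_role)
    identity.current_role = new_role
    identity.entitlements |= ROLE_ENTITLEMENTS[new_role]


def move_with_recertification(identity: Identity, new_role: str) -> None:
    """The control: the entitlement set is reset to what the new role needs."""
    identity.history.append(identity.current_role)
    identity.current_role = new_role
    identity.entitlements = set(ROLE_ENTITLEMENTS[new_role])


def stale_entitlements(identity: Identity) -> set:
    """Entitlements not justified by the current role, i.e. carried over from past roles."""
    return identity.entitlements - ROLE_ENTITLEMENTS[identity.current_role]


def sod_violations(identity: Identity) -> list:
    """SoD conflict pairs that are fully present in the identity's entitlement set."""
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= identity.entitlements]


def review(identity: Identity) -> dict:
    """Access-review findings for one identity, shaped for a ticket or report."""
    return {
        "identity": identity.name,
        "current_role": identity.current_role,
        "stale": sorted(stale_entitlements(identity)),
        "sod_violations": sod_violations(identity),
    }


def _fresh_identity() -> Identity:
    # Constructed identity that starts in the back office, as in the column.
    return Identity("constructed_user", "back_office_control",
                    set(ROLE_ENTITLEMENTS["back_office_control"]))


def demo_without_revocation() -> dict:
    """Back office -> risk -> trading desk, keeping every entitlement along the way."""
    u = _fresh_identity()
    move_without_revocation(u, "middle_office_risk")
    move_without_revocation(u, "front_office_trader")
    return review(u)


def demo_with_recertification() -> dict:
    """Same career path, with entitlements recertified at each move."""
    u = _fresh_identity()
    move_with_recertification(u, "middle_office_risk")
    move_with_recertification(u, "front_office_trader")
    return review(u)


if __name__ == "__main__":
    print(demo_without_revocation())
    print(demo_with_recertification())
```

Run as a script, the first review reports three stale entitlements and two SoD conflicts for the trader who was never deprovisioned; the second reports none. The same `review` function can be run over a whole identity store on a schedule, which is the recurring access-review step that turns this from a one-off check into governance.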

IBM’s white paper “Effectively manage access to systems and information to help optimize integrity and facilitate compliance” might be useful to you (warning: registration required). Or check the other entitlement management resources list here and see what you may have been missing!

Copyright © 2008 IDG Communications, Inc.
