To Audit Your IAM Program

Transcription

1 Top Five Reasons To Audit Your IAM Program Best-in-class organizations are auditing their IAM programs - are you? focal-point.com

2 Introduction Stolen credentials are the bread and butter of today s hacker. In fact, 63% of confirmed data breaches last year resulted from weak, stolen, or default passwords - often obtained through simple phishing attacks. 1 The best way to mitigate this risk is through a robust, effective Identity Governance and Access Management (IAM) program, which can reduce the likelihood of breaches and can limit the damage should a hacker compromise a user account. A strong IAM program brings tangible value to an enterprise in many other ways as well from centralizing user provisioning and de-provisioning, to providing a more agile way to integrate acquired businesses, to enabling stronger and more fluid user-authentication mechanisms, and delivering a more streamlined approach to adding new applications. But these benefits, for many organizations, are never fully realized. Implementing an IAM platform is a complex undertaking, and because of this, many businesses fail to successfully build their program to maturity, never seeing its full benefits and failing to maximize their ROI. An audit of your IAM program can help your organization locate the pain points, highlight strategic areas for improvement, and chart a course toward better security and process efficiency. With these points in mind, we have detailed the top five reasons to conduct an independent IAM audit: Set a Baseline with an Independent Review of Your Current State Your IT department may be too close to your IAM program to provide an objective assessment, and those IT generalists likely lack the combination of audit and specific IAM architecture knowledge necessary to gauge the true effectiveness and maturity of your current program. In addition, their lack of independence can result in a biased assessment that may fail to recognize critical weaknesses. An independent auditor with extensive IAM architecture experience will be able to provide a more objective evaluation of the current state of your Identity and Access Management processes, controls, and supporting technologies. This evaluation can serve as a useful baseline from which you can build a long-term IAM strategy. 1 63% of confirmed data breaches last year resulted from weak, stolen, or default passwords Data Breach Investigations Report, Verizon. 2

3 Align your IAM Program to a Trusted Security Framework Take the frameworks you rely on in other parts of your business COBIT 5.0, ISO 27001/27002, and the NIST standards, for example and use them to assess your IAM program and its processes and controls. These frameworks ground the assessment in trusted security principles, and ensure that all findings are reliable and relatable across the organization. When combined with insight from proven IAM experts, an assessment against these standards can be the key to simplifying future compliance efforts. Grounded by the frameworks you trust, an IAM audit can ensure that your program is meeting the regulatory requirements specific to your industry, as well as the expectations of your business leaders. 2 Maturity Model: Based on ISO Level 0 = Incomplete Level 1 = Performed Level 2 = Managed Level 3 = Established Level 4 = Predictable Level 5 = Optimizing Example IAM Audit Maturity Scorecard 3

4 Save Money Through Efficiency and Reductions in Insurance Premiums The beauty of auditing your IAM program is that the cost savings realized as a result of the audit will often cancel out, and sometimes surpass, the cost of the audit. This is due to the fact that a robust IAM program will grant employees streamlined and hassle-free access to the data and information they need to perform their jobs fluidly and without interruption, increasing the productivity of your business operations and freeing your IT help desk from the burden of continuous employee access requests. In addition, you can save up to 20% off your annual premium for Cyber Liability and D&O Insurance by performing annual IAM audits that evaluate cyber security-related processes and controls. Check with your risk management professional to determine how much you can save. Justify IAM Investments and Strategy to Executive Management Getting buy-in from a non-technical C-suite to build on your IAM program can be difficult, but an audit and executive summary can synthesize your program in a way that executives can easily understand. The audit may validate your existing program, providing executives with assurance that your IAM program is well-designed and effective, saving the business money, securing access into critical systems, and providing continued return on investment going forward. If the audit reveals your program to be relying on manual processes, utilizing decentralized processes, containing disparate systems, inconsistent compliance to access policies resulting in inefficiencies or prone to security vulnerabilities, executive management will be provided with a prioritized list of improvements and investments to elevate the program and start reaping the benefits of maturity. This evaluation and roadmap can provide Security and IT departments with the ammunition they need to secure funding for their strategic IAM activities. 3 4 The beauty of auditing your IAM program is that the cost savings as a result of the audit will often cancel out, and sometimes surpass, the cost of the audit. 4

5 Find Potential Security Vulnerabilities 5 Your Identity Governance and Access Management system should be a critical defense mechanism in your data protection efforts. But an IAM program that is not fully utilized or properly maintained can introduce weaknesses that could lead to compromise of your most sensitive data assets. An IAM maturity audit will provide a high-level overview of these weaknesses and give recommendations for closing any gaps that may exist in your IAM systems. In addition, a full IAM audit will assess the system-tosystem authentication methods in place to ensure that your systems are securely integrated and that vulnerabilities are understood. STRONG IAM DISRUPTS DATA BREACHES Phishing attachment link Role-based permissions restrict user access to only necessary data. This makes it much more difficult for thieves to navigate within your systems. User desktop Malware installation Proper credential management will require multi-factor authentication for sensitive data, stopping thieves in their tracks. Steal credentials IAM Use of stolen credentials Direct install malware Backdoor, C2, Ram scraper, Export data 5

6 About Focal Point Focal Point Data Risk is a new type of risk management firm, one that delivers a unified approach to addressing data risk through a unique combination of service offerings. Focal Point has brought together industry-leading expertise in cyber security, identity governance and access management, data privacy and analytics, internal audit, and hands-on training services, giving companies everything they need to plan and develop effective risk and security programs. By integrating these services, we provide our clients with the flexible support they need to protect and leverage data across any part of their organization. Simply put, Focal Point is the next generation of risk management. focal-point.com // // info@focal-point.com Focal Point Data Risk is a registered trademark of Focal Point Data Risk, LLC.