
Identity and Access Management
IIA Detroit Chapter Dinner Meeting, VisTaTech Conference Center, January 8, 2008
Stuart McCubbrey, Director, Information Technology Audit, General Motors Corporation
Sajai Rai, Partner, Advisory Solutions Practice, Ernst & Young LLP

Agenda
- Introduction
- Business Drivers
- Identity and Access Management Background
- Key Concepts
  - Identity Management vs. Entitlement Management
  - Identity Components
  - Access Rights and Entitlements
  - Provisioning Process
  - Administration of Identities and Access Rights Process
  - Enforcement Process
  - Use of Technology
- The Role of Internal Auditors: Identifying Key Risks and Controls

Business Drivers
Identity and Access Management touches the entire business and is a mix of technology and process.
Key drivers:
- Reduced information security risks
- Reduced IT operating and development costs
- Improved operating efficiencies and transparency
- Improved user satisfaction
- Increased effectiveness of key business initiatives
- Improved regulatory compliance

Identity and Access Management Background
Three key questions:
- Who has access to what information?
- Is that access appropriate?
- Are access and activity logged and appropriately monitored?
Adoption risks:
- Organizational complacency
- Participation, planning and communication
- Incorporation of all systems into the process
- Process complexity
- Weak process
- Lack of enforcement

Key Concepts: Identity Management vs. Entitlement Management
(Diagram: the Identity and Access Management process shown as three groups of activities, Provision, Administer and Enforce, spanning identity and access and sitting over the information systems and data.)
- Provision: request, validate, approve, propagate, communicate
- Administer: monitor, manage passwords, audit and reconcile, administer policies, strategize, manage systems
- Enforce: authenticate, authorize, log activity
- Information systems and data

Key Concepts: Identity Components
Identity:
- Identity types: individual users and machine accounts
- Identity onboarding
- Identity offboarding
Access rights and entitlements:
- Entitlement changes
- Privileged account management
- Segregation of duties

User Provisioning Process
Request -> Approve (through the approval hierarchy) -> Propagate -> Communicate -> Log
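The request, approve, propagate, communicate and log steps above, with an approval hierarchy and a segregation-of-duties check applied before any approver is asked, as an added example written for this page (not the presenters' material or any product's code). The role names, the SoD conflict pairs, the approver titles and the user names are assumptions made up for illustration:

```python
"""Access-request workflow: Request -> Approve -> Propagate -> Communicate -> Log.

Added illustration; the roles, SoD pairs, approver titles and names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed SoD conflict pairs: one person must never hold both roles.
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
}

# Constructed approval hierarchy: approver titles required for a role, in order.
APPROVAL_HIERARCHY: Dict[str, List[str]] = {
    "AP_CREATE_VENDOR":   ["supervisor"],
    "AP_APPROVE_PAYMENT": ["supervisor", "ap_data_owner"],
    "GL_POST_JOURNAL":    ["supervisor"],
    "GL_APPROVE_JOURNAL": ["supervisor", "controller"],
    "REPORT_VIEW":        ["supervisor"],
}


@dataclass
class AccessRequest:
    user: str
    role: str
    requester: str
    approvals: List[Tuple[str, str]] = field(default_factory=list)  # (title, approver)
    status: str = "requested"


class ProvisioningEngine:
    def __init__(self, entitlements: Dict[str, Set[str]]):
        self.entitlements = entitlements      # user -> roles already held on target systems
        self.log: List[dict] = []             # every step is logged, including rejections
        self.notices: List[str] = []          # "communicate" step: messages to user and requester

    def sod_conflicts(self, user: str, role: str) -> Set[str]:
        """Roles the user already holds that conflict with the requested role."""
        return {r for r in self.entitlements.get(user, set())
                if frozenset({r, role}) in SOD_CONFLICTS}

    def request(self, user: str, role: str, requester: str) -> AccessRequest:
        req = AccessRequest(user, role, requester)
        conflicts = self.sod_conflicts(user, role)
        if conflicts:
            # Preventive control: refuse at the front end, before any approver is asked.
            req.status = "rejected_sod"
            self._log(req, "rejected", f"SoD conflict with {sorted(conflicts)}")
        else:
            self._log(req, "requested")
        return req

    def approve(self, req: AccessRequest, title: str, approver: str) -> AccessRequest:
        if req.status != "requested":
            raise ValueError(f"request is {req.status}; cannot approve")
        if approver == req.user:
            raise ValueError("self-approval is not permitted")
        needed = APPROVAL_HIERARCHY[req.role]
        expected = needed[len(req.approvals)]
        if title != expected:
            raise ValueError(f"next approval must come from {expected}, not {title}")
        req.approvals.append((title, approver))
        self._log(req, "approved", f"{title}={approver}")
        if len(req.approvals) == len(needed):   # hierarchy complete: push to target systems
            self._propagate(req)
        return req

    def _propagate(self, req: AccessRequest) -> None:
        self.entitlements.setdefault(req.user, set()).add(req.role)
        req.status = "provisioned"
        self._log(req, "propagated")
        self.notices.append(f"to {req.user}: role {req.role} has been granted")
        self.notices.append(f"to {req.requester}: request {req.user}/{req.role} is complete")

    def _log(self, req: AccessRequest, event: str, detail: str = "") -> None:
        self.log.append({"user": req.user, "role": req.role, "event": event,
                         "detail": detail, "approvals": list(req.approvals)})


if __name__ == "__main__":
    eng = ProvisioningEngine({"jsmith": {"AP_CREATE_VENDOR"}})
    print(eng.request("jsmith", "AP_APPROVE_PAYMENT", "mjones").status)   # rejected_sod
    r = eng.request("jsmith", "REPORT_VIEW", "mjones")
    print(eng.approve(r, "supervisor", "mjones").status)                  # provisioned
    for line in eng.notices:
        print(line)
```

Two points of the design: the SoD check runs against what the user already holds, so a conflict is rejected before it ever reaches the approval hierarchy, and nothing is propagated until every level of that hierarchy has signed off, with the requester never able to approve for the user being provisioned.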

Administration
IAM strategy components and process activities:
- Periodic audit: segregation of duties, entitlement review
- Policy administration: creation of an IAM policy if non-existent, periodic update of IAM policies
- IAM system administration: manage processes and systems
- End-user password administration: creation and communication of initial passwords, resetting lost or stolen passwords, managing password complexity
- Reporting: lists of identities and accesses for review, approval lists, lists of group and supervisory accounts

Enforcement Process
- Authenticate: "Who are you?" "I am jsmith123." "Yes, your credentials support that claim."
- Authorize
- Log access
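The three enforcement steps as working code, added for this page and not taken from the presentation: a salted password hash with a constant-time comparison for the "do your credentials support that claim" step, a deny-by-default authorization check against explicit entitlements, and an audit log that records who, what and the decision without ever recording the credential. The identity store, the passwords, the resource names and the jsmith123/tleft entries are constructed for illustration:

```python
"""Enforcement: Authenticate -> Authorize -> Log activity.

Added illustration; the identity store, credentials and entitlements are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as salthex$digesthex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


# Constructed identity store: credential hash, status, and entitlements (resource:action).
IDENTITIES: Dict[str, dict] = {
    "jsmith123": {"pw": hash_password("correct horse"), "active": True,
                  "entitlements": {"payroll:read"}},
    "tleft":     {"pw": hash_password("old pass"), "active": False,     # offboarded, not yet purged
                  "entitlements": {"payroll:read", "payroll:write"}},
}
_DUMMY_HASH = hash_password("placeholder")   # unknown IDs cost the same time as known ones

AUDIT_LOG: List[dict] = []


def log_event(identity: str, event: str, target: str, outcome: str) -> None:
    # Who, what, on which resource, and the decision. The credential itself is never written.
    AUDIT_LOG.append({"ts": time.time(), "identity": identity, "event": event,
                      "target": target, "outcome": outcome})


def authenticate(claimed_id: str, password: str) -> Optional[str]:
    """'Who are you?'  'I am jsmith123.'  -> do the credentials support that claim?"""
    rec = IDENTITIES.get(claimed_id)
    ok = verify_password(password, rec["pw"] if rec else _DUMMY_HASH)
    if rec is not None and rec["active"] and ok:
        log_event(claimed_id, "authn", "-", "success")
        return claimed_id
    log_event(claimed_id, "authn", "-", "failure")   # disabled accounts fail like wrong passwords
    return None


def authorize(identity: str, resource: str, action: str) -> bool:
    """Deny by default: allow only when an explicit entitlement matches."""
    allowed = f"{resource}:{action}" in IDENTITIES[identity]["entitlements"]
    log_event(identity, "authz", f"{resource}:{action}", "allow" if allowed else "deny")
    return allowed


def access(claimed_id: str, password: str, resource: str, action: str) -> str:
    """The three enforcement steps in order; every outcome leaves a log record."""
    identity = authenticate(claimed_id, password)
    if identity is None:
        return "authentication failed"
    if not authorize(identity, resource, action):
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    print(access("jsmith123", "correct horse", "payroll", "read"))    # ok
    print(access("jsmith123", "correct horse", "payroll", "write"))   # forbidden
    print(access("tleft", "old pass", "payroll", "write"))            # authentication failed
    for entry in AUDIT_LOG:
        print(entry)
```

Note the offboarded account: its password still verifies, but the active flag turns the claim down and the log shows the attempt, which is the record an access review later depends on.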

Use of Technology in Identity and Access Management
Provisioning process:
- Request forms and workflow capabilities
- Communication of changes
- Generation of initial passwords
- Segregation of duties analysis
Enforcement process:
- Authentication
- Authorization
- Logging and reporting: create logs of use, generate reports of users with access
- Single sign-on
- Remote access

The Role Of Internal Audit In Assessing IAM

Assessing Inherent Risk: Four Foundational Questions
- Can all users accessing any system be uniquely identified?
- As a supervisor, do you know all the systems your employees have access to?
- Are all roles that create segregation of duties conflicts identified, and do you know who can use them?
- When Human Resources exits employees from the organization, is all system access terminated?
Show of hands: who can confidently answer "yes" to all four questions? Yes: apply your audit resources elsewhere. No: there is risk to assess.

Assessing Inherent Risk: Why is IAM important?
IAM is central to the confidentiality and integrity of business information. Information security is commonly defined as protecting the confidentiality, integrity and availability of business information; IAM directly covers the C and the I, and indirectly even the A.
It applies to:
- The information element itself
- Credentials to access the information
- System software that hosts the information
- Application transactions that can allow access
Do you care who can view and change your business information? Of course you do: your company's success depends on it.

Assessing Inherent Risk: Why is IAM important? Regulatory compliance
If IAM is linked to information security, then multiple laws and regulations apply: Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, various privacy laws, etc.
Companies have received SOX significant deficiencies for access control deficiencies. (STATS??)
Ten years ago: a big collective yawn from management. Today: public disclosure of control weaknesses.

Assessing Inherent Risk: Why is IAM so problematic?
Proliferation of identities required:
- Number of applications (GM has over 2,500)
- Number of different platforms hosting applications and devices: mainframe, Windows, UNIX, Cisco, VPN, etc.
- Number of non-employee users: suppliers, dealers, joint ventures, consumers, outsourced providers, etc.
- Human beings and programs
- Varying levels of access required, from limited view access to full administrative control
This is a bigger risk issue for larger, decentralized companies. In 1989, I had one ID and password to log onto the mainframe; that changed with PC and server platforms.

Assessing Inherent Risk: Why is IAM so problematic?
(Chart: circle diagram of the layers of IT.)

Assessing Inherent Risk: The Big Picture
Assess IAM risk in terms of people, process and technology.
People: any process or technology is going to be executed by human beings.
- Are people aware of policies and processes?
- Are those policies and processes clear and effectively communicated?
- Are there specific management control expectations?
- Are there consequences for non-compliance? Accountability without consequences is meaningless.
The problem is rarely access change requests not being processed; more often they were never submitted.

Assessing Inherent Risk: The Big Picture
Process: is everybody on the same page?
- Is there a common understanding of how to add, change and delete identities and access levels? If not, execution will be all over the map.
- Are the processes documented?
- Are the processes manual-intensive? If so, they are very people-dependent and prone to error and/or non-performance.
- How global, common and standard are the processes?

Assessing Inherent Risk: The Big Picture
Technology: is it there?
- Are there multiple directories holding access data (identities, authentication credentials, authorization levels)? Are they linked at all?
- Is there any automated workflow in the various access add/change/delete processes, or is it all manual?
- Are there usable reports for data owners to conduct periodic access reviews?
You can't control what you don't know.

Assessing Controls: Key Control Themes
Prevention vs. detection
- Sure, you need periodic access reviews, but they are after the fact, typically manually intensive, and resisted by system owners.
- Focus on controls at the front end of the add-change-delete access process: Are SoD conflicts and business need truly assessed before access is granted? Are there links between Human Resources processes and systems and the downstream systems that must revoke access?
- A controlled process at the start should mean cleaner access reviews later on.

Assessing Controls: Key Control Themes
Use layers to your advantage
- When users leave, ensure the front doors are shut first: network, e-mail, VPN.
- That mitigates the risk of unauthorized external access; revocation of internal application access can be worked next.
- With internal application access, the risk is narrowed to users with existing access using inactive accounts.

Assessing Controls: Key Control Themes
Data cleansing: is management addressing dirty data?
- Identify and remediate duplicate IDs. How can you have accountability if you can't link access activity to a specific human being or program?
- Identify and remove application segregation of duties conflicts.
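The four foundational questions, the HR-to-downstream-system link under prevention vs. detection, and the data cleansing theme above all come down to the same reconciliation an auditor can script: join the account extracts from each platform to the HR roster and list what does not line up. The following is an added example written for this page, not the presenters' material or any product's report; the HR feed, the account extracts, the platform names, the roles and the SoD conflict pairs are constructed for illustration:

```python
"""Reconcile system account extracts against the HR roster.

Added illustration; the HR feed, the account extracts and the SoD pairs are constructed.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed HR feed: one row per employee.
HR_FEED = """employee_id,name,status,supervisor,term_date
E100,Jane Smith,active,E900,
E101,Tom Left,terminated,E900,2007-12-14
E102,Ann Doe,active,E901,
"""

# Constructed account extracts from several platforms. owner = HR employee id, blank if
# nobody has claimed the account; roles are separated by '|'.
ACCOUNT_EXTRACT = """system,account,owner,enabled,roles
mainframe,JSMITH,E100,Y,AP_CREATE_VENDOR
mainframe,JSMIT2,E100,Y,AP_APPROVE_PAYMENT
windows,jsmith,E100,Y,
vpn,tleft,E101,Y,
windows,tleft,E101,N,
erp,adoe,E102,Y,GL_POST_JOURNAL|GL_APPROVE_JOURNAL
erp,batch01,,Y,GL_POST_JOURNAL
"""

# Constructed SoD conflict pairs.
SOD_CONFLICTS = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
}


def load(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows: List[dict], acct_rows: List[dict]) -> Dict[str, List[str]]:
    hr = {r["employee_id"]: r for r in hr_rows}
    findings: Dict[str, List[str]] = defaultdict(list)
    systems_by_person = defaultdict(set)           # Q2: what each supervisor needs to see
    accounts_by_person_system = defaultdict(list)  # Q1: duplicate IDs on one platform
    roles_by_person = defaultdict(set)             # Q3: SoD across all of a person's accounts

    for a in acct_rows:
        owner, enabled = a["owner"], a["enabled"] == "Y"
        if owner not in hr:
            # Q1: an account nobody can be held accountable for (blank or unknown owner).
            findings["orphan_accounts"].append(f'{a["system"]}/{a["account"]}')
            continue
        if enabled and hr[owner]["status"] == "terminated":
            # Q4: the HR exit never reached this system.
            findings["terminated_still_enabled"].append(
                f'{a["system"]}/{a["account"]} ({owner}, left {hr[owner]["term_date"]})')
        if enabled:
            systems_by_person[owner].add(a["system"])
            accounts_by_person_system[(owner, a["system"])].append(a["account"])
            roles_by_person[owner].update(r for r in a["roles"].split("|") if r)

    for (owner, system), ids in accounts_by_person_system.items():
        if len(ids) > 1:
            findings["duplicate_ids"].append(f"{owner}@{system}: {sorted(ids)}")

    # SoD is judged on the union of a person's roles: each duplicate mainframe ID is clean
    # on its own, and the conflict only appears once both are tied to the same human.
    for owner, roles in roles_by_person.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings["sod_conflicts"].append(f"{owner}: {sorted(pair)}")

    for emp, systems in systems_by_person.items():
        findings["supervisor_view"].append(f'{hr[emp]["supervisor"]} -> {emp}: {sorted(systems)}')

    return dict(findings)


if __name__ == "__main__":
    for kind, items in reconcile(load(HR_FEED), load(ACCOUNT_EXTRACT)).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The point the sample data makes is the one the slides make: the terminated user's Windows account was disabled but the VPN front door was left open, the batch account has no owner to hold accountable, and the segregation-of-duties conflict is invisible while each mainframe ID is reviewed on its own and only shows once duplicate IDs are linked back to one person.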

Assessing Controls: Key Control Themes
Reduced sign-on (let's not call it single sign-on just yet)
- As you reduce the distinct number of identities required, you reduce the potential points of control failure.
- Have applications use central authentication sources (e.g., LDAP directories, Active Directory).
- Synchronize passwords between applications.
- Start to unwind the complexity.

Assessing Controls: Key Control Themes
User education and awareness: usually the most cost-effective control
- Do employees know the true cost of uncontrolled access? Can you make them care?
- Do they want to do the right thing but just don't know how?
- Does an Information Security Awareness Program exist, and does it address access risks?

Reference: GTAG 9, Identity and Access Management (The IIA's Global Technology Audit Guide series)

Questions and Answers