Top Reasons To Audit An IAM Program
Bryan Cook, Focal Point Data Risk

Focal Point Data Risk: A New Type of Risk Management Firm

The facts:
- Born from the merger of three leading security and risk management firms: Sunera, ANRC and APTEC
- A collaboration of industry-leading expertise in cyber security, identity governance and access management, data privacy and analytics, internal audit, and hands-on training services
- 17 offices in the US and Canada
- Over 400 FTEs with more than 30 different industry certifications
- Largest pure-play risk management firm focused exclusively on helping organizations protect and leverage their data
- We are the next generation of risk

Identity and Access Management (IAM)

IAM automates the processes associated with granting employees and third parties access to critical systems. It is a set of processes and a supporting infrastructure for the creation, maintenance and use of digital identities.

- Involves people, process and technology
- Applies to internal and external users
- Enforces the principle of least privilege
- Provides a manageable account lifecycle for every user
- Grants access to applications based on role and policy
- Supports regulatory requirements

IAM Overview

Directory Services: components that store and manage user identity in a structured format and synchronize identity data and attributes with other systems.
- LDAP directory services
- Virtual directory services
- Network operating system directory (Active Directory)

Access Management: authentication and authorization of users to applications based on roles, rules and policies.
- Web Single Sign-On (Web SSO)
- Federated authentication
- Role Based Access Control (RBAC)

Provisioning: automation of the processes that give users the resources they need, at the appropriate level of authorization, to perform their role in the organization.
- Workflow-based provisioning and de-provisioning of accounts and entitlements
- Password management and self-service
- Auditing and reporting

Business Objectives
- Simplify administration
- Increase security
- Achieve regulatory compliance
- Increase user satisfaction and productivity
- Measure and manage cost
- Make the infrastructure responsive to new business requirements

Why is it Important?

Security is crucial
- Fragmented implementation and operations increase risk
- Intellectual property is extremely valuable
- Institutions are popular targets for breaches and data losses

Compliance is not optional
- SOX, HIPAA, FERPA, FISMA, and now GDPR are the law

Cost containment is a reality
- Need to provide high levels of value while managing operations costs

Positive user experience is necessary
- Seamless access to applications and resources across departments, divisions and locations
- Ease of credential management; move to one ID / one password

Extending services means happier affiliates
- Improved speed of deployments promotes a more productive environment and enhances institutional reputation

The Risks

63% of 2,260 confirmed data breaches leveraged weak, default, or stolen passwords. Captured credentials remain the most efficient and least-detected technique for compromising an enterprise.

Sources: Verizon DBIR 2016, M-Trends 2016, Cisco 2016 Midyear Security Report

Cyber Criminals Compromise Weak Security

Top Reasons to Perform an IAM Audit
- Evaluate the current state of your identity and access management (IAM) processes, controls, and supporting technologies
- Benchmark your current processes and controls against best practices and accepted frameworks
- Provide documentation and rationale for budget approval
- Provide executive management with assurance over the current IAM program
- Baseline your current environment and track progress over time using repeatable and customizable audits

IAM Assurance Domains
- Risk Assessment
- IAM Policies and Procedures
- Exemptions from IAM Policies
- Technical Standards and Safeguards
- IAM Strategy
- Central Authentication System
- Authentication Practices
- Identity Repository
- Unique Identity
- Access Policy
- User Provisioning
- User Termination and Transfer
- Single Sign-On (SSO)
- Federated IAM (if used)

Audit Methodology

Audit programs should be based on best practices and aligned to leading standards and frameworks in the governance and security space.

Control Example

Control: The organization has defined a trusted source for all identity verification, usually HR and the HR employee database.

Framework mapping:
- COBIT 5.0: DSS05.04 (Manage User Identity and Logical Access)
- NIST SP 800-53 r4: IA-2 (Identification and Authentication)
- ISO/IEC 27001:2013: A.9.2 (User Access Management)

The audit test for this control is a reconciliation: every directory account should map to exactly one record in the HR source, and accounts whose HR record is terminated should no longer be enabled.
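One way to test the control above, and with it the Unique Identity, Access Policy and User Termination and Transfer assurance domains, is to reconcile a directory account export against the HR source. The script below is an added example written for this page, not Focal Point material. It assumes the directory export carries an employeeID attribute linking each account to an HR record (the linkage the control requires); the HR roster, the directory export, the department-to-group role map and the audit date are all constructed sample data.

```python
"""Reconcile a directory account export against the HR trusted source.

Added audit-test example, not from the Focal Point slides. Assumes each
directory account carries an employeeID attribute pointing at an HR record.
All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

AUDIT_DATE = date(2018, 6, 30)      # assumed "as of" date for the review
STALE_AFTER = timedelta(days=90)    # assumed inactivity threshold

# Constructed HR extract: the trusted source for identity verification.
HR_ROSTER = [
    {"employee_id": "E1001", "name": "Ana Ruiz",   "status": "active",     "dept": "Finance"},
    {"employee_id": "E1002", "name": "Ben Okafor", "status": "terminated", "dept": "IT",
     "term_date": date(2018, 5, 2)},
    {"employee_id": "E1003", "name": "Chen Wei",   "status": "active",     "dept": "Sales"},  # moved from IT
    {"employee_id": "E1004", "name": "Dee Patel",  "status": "active",     "dept": "IT"},
]

# Constructed directory export (what an LDAP or Active Directory dump would give).
DIRECTORY = [
    {"account": "aruiz",      "employee_id": "E1001", "enabled": True, "last_logon": date(2018, 6, 28),
     "groups": {"Finance-Users"}},
    {"account": "bokafor",    "employee_id": "E1002", "enabled": True, "last_logon": date(2018, 5, 1),
     "groups": {"IT-Users", "Domain Admins"}},
    {"account": "cwei",       "employee_id": "E1003", "enabled": True, "last_logon": date(2018, 6, 29),
     "groups": {"Sales-Users", "IT-Users"}},
    {"account": "dpatel",     "employee_id": "E1004", "enabled": True, "last_logon": date(2018, 2, 1),
     "groups": {"IT-Users"}},
    {"account": "dpatel2",    "employee_id": "E1004", "enabled": True, "last_logon": date(2018, 6, 20),
     "groups": {"IT-Users"}},
    {"account": "svc-backup", "employee_id": None,    "enabled": True, "last_logon": date(2018, 6, 30),
     "groups": {"Backup Operators"}},
]

# Assumed role model: the groups each department is permitted to hold.
ROLE_MAP = {
    "Finance": {"Finance-Users"},
    "IT":      {"IT-Users", "Domain Admins", "Backup Operators"},
    "Sales":   {"Sales-Users"},
}


def reconcile(hr_roster, directory, role_map, audit_date=AUDIT_DATE, stale_after=STALE_AFTER):
    """Return sorted (assurance domain, subject, detail) findings for the auditor."""
    hr_by_id = {r["employee_id"]: r for r in hr_roster}
    accounts_by_emp = defaultdict(list)
    findings = []

    for acct in directory:
        name, emp_id = acct["account"], acct["employee_id"]
        if emp_id is None:
            # Account cannot be tied to any identity in the trusted source.
            findings.append(("Identity Repository", name,
                             "no employeeID: account is not linked to the HR source"))
            continue
        accounts_by_emp[emp_id].append(name)
        hr = hr_by_id.get(emp_id)
        if hr is None:
            findings.append(("Identity Repository", name,
                             f"employeeID {emp_id} has no HR record"))
            continue
        if hr["status"] == "terminated" and acct["enabled"]:
            days = (audit_date - hr["term_date"]).days
            findings.append(("User Termination and Transfer", name,
                             f"enabled {days} days after termination on {hr['term_date']}"))
        if acct["enabled"]:
            # Groups the current department is not entitled to (transfer residue).
            excess = acct["groups"] - role_map.get(hr["dept"], set())
            if excess:
                findings.append(("Access Policy", name,
                                 f"groups not permitted for {hr['dept']}: {sorted(excess)}"))
            if audit_date - acct["last_logon"] > stale_after:
                findings.append(("Authentication Practices", name,
                                 f"enabled but no logon since {acct['last_logon']}"))

    # One person must resolve to one identity: flag employeeIDs shared by several accounts.
    for emp_id, names in accounts_by_emp.items():
        if len(names) > 1:
            findings.append(("Unique Identity", emp_id,
                             f"{len(names)} accounts share one employeeID: {sorted(names)}"))
    return sorted(findings)


if __name__ == "__main__":
    for domain, subject, detail in reconcile(HR_ROSTER, DIRECTORY, ROLE_MAP):
        print(f"[{domain}] {subject}: {detail}")
```

Each finding is an audit exception tagged with the assurance domain it belongs to, so the same output feeds both the maturity rating per domain and the control-level write-up. In a real engagement the two inputs would be the HR extract and an LDAP or Active Directory export; the reconciliation logic does not change.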

Maturity Model Deliverable

Note: based on the ISO/IEC 15504 process capability assessment model, which rates each process on a scale from level 0 (incomplete) through 1 (performed), 2 (managed), 3 (established) and 4 (predictable) to 5 (optimizing).

Why a Phased Approach is Helpful

Avoid risk
- Minimize intrusiveness on end-users and admins
- Minimize scope creep
- Provide long testing and certification cycles

Early results
- Deploy updated infrastructure early, stabilize and perform extensive validation testing
- Acclimate core team members to new / updated technologies as soon as possible

Be pragmatic
- Limited resources to apply to the initiative; resources are heavily loaded
- Fit within the framework of other projects and existing organizational constraints

Contain costs
- Knowledge transfer to extended team members throughout the project
- Recommend the extended team take ownership and perform tasks where possible

Questions?

Contact Us
Bryan Cook, bcook@focal-point.com, 214-226-8410