  • 7/31/2019 Ident Access Mgmt


Identity and Access Management


What is GTAG?

Prepared by The Institute of Internal Auditors (The IIA), each Global Technology Audit Guide (GTAG) is written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. The GTAG series serves as a ready resource for chief audit executives on different technology-associated risks and recommended practices.

    Guide 1: Information Technology Controls

    Guide 2: Change and Patch Management Controls: Critical for Organizational Success

    Guide 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

    Guide 4: Management of IT Auditing

    Guide 5: Managing and Auditing Privacy Risks

    Guide 6: Managing and Auditing IT Vulnerabilities

    Guide 7: Information Technology Outsourcing

    Guide 8: Auditing Application Controls

Visit The IIA's Web site at www.theiia.org/technology to download the entire series.


Project Leader

Sajay Rai, Ernst & Young LLP

Authors

Frank Bresz, Ernst & Young LLP
Tim Renshaw, Ernst & Young LLP
Jeffrey Rozek, Ernst & Young LLP
Torpey White, Goldenberg Rosenthal LLP

Identity and Access Management

November 2007

Copyright 2007 by The Institute of Internal Auditors, 247 Maitland Ave., Altamonte Springs, FL 32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.


Table of Contents

1. Executive Summary  1
2. Introduction  2
   2.1 Business Drivers  2
   2.2 Identity and Access Management Concepts  3
   2.3 Adoption Risks  4
3. Definition of Key Concepts  5
   3.1 Identity Management vs. Entitlement Management  6
   3.2 Identity and Access Management Components  6
   3.3 Access Rights and Entitlements  6
   3.4 Provisioning Process  7
   3.5 Administration of Identities and Access Rights Process  9
   3.6 Enforcement Process  10
   3.7 Use of Technology in IAM  10
4. The Role of Internal Auditors  12
   4.1 Current IAM Processes  12
   4.2 Auditing IAM  14
Appendix A: IAM Review Checklist  17
Appendix B: Additional Information  22
Glossary  23
About the Authors  24


1. Executive Summary

Identity and access management (IAM) is the process of managing who has access to what information over time. This cross-functional activity involves the creation of distinct identities for individuals and systems, as well as the association of system and application-level accounts to these identities.

IAM processes are used to initiate, capture, record, and manage the user identities and related access permissions to the organization's proprietary information. These users may extend beyond corporate employees. For instance, users could include vendors, customers, floor machines, generic administrator accounts, and electronic physical access badges. The means used by the organization to facilitate the administration of user accounts and to implement proper controls around data security form the foundation of IAM.

Although many executives view IAM as an information technology (IT) function, this process affects every business unit throughout the organization. For instance, executives need to feel comfortable that a process exists for managing access to company resources and that the risks inherent in the process have been addressed. Business units need to know what IAM is and how to manage it effectively. IT departments need to understand how IAM can support business processes and then provide sound solutions that meet corporate objectives without exposing the company to undue risks. Addressing all of these needs requires a solid understanding of fundamental IAM concepts.

In addition, information must be obtained from business and IT management to understand the current state of companywide IAM processes. A strategy can then be developed that is based on how closely existing processes align with the organization's business objectives, risk appetite, and needs.

Matters to be considered when developing an IAM strategy include:

• The risks associated with IAM and how they are addressed.
• The needs of the organization.
• How to start looking at IAM within the organization and what an effective IAM process looks like.
• The process for identifying users and the number of users present within the organization.
• The process for authenticating users.
• The access permissions that are granted to users.
• Whether users are inappropriately accessing IT resources.
• The process for tracking and recording user activity.

As an organization changes, so too should its use of IAM processes. Therefore, as changes take place, management should be cautious that the IAM process does not become too unwieldy and unmanageable or expose the organization to undue risk due to the improper use of IT assets.

The Role of Internal Auditors

Because IAM touches every part of the organization, from accessing a facility's front door to retrieving corporate banking and financial information, chief audit executives (CAEs) may wonder how organizations can control access more effectively to gain a better understanding of the magnitude of IAM. For instance, to effectively control access, managers must first know the physical and logical entry points through which access can be obtained. Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability to determine whether company data is being misused.

As a result, the CAE should be involved in development of the organization's IAM strategy. The CAE brings a unique perspective on how IAM processes can increase the effectiveness of access controls, while also providing greater visibility for auditors into the operation of these controls. The purpose of this GTAG is to provide insight into what IAM means to an organization and to suggest internal audit areas for investigation. In addition to involvement in strategy development, the CAE has a responsibility to ask business and IT management what IAM processes are currently in place and how they are being administered. While this document is not to be used as the definitive resource for IAM, it can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes.


2. Introduction

For years, organizations have faced the complex problem of managing identities and credentials for their technology resources. What used to be a simple issue that was confined within the walls of the data center has become a growing and exponentially complex problem facing organizations of all sizes.

For instance, many large organizations are unable to effectively manage the identities and access permissions granted to users, especially in distributed IT environments. Over the last several years, IT departments have built system administration (SA) groups to manage the multitude of servers, databases, and desktops the organization uses. However, even with the creation of SA groups, managing access to the organization's resources remains a challenge.

Even with this expansion, human resources and manual processes are sometimes unable to handle the complex tasks and excessive administrative overhead needed to manage user identities within the organization. What's more, in recent years regulatory requirements have added complexity and increased external scrutiny of access management processes. These regulatory requirements and prudent business practices have led organizations to grant individuals access at the most granular feasible level, forcing managers to determine what specific rights are needed, rather than granting users access to resources they do not actually need to do their jobs.

Although what is commonly referred to as IAM has become an industry-accepted term, there are many definitions in use, depending on the industry, product vendor, or professional consultant. However, the core premise remains the same. This publication does not claim to have the correct authoritative definition. Rather, it blends many of the definitions that have been presented in the IT industry.

2.1 Business Drivers

According to a recent International Data Group (IDG) Forecast Report (1), spending on IAM and related systems is expected to grow rapidly. Within the United States, this increase is being driven primarily by the U.S. Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLBA) of 1999, the Basel II Accord, and other industry-specific regulations. For instance, the financial services industry is subject to guidance specifying the use of more than one authentication factor (i.e., multifactor authentication). This forecast report predicts that the IAM global marketplace will increase by at least 10 percent per year to US $5 billion by 2010. Thus, many organizations will make IAM a primary IT project in the future.

(1) IDG Report #204639: Worldwide Identity and Access Management 2006-2010 Forecast Update With Submarket Segments, December 2006.

With this surge, it is important to examine the many reasons why organizations embark on IAM projects. These include:

• Improved regulatory compliance.
• Reduced information security risk.
• Reduced IT operating and development costs.
• Improved operating efficiencies and transparency.
• Improved user satisfaction.
• Increased effectiveness of key business initiatives.

2.1.1 Improved Regulatory Compliance

Without overstating the effects of the regulations mentioned in the previous paragraph, it is important to note that Sarbanes-Oxley, HIPAA, GLBA, Basel II, and other regulations have significantly impacted organizations worldwide. However, while IAM initiatives have helped fill the gaps related to system access controls, they may not have gone far enough.

Many companywide IAM initiatives are merely stopgaps to regulatory compliance. Although this approach to dealing with IAM may pass an audit, it may hinder the organization in the future as the IAM program becomes overly complex, inoperable, and costly. Organizations also must be aware that IAM programs frequently collect personal information about system users. Therefore, these programs need to be aligned carefully with privacy and data protection laws, such as the European Union's Directive on Data Protection of 1995.

2.1.2 Reduced Information Security Risk

A key driver to successful IAM implementation is the improved risk posture that comes from the implementation of better identity and access controls. By knowing who has access to what, and how access is directly relevant to a particular job or function, IAM improves the strength of the organization's overall control environment.

In many organizations, the removal of user access rights or access rights for a digital identity can take up to three to four months. This may present an unacceptable risk to the organization, especially if an individual is able to continue accessing company systems and resources during the access removal period. For example, anecdotal evidence indicates that some users, such as contractors, continue to have access rights for years, which results in continued unauthorized access to systems and exposure of the organization's infrastructure to avoidable hacking attempts.

2.1.3 Reduced IT Operating and Development Costs

Ironically, the proliferation of automated systems can negatively impact worker efficiency due to the different sign-on mechanisms used. As a result, workers must remember or carry a variety of credentials that change frequently. For example, a typical employee may have a username and password for their desktop, a different username and password to gain access to other systems, several more usernames and passwords for different desktop and browser applications, and


a personal identification number (i.e., PIN) with a one-time use password for remote access.

Considering the sheer number of these credentials, multiplied by their frequently expiring passwords, credential maintenance can become overly complex and unreasonably challenging for users. This often results in users' dissatisfaction with the process and forgotten passwords. This scenario degrades employee efficiency and significantly impacts support functions such as the help desk, which administer these credentials and handle forgotten password calls.

The proliferation of automated systems can also add significant operating costs by reproducing user identity directories and databases, thus resulting in poor performance and increased costs, most of which are hidden. For example, many organizations are faced with the following circumstances:

• A lack of defined and automated approval workflows, resulting in a best guess by an administrative assistant when initiating the provisioning process and handling access requests.
• An increased number of help desk calls, many of which are related to identity and access support, such as password-reset requests.
• Having new employees wait a week or longer to obtain baseline access to IT systems, such as e-mail and network resources.
• Not documenting access requirements by role, so users have to make several follow-up calls to get the access they need.

2.1.4 Improved Operating Efficiencies and Transparency

Having a well-defined process for managing access to information can greatly enhance a company's operating efficiency. Many times, organizations struggle with getting users the access they require to perform their job functions. For instance, requests are forwarded to various members of the IT or administration team who may not know what access or information a user is requesting or has a business need to obtain. Additionally, without a defined process, requests may go unfulfilled or be performed incorrectly, resulting in additional work on the part of the IT or administration team.

Therefore, implementing a defined IAM process can greatly enhance process efficiency. In large organizations, the appropriate use of enabling IAM technologies can ensure a request is routed to the correct person for approval or to the appropriate system configuration or automated provisioning system. In addition, access requests that take weeks to be completed can be reduced to days, while compliance reporting for these approvals is enhanced through the use of defined approval workflows within the established IAM process.

2.1.5 Improved User Satisfaction

Besides the operating efficiencies mentioned earlier, implementing an effective IAM process can enable users to identify the access they need, submit the request to the appropriate approver, and quickly gain access to work information. This, in turn, helps to reduce user frustration, which is particularly important as new employees are hired (e.g., when new team members are provided timely access to perform their job functions, they are productive sooner).

2.1.6 Increased Effectiveness of Key Business Initiatives

Often, certain business initiatives require access rights to be changed. These typically include joint ventures, outsourcing partnerships, divestitures, mergers, and acquisitions. For companies that are involved in these activities, the ability to quickly provide access to the appropriate levels of information can enhance the activity's success significantly. Conversely, without a well-defined process it may be difficult to determine whether the correct level of access was granted or removed. For example, during a joint venture or merger, timely access to appropriate information and timely termination of access to certain company resources are critical.

2.2 Identity and Access Management Concepts

IAM is a complex process consisting of various policies, procedures, activities, and technologies that require the coordination of many companywide groups such as human resources and IT. This guide will help CAEs understand the different components of IAM, enabling the subject to be more easily understood. For a more thorough definition of these components, please refer to the glossary at the end of this guide.

Fundamentally, IAM attempts to address three important questions:

1. Who has access to what? A robust identity and access management system will help a company not only to manage digital identities, but to manage the access to resources, applications, and information these identities require as well.

2. Is the access appropriate for the job being performed? This element takes on two facets. First, is this access correct and defined appropriately to support a specific job function? Second, does access to a particular resource conflict with other access rights, thus posing a potential segregation of duties problem?

3. Is the access and activity monitored, logged, and reported appropriately? In addition to benefiting the user through efficiency gains, IAM processes should be designed in a manner that supports regulatory compliance. One of the larger regulatory realities under Sarbanes-Oxley and other regulations is that access rights must be defined, documented, monitored, logged, and reported appropriately.


2.3 Adoption Risks

The creation of an IAM process poses the potential for changes in personnel and current business activities and the need for capital investment. Introduction of IAM processes into an organization can expose it to new risks while mitigating existing ones. These risks need to be examined and understood by the organization as it implements new or modified IAM processes. Specifically, the following should be considered:

• Organizational complacency. Many organizations are happy to continue performing certain processes the same way they always have, even if the status quo is inefficient or inadequate from a control perspective.
• Participation. Any major project requires additional time and the commitment of various resources to ensure the project's success. If the organization does not dedicate sufficient time, project activities are at risk of inadequate completion.
• Planning. Successful projects require well laid-out plans, milestones for delivery, and processes for scoping change management to set expectations regarding resource commitments and timelines.
• Communication. IAM project objectives, planned activities, and resource requirements must be expressed to the appropriate stakeholders. Without this communication, the individuals who need to be involved in the project will not be able to provide the appropriate input.
• Incorporating all systems into the process. IAM projects are complex and tend to take a substantial amount of time to complete. Trying to bring many computer systems into the IAM framework at once can be overbearing and unsuccessful. Key business risk areas, and the system resources that support them, are good targets for the initial scope.
• Process complexity. In line with the complacency risk, making a revised process too complex will affect its success. For instance, users may try to circumvent the process or create their own.
• Making the process weak. If the IAM process is weakly defined, nebulous, or open to user interpretation, it will encourage others to create sub-variant practices that do not effectively use the IAM process.
• Lack of enforcement. As part of the IAM process implementation, governance, and use, proper enforcement activities enable it to operate as designed. If users are allowed to employ varied processes or circumvent established ones, the project's overall success can be jeopardized.

While some of these risks can be mitigated or eliminated, they must be identified, understood, and prioritized before, during, and after the IAM process is defined.


3. Definition of Key Concepts

The concepts below will be addressed in the following sections:

• Identity: the element or combination of elements used to uniquely describe a person or machine. It can be what you know, such as a password or a personal identification (ID) number; what you have, such as an ID card, security token, or software token; who you are, such as a fingerprint or retinal pattern; or any combination of these elements. (Strictly, these are the authenticators by which a claimed identity is proven; the identity itself is the unique identifier they are bound to, which is what the enforcement stage below authenticates.)
• Access: the information representing the rights that the identity was granted. These information access rights can be granted to allow users to perform transactional functions at various levels. Some examples of transactional functions are copy, transfer, add, change, delete, review, approve, read-only, and cancel.
• Entitlements: the collection of access rights to perform transactional functions. Note: The term entitlements is used occasionally and synonymously with access rights.

When the concept of identities is discussed, many executives typically think of human users. However, it is important to remember that there are also service accounts, machine identities, and other non-human identities that must be managed. Failure to control any of these identities and the access they have can be detrimental to an organization's overall control framework.

For identities to become part of an organization's identity and access management system, they need to pass through several stages. These stages are:

• Provisioning. Provisioning refers to an identity's creation, change, termination, validation, approval, propagation, and communication. This process varies in breadth and length of time to complete based on the specific needs of the organization. In addition, this process should be governed by a company-specific and universally applied policy statement that is written and maintained by the IT department with input from other business units.
• Identity management. Identity management should be a part of ongoing companywide activities. It includes the establishment of an IAM strategy; administration of IAM policy statement changes; establishment of identity and password parameters; management of manual or automated IAM systems and processes; and periodic monitoring, auditing, reconciliation, and reporting of IAM systems.
• Enforcement. Enforcement includes the authentication, authorization, and logging of identities as they are used within the organization's IT systems. The enforcement of access rights primarily occurs through automated processes or mechanisms.

Figure 1. Relationships between IAM components and key concepts


• Machine accounts (e.g., IT hardware devices that perform functions within and across IT environments or applications, such as a floor machine).
• Functional or batch accounts (e.g., those used to execute batch processes, such as overnight report-generating batches).

When auditing the identities present in the organization, auditors should determine whether specific and universally applied identifiers are associated with each identity type. This allows different rules to apply to the management and review procedures associated with different types of accounts. For instance, a batch account may be subject to different policies and may require a different type of review than a user account.

3.2.2 Onboarding

Once the need for an identity has been determined, the identity has to be created in the IT environment. The manual or automated process used to create this identity is called onboarding, which involves the creation of an identity's profile and the necessary information required to describe the identity.

3.2.3 Offboarding

Offboarding is the opposite of onboarding. During this process, identities that no longer require access rights to the IT environment are identified, disabled or deactivated, reviewed to ensure they are inactive, and deleted from the IT environment after a predetermined period of time.
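As an added illustration, not part of the GTAG, the Python below shows what the identity-type and offboarding rules above look like when automated, and it also addresses the stale contractor access described in 2.1.2. It classifies accounts by an assumed naming convention, joins them against an HR feed, and reports accounts to disable (owner terminated), delete (disabled past the retention window), or review (human account with no HR owner, or dormant beyond the per-type threshold). The prefixes, thresholds, HR feed and directory export are all constructed for the example.

```python
"""Offboarding and dormant-account reconciliation.

Added example (not from the GTAG). Identity types are inferred from an ASSUMED
prefix convention; the thresholds, HR feed and directory export are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed naming convention mapping identifier prefix -> identity type.
TYPE_PREFIXES = {"svc-": "service", "bat-": "batch", "mach-": "machine", "c-": "contractor"}

# Per-type policy (assumed values): days without logon before an account is
# dormant, days a disabled account may linger before deletion, and whether a
# living HR record must vouch for it.
POLICY = {
    "employee":   {"dormant_days": 45,  "retention_days": 30, "hr_owner": True},
    "contractor": {"dormant_days": 30,  "retention_days": 14, "hr_owner": True},
    "service":    {"dormant_days": 180, "retention_days": 90, "hr_owner": False},
    "batch":      {"dormant_days": 90,  "retention_days": 90, "hr_owner": False},
    "machine":    {"dormant_days": 90,  "retention_days": 90, "hr_owner": False},
}


@dataclass
class Account:
    name: str
    owner: Optional[str]         # HR id of the accountable person, if any
    last_logon: Optional[date]
    disabled_on: Optional[date]  # None means the account is enabled


def identity_type(name: str) -> str:
    """Classify an account by its identifier; anything unprefixed is an employee."""
    for prefix, kind in TYPE_PREFIXES.items():
        if name.startswith(prefix):
            return kind
    return "employee"


def reconcile(accounts, hr, today):
    """hr maps HR id -> {"status": "active"|"terminated", "end": date|None}.
    Returns a list of (account name, finding) in the order accounts were given."""
    findings = []
    for acct in accounts:
        pol = POLICY[identity_type(acct.name)]
        rec = hr.get(acct.owner) if acct.owner else None
        if acct.disabled_on is not None:
            # Already offboarded: delete once the retention window has passed.
            if today - acct.disabled_on > timedelta(days=pol["retention_days"]):
                findings.append((acct.name, "delete: disabled past retention"))
            continue
        if pol["hr_owner"] and rec is None:
            findings.append((acct.name, "orphan: no HR record for owner"))
            continue
        if rec is not None and rec["status"] == "terminated":
            findings.append((acct.name, f"disable: owner terminated {rec['end']}"))
            continue
        if acct.last_logon is None or today - acct.last_logon > timedelta(days=pol["dormant_days"]):
            findings.append((acct.name, "dormant: review with owner"))
    return findings


# Constructed sample data.
TODAY = date(2024, 6, 1)
HR = {
    "E100": {"status": "active", "end": None},
    "E200": {"status": "terminated", "end": date(2024, 2, 15)},
}
ACCOUNTS = [
    Account("jsmith",      "E100", date(2024, 5, 30), None),   # healthy employee
    Account("c-acme01",    "E200", date(2024, 5, 28), None),   # contractor still logging in after termination
    Account("rjones",      None,   date(2024, 5, 1),  None),   # human account nobody in HR vouches for
    Account("svc-backup",  None,   date(2023, 10, 1), None),   # service account idle for eight months
    Account("bat-nightly", None,   date(2024, 5, 31), None),   # batch account in use
    Account("tgone",       "E200", None, date(2024, 3, 1)),    # disabled 92 days ago, retention is 30
]


def run():
    return reconcile(ACCOUNTS, HR, TODAY)


if __name__ == "__main__":
    for name, finding in run():
        print(f"{name:12} {finding}")
```

The point of the per-type policy table is the one made in the text: a batch or service account cannot be tied to a leaver's HR record, so it needs a different trigger (dormancy, or a named custodian) than a human account, and the naming convention is what lets the script tell them apart.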

3.3 Access Rights and Entitlements

3.3.1 Identity Access or Entitlement Changes

Provisioning and Access Right Changes

When a user is granted an identity through the provisioning process, an evaluation of the access rights being granted or changed should be part of the business owner's approval and the IT department's review of the access request. While the IT department should not be held responsible for the approval of user identities, they should be involved in the process because they have a better understanding of how the access rights granted on various IT systems interact with one another.

Non-person Account Access Rights

Many applications, databases, and tools require the use of functional accounts. These accounts are not generally used for authentication by a specific user but rather for communication between two different system components. For instance, most database management systems (DBMSs) require the systems on which they are hosted to have specific

3.1 Identity Management vs. Entitlement Management

3.1.1 Identity and Access Management Process

An IAM process should be designed to initiate, modify, track, record, and terminate the specific identifiers associated with each account, whether human or nonhuman, by making use of the organization's IT resources. The organization, then, should use its IAM process to manage these identifiers and their respective association with user accounts. As a result, the IAM process should be designed to incorporate the applications a user account needs to access and how identifiers, if different between applications, are associated with the user. Figure 1 demonstrates how identity and access management components relate to one another.

3.1.2 Entitlement Management

As part of the IAM process, entitlement management should be designed to initiate, modify, track, record, and terminate the entitlements or access permissions assigned to user accounts. Regardless of the methodology the organization employs to group user accounts into similar functions (e.g., work groups, roles, or profiles), entitlements for each user need to be managed properly. Therefore, the organization should conduct periodic reviews of access rights to detect situations where users accumulate entitlements as they move within the organization or where users are assigned improper entitlements. To accomplish reviews of access rights, business units need to request reports of access rights and communicate needed changes through the proper IAM mechanisms to the IT department.

One component of a properly designed entitlement management process is a segregation of duties analysis. This can prevent assignment of entitlement combinations that provide an individual with inappropriate access across a business process or detect conflicts that currently exist.
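The accumulation and segregation-of-duties checks described in 3.1.2 (and the second of the three questions in 2.2) can be expressed directly over an entitlement export. The Python below is an added example, not IIA material: the role definitions, entitlement names, conflict pairs and user data are constructed for illustration. It reports entitlements a user holds beyond those defined for the user's current role, accounts with no role on record, users who hold a toxic combination, and role pairs that would be toxic if assigned together.

```python
"""Periodic access review: entitlement accumulation and segregation of duties.

Added example (not from the GTAG). Roles, entitlement names, conflict pairs and
user data are constructed for illustration.
"""
from itertools import combinations

# What each defined role is supposed to grant (assumed role model).
ROLE_ENTITLEMENTS = {
    "ap_clerk":     {"ap.invoice.create", "ap.vendor.view"},
    "ap_manager":   {"ap.invoice.approve", "ap.vendor.view"},
    "vendor_admin": {"ap.vendor.create", "ap.vendor.view"},
    "payments":     {"ap.payment.release"},
}

# Toxic combinations: one person holding both can complete a fraud end to end.
SOD_CONFLICTS = [
    frozenset({"ap.invoice.create", "ap.invoice.approve"}),
    frozenset({"ap.vendor.create", "ap.payment.release"}),
    frozenset({"ap.invoice.approve", "ap.payment.release"}),
]


def review(users, actual):
    """users: account -> current role from HR.  actual: account -> entitlements
    exported from the target system.  Returns (excess, violations): entitlements
    held beyond the current role (or by accounts with no role), and SoD hits."""
    excess, violations = {}, {}
    for user, role in users.items():
        held = actual.get(user, set())
        extra = held - ROLE_ENTITLEMENTS.get(role, set())
        if extra:
            excess[user] = sorted(extra)
        hits = [tuple(sorted(c)) for c in SOD_CONFLICTS if c <= held]
        if hits:
            violations[user] = hits
    for user in sorted(actual.keys() - users.keys()):
        excess[user] = sorted(actual[user])   # no role on record: everything is excess
    return excess, violations


def conflicting_roles():
    """Role pairs that must never be assigned to the same person."""
    bad = []
    for r1, r2 in combinations(ROLE_ENTITLEMENTS, 2):
        combined = ROLE_ENTITLEMENTS[r1] | ROLE_ENTITLEMENTS[r2]
        if any(c <= combined for c in SOD_CONFLICTS):
            bad.append((r1, r2))
    return bad


# Constructed sample: alice moved from manager to clerk and kept approve;
# carol picked up payment release; dave has access but no role in HR.
USERS = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "vendor_admin"}
ACTUAL = {
    "alice": {"ap.invoice.create", "ap.vendor.view", "ap.invoice.approve"},
    "bob":   {"ap.invoice.approve", "ap.vendor.view"},
    "carol": {"ap.vendor.create", "ap.vendor.view", "ap.payment.release"},
    "dave":  {"ap.payment.release"},
}


def run_review():
    return review(USERS, ACTUAL)


if __name__ == "__main__":
    excess, violations = run_review()
    for user, ents in excess.items():
        print(f"excess   {user}: {ents}")
    for user, hits in violations.items():
        print(f"SoD      {user}: {hits}")
    print("toxic role pairs:", conflicting_roles())
```

Two design points matter in practice: the SoD check runs over what the target system actually grants, not over the role the user is supposed to have, because accumulated entitlements are exactly what a role-only check misses; and conflicting_roles catches a toxic pairing at design time, before any user is ever assigned both.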

3.2 Identity and Access Management Components

3.2.1 Identity Types

Identities take many forms within an organization, and all types of identities should be considered in an identity management process.

Identity types include, but are not limited to, any or all of the following:

• Employees who use IT resources.
• Vendors (e.g., subcontractors).
• IT devices (e.g., hardware devices that perform functions similar to a user, such as fixed and mobile applications).
• Application service accounts (e.g., pre-defined accounts provided by the software vendor).


should be conducted primarily by the organization with approvals received from each responsible business owner. In addition, privileged and IT account identities should be reviewed by an appropriate manager or system owner.

3.4 Provisioning Process

A logical workflow progression that addresses the provisioning process is presented in Figure 2.

3.4.1 Access Request

The process for requesting the creation, deletion, or changes to an identity should be defined in a procedure that details:

• How requests are to be made for the different types of identities (e.g., manual, electronic, or calls to the help desk).
• Where the requests need to be routed.
• Specific timeframes for making requests.
• Fulfillment expectations.

3.4.2 Approval

An identity request should be subject to a multistep approval process. The initial request approval should be granted by the authorized individual directly responsible for supervising the requestor's activities. Also, the approval should occur prior to when the request is submitted to the IT department. Once the first level of approval is granted, a second level of approval may be necessary and should be granted by the application owner. After the appropriate approvals have been secured, the request should be routed to the IT department or appropriate system for fulfillment.

3.4.3 Propagation and Identity Creation

Once creation of the identity is approved in a manner that is in compliance with the organization's policies, the identity will be created by an individual in the IT department or by an automated application controlled within the IT department. The following items should be taken into consideration when creating the identity:

• The requestor's function within the organization.
• How the identity will be used.
• Whether access granted to the identity owner will be based on roles, rules, or user-specific needs.
• Whether the identity can be replicated from an existing role or a new role will need to be created to meet the user's needs.

The creation of the identity requires an understanding of how it will be used, the software applications it will use, and any schedule restrictions the identity may be subject to or need relief from. The identity also should be created with a corresponding password containing restrictions that are specific to the application and in compliance with the organization's policy statement.

    accounts created and active for the DBMS to operate.Therefore, the organization needs to have a proper way torequest the generation of these accounts, limit their accessto appropriate entitlements only, monitor who has access toaccount authentication credentials, and revoke the accountswhen they are no longer needed.

    Granting Access Rights to3.3.2Privileged Accounts

    Granting Privileged Account Access to an Identity

    Privileged accounts are normally assigned to the personwithin the IT department responsible for administering ITsystems, including network devices and applications, and theoverall IT infrastructure. Typically, these users are entrustedby the organization with a level of access that permits them

    to make high-level and sometimes undocumented changesto the IT environment. To prevent unnecessary or inap-propriate access to these accounts, the organization shouldinclude a section in its IAM policy statement that addressestheir proper provisioning, administration, and enforcement.

    Monitoring Privileged Accounts

    Privileged accounts exist in every organization. In manycompanies, these accounts are placed in the hands of trustedindividuals due to the risk they represent. Despite the level oftrust placed in these individuals, appropriate IT managementshould periodically perform some of the following steps:

    Review the list of users with privileged access.

    Review, whenever possible, the activities of privi-leged accounts.Review online activity of these privileged accountsfor inappropriate transmission of outbound sensitivedata and for inappropriate introduction of unap-proved applications.

    Segregation of duties3.3.3

    Conflicts

    During the provisioning process, the approvers of accessrequests should evaluate whether the request will cause asegregation of duty conflict. Additionally, when establishing

    or changing a users identity, the IT department may notea potential segregation of duty conflict. In this case, the ITdepartment should notify the business owner or approver ofthe problem. Performing a segregation of duty analysis beforegranting additional access to an account can be automatedand used as a preventive control.

    Periodic Monitoring of Access Rights

    As part of its IAM monitoring process, the organizationshould establish a methodology to periodically review theaccess rights granted to all identities residing in its IT envi-ronment. This review, while facilitated by the IT department,
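The segregation of duties analysis described under 3.3.3 above, as an added Python example that is not part of the GTAG: a small set of conflicting entitlement pairs (constructed for illustration, not taken from the guide) drives both a detective check over an identity's existing entitlements and a preventive check run before an access request is fulfilled.

```python
"""Segregation-of-duties (SoD) analysis as a preventive provisioning control.

Added example, not part of the GTAG text. The entitlement names and the
conflict rules below are constructed for illustration; a real rule set
comes from the organization's own business-process owners.
"""

# Each rule names two entitlements that must not be held by one identity,
# because together they let a single person complete a sensitive process
# (e.g., set up a supplier and then pay it) without a second pair of eyes.
SOD_RULES = {
    frozenset({"AP.VendorMaster.Edit", "AP.Payment.Release"}):
        "Create a vendor and release payments to it",
    frozenset({"GL.Journal.Post", "GL.Journal.Approve"}):
        "Post and approve the same journal entry",
    frozenset({"HR.Payroll.Edit", "HR.Payroll.Approve"}):
        "Change and approve payroll data",
}


def existing_conflicts(entitlements, rules=SOD_RULES):
    """Detective check for the periodic review: which rules does an
    identity's current entitlement set already violate?"""
    held = set(entitlements)
    hits = []
    for pair, reason in rules.items():
        if pair <= held:  # both halves of the toxic pair are held
            hits.append((tuple(sorted(pair)), reason))
    return sorted(hits)


def check_request(current, requested, rules=SOD_RULES):
    """Preventive check run before fulfillment: which rules would the
    requested entitlements violate, given what is already held? Conflicts
    between two entitlements in the same request are caught as well."""
    held = set(current)
    new = set(requested) - held
    violations = set()
    for ent in new:
        for pair, reason in rules.items():
            if ent in pair:
                other = next(iter(pair - {ent}))
                # Conflict if the other half is already held or also requested.
                if other in held or other in new:
                    violations.add((tuple(sorted(pair)), reason))
    return sorted(violations)


def route_request(identity, current, requested, rules=SOD_RULES):
    """Decision record for the approver: 'fulfill' when no conflict exists,
    otherwise 'hold' with the conflicts the business owner must resolve."""
    conflicts = check_request(current, requested, rules)
    return {
        "identity": identity,
        "decision": "fulfill" if not conflicts else "hold",
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    # Constructed sample: a clerk who already maintains vendor master data
    # asks for payment release rights.
    clerk_now = {"AP.VendorMaster.Edit", "AP.Invoice.Enter"}
    print(route_request("jdoe", clerk_now, {"AP.Payment.Release"}))
    # An account that already violates a rule, found by the periodic review.
    print(existing_conflicts({"GL.Journal.Post", "GL.Journal.Approve", "GL.Report.View"}))
```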


When granting an identity to a person, many IT departments assign a temporary password that the user must change during the initial login attempt.

During this part of the IAM process, the entitlements or access rights assigned to the identity should be evaluated in conjunction with the identity's functional role in the organization to determine whether conflict of interest issues regarding segregation of duties arise.

3.4.4 Communication

As part of its policy statement, the organization should define how to communicate the creation, deletion, and change of user identities. The organization also should establish a centralized location or department, separate from IT, to initiate identity communications to IT.

In addition, the IT department should use a mechanism to receive and send communications related to the creation and deletion of, or changes to, an identity. The means of communication can take the form of an automated message, verbal message, or paper documentation.

Any communication regarding the identity should conform to the organization's data classification policy. When communicating about an identity's creation or changes through electronic or paper means, staff must be cognizant of any data classification restrictions and requirements for identity configuration information. Communications that contain a password, for instance, may need to be sent in sealed envelopes, encrypted e-mail messages, or by other secure methods. The organization should also require users to change the password after its first use to prevent misuse of the identity and to mitigate the risks associated with its interception by an unauthorized party.

3.4.5 Logging

An entitlement repository is a system that tracks the privileges granted to users over time and records access requests, approvals, start and end dates, and the details related to the specific access being granted. This data can be used when auditing access, performing user entitlement reviews, and determining whether access activities were approved.

The logging-generated data should be maintained for a defined period and then destroyed. The retention period should be based on the nature of the access being logged, any regulatory and audit requirements, corporate policies, and data storage constraints.

Figure 2. Diagram of an automated provisioning process logical flow


3.5 Administration of Identities and Access Rights Process

3.5.1 Periodic Audit and Reconciliation of Identities and Entitlements

Periodic Audits

To evaluate the design and effectiveness of an organization's IAM system, periodic auditing of the process is necessary. Audit frequency should be determined as part of the annual audit planning process, which stems from internal audit's annual risk assessment. The audits themselves should consist of:

• An identification of highest to lowest risk identity concentration.
• A re-examination of the IAM process design.
• An examination of the IAM process operating effectiveness.
• A review of the provisioning process, which encompasses the evaluation of a sample of identities representing a cross-section of those that were active for any portion of the audit period.
• An examination of IAM enforcement activity effectiveness.
• An examination of IAM administrative activity effectiveness.

Segregation of Duties

IAM processes and methodologies should not be the only controls used to prevent user identities from having inappropriate access. Consequently, the organization should incorporate some method for verifying or reconciling user identities and their corresponding access rights against the access rights for which these identities were originally approved. This reconciliation process may reveal some of the following:

• User identities possess access rights that match the rights they were approved to have.
• User identities did not have their access rights reviewed and approved as frequently as expected.
• User identities possess access rights that do not match the rights they were approved to have.
• User identities associated with terminated or deactivated users still reside in the IT environment.
• Users who need to be issued identities and granted access rights did not have access requested or approved.

If the verification and reconciliation process reveals identities and access rights that are misaligned, the organization should have a way to report these problems, determine any corrective actions, and acquire the necessary approvals to correct these deficiencies.

Entitlement Reviews

Mature IAM processes can facilitate the access review activities of managers and application owners. Managers can review the access granted to their direct reports, while application owners can review the access granted to all individuals who use the application, to identify and revoke potentially inappropriate access. This review process should be performed at least annually, or more frequently for critical applications or high-risk individuals.

3.5.2 Policy Statement Administration

The organization should have a means to periodically review and revise the IAM policy statement to ensure it reflects relevant current processes and activities.

3.5.3 IAM Strategy

Either the IT department or a strategy group within the organization should establish a comprehensive plan for initiating, changing, and sustaining IAM policies, components, processes, and activities. The plan should address how the organization will proceed with the IAM process, as well as present and future IAM risks; whether IAM processes and related activities will consist of manual or electronic solutions; and whether all areas of the organization will be incorporated in the IAM process.

3.5.4 IAM System Administration

Once IAM processes have been established within the organization, they need to be maintained through some means: manually, electronically, or a combination of both. The maintenance of the IAM process primarily involves infrastructure-related administration. This encompasses items such as determining:

• Where IAM processes are centralized.
• Whether technology will be used to administer IAM processes and, if so, where this technology will be housed.
• Who will be the IT and line of business owners of IAM.
• How changes will be documented and logged.

3.5.5 End-user Password Administration

After an identity is created, an initial password is usually assigned. This initial password may be generated manually or electronically and is communicated to the user by the IT department. Therefore, although IAM refers to the identities and access rights of users, issuing and maintaining user passwords must be considered as well. Password parameters, structures, and proper use should be detailed in the organization's security policy.

Maintaining user passwords is a vital component of an effective IAM process. Password maintenance includes conducting the following tasks:

• Issuing initial passwords.
• Communicating passwords to users.
• Resetting passwords for locked-out users.
• Reviewing password activities for compliance with the organization's policy guidelines.
• Reviewing for easy-to-guess passwords, which can lead to potential misuse of the organization's IT assets.

3.5.6 Storage and Handling Considerations

The IAM process also needs to address how the organization will store, report, protect, and manage identities and access rights. When storing identities and access rights, the organization needs to be cognizant of where they will reside; how they will be viewed and reported (e.g., masked or in clear text); how long they will be stored; and how deactivated, disabled, and deleted identities will be stored.

3.5.7 Reporting

Different types of reports need to be created and used within the provisioning process. Many of the reports that are typically created are used for operational purposes, such as reports of system performance activities, tasks and queue management functions, and reconciliation events.

Audit reports include those that describe:

• Lists of identities and their associated access.
• The person approving access for specific information.
• The management of group and supervisory accounts.
• The number of users accessing a particular application or information resource.

Additionally, the processes and supporting systems should be able to provide reports that detail access approvals and reviews, because these are the areas of frequent weakness uncovered when auditing an organization's identity and access management process.

3.6 Enforcement Process

3.6.1 Authentication and Authorization

The enforcement of identities with their corresponding access rights occurs during the user's login to the application, as demonstrated in Figure 3. During login, the application performs a check to validate the user's identity. This process is called authentication and can take several forms. For instance, systems can require authentication by using a specific user characteristic (e.g., fingerprint ID or voice recognition), something the user has (e.g., smart card, badge, or key fob), or something the user knows (e.g., password or passphrase).

Once the identity is recognized and validated, the application will authorize the user to perform functions in the application based on the access rights associated with the user identity. Authorization of the user identity should be based on the access rights granted to the user during the provisioning process. Often, the authorization of a user identity may not correlate with the access rights that were intended to be granted to the user during the provisioning process. As a result, the monitoring and verification of access rights are important parts of the IAM process.

Figure 3. Enforcement of user access rights (Authenticate, Authorize, Log Activity)

3.6.2 Logging

Logging user identities, their access rights, and the functions they perform in the application provides the organization with a means to examine several items:

• Are user identities and their access rights in compliance with the access rights approved for the user identity?
• Are user identities and their access rights misaligned with the access rights necessary for the user identity to perform its functional responsibilities?
• Are user identities performing all of the functions granted to them through the provisioning process?
• Are user identities making password change requests on a frequent basis?
• Are user identities accessing or attempting to access applications outside normal business hours?
• Are there unauthorized attempts to perform certain functions by registered or unregistered users?

3.7 Use of Technology in IAM

3.7.1 What Types of Technology Exist?

When administering IAM activities, the majority of provisioning and enforcement processes can be automated through the use of IAM application software tools.
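The reconciliation outcomes listed under 3.5.1 above, and the verification of access rights that 3.6.1 calls for, as an added Python example that is not part of the GTAG: it compares HR status, approved entitlements and actual entitlements and sorts each identity into one of the five outcomes; the identities, dates and entitlement names are constructed.

```python
"""Reconciliation of approved versus actual access rights (GTAG 3.5.1).

Added example, not from the GTAG. The identities, dates and entitlement
names are constructed; in practice the three inputs come from HR, the
entitlement repository (approvals and review dates) and the target systems.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Approval:
    entitlements: set       # access the identity was approved to hold
    last_reviewed: date     # date of the most recent entitlement review


def reconcile(hr_status, approved, actual, review_cutoff):
    """Sort identities into the outcomes a reconciliation can reveal.

    hr_status:     identity -> "active" | "terminated"   (HR system)
    approved:      identity -> Approval                  (entitlement repository)
    actual:        identity -> set of entitlements       (target systems)
    review_cutoff: an approval last reviewed before this date is overdue
    """
    out = {
        "matching": [],            # actual == approved and the review is current
        "review_overdue": [],      # approved, but not re-reviewed in time
        "mismatched": [],          # (identity, excess rights, missing rights)
        "terminated_present": [],  # HR says gone, identity still exists
        "never_provisioned": [],   # active person with no identity at all
    }
    for ident in sorted(set(hr_status) | set(approved) | set(actual)):
        have = actual.get(ident, set())
        appr = approved.get(ident)
        if hr_status.get(ident) == "terminated":
            if have or appr is not None:
                out["terminated_present"].append(ident)
            continue
        if appr is None and not have:
            out["never_provisioned"].append(ident)
            continue
        # An account with no approval record at all counts as entirely excess.
        want = appr.entitlements if appr else set()
        excess, missing = have - want, want - have
        flagged = False
        if excess or missing:
            out["mismatched"].append((ident, sorted(excess), sorted(missing)))
            flagged = True
        if appr is not None and appr.last_reviewed < review_cutoff:
            out["review_overdue"].append(ident)
            flagged = True
        if not flagged:
            out["matching"].append(ident)
    return out


def sample_run(today=date(2007, 11, 1)):
    """Constructed sample covering each outcome; returns reconcile()'s result."""
    cutoff = today - timedelta(days=365)   # reviews are expected at least annually
    hr = {"asmith": "active", "bjones": "active", "cwhite": "terminated",
          "dlee": "active", "efox": "active"}
    approved = {
        "asmith": Approval({"ERP.View", "ERP.Post"}, date(2007, 3, 15)),
        "bjones": Approval({"ERP.View"}, date(2006, 1, 10)),   # stale review
        "cwhite": Approval({"ERP.View"}, date(2007, 2, 1)),
        "dlee": Approval({"ERP.View"}, date(2007, 6, 1)),
    }
    actual = {
        "asmith": {"ERP.View", "ERP.Post"},
        "bjones": {"ERP.View"},
        "cwhite": {"ERP.View"},               # terminated, still on the system
        "dlee": {"ERP.View", "ERP.Admin"},    # holds an unapproved right
        # efox: active in HR but has no identity anywhere
    }
    return reconcile(hr, approved, actual, cutoff)


if __name__ == "__main__":
    for outcome, identities in sample_run().items():
        print(f"{outcome:20s} {identities}")
```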
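The review questions listed under 3.6.2 above, as a second added Python example that is not from the GTAG: each question becomes a check run over a few constructed application log lines; the log layout, user names, business hours and password-change threshold are assumptions.

```python
"""GTAG 3.6.2 review questions turned into checks over application access logs.

Added example, not from the GTAG. The log layout (timestamp user function
outcome), the user names, business hours and the password-change threshold
are constructed assumptions; adapt parse_log() to the real log format.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample log: one event per line.
SAMPLE_LOG = """\
2007-10-01T09:12:04 asmith ERP.View ALLOW
2007-10-01T09:15:30 asmith ERP.Post ALLOW
2007-10-01T22:47:11 bjones ERP.View ALLOW
2007-10-02T03:05:00 bjones ERP.Post DENY
2007-10-02T10:00:00 ghost ERP.View DENY
2007-10-02T10:30:00 asmith PASSWORD_CHANGE ALLOW
2007-10-03T10:31:00 asmith PASSWORD_CHANGE ALLOW
2007-10-04T10:32:00 asmith PASSWORD_CHANGE ALLOW
2007-10-05T11:00:00 bjones ERP.View ALLOW
2007-10-05T11:05:00 bjones ERP.Admin ALLOW
"""

# Approved entitlements per registered identity (from the entitlement repository).
APPROVED = {
    "asmith": {"ERP.View", "ERP.Post"},
    "bjones": {"ERP.View", "ERP.Report"},
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # local time, constructed
PASSWORD_CHANGE_LIMIT = 2                    # more changes than this in the excerpt is unusual


def parse_log(text):
    """Yield (timestamp, user, function, outcome) from the sample layout."""
    for line in text.splitlines():
        if line.strip():
            ts, user, func, outcome = line.split()
            yield datetime.fromisoformat(ts), user, func, outcome


def review(log_text, approved=APPROVED, hours=BUSINESS_HOURS,
           pw_limit=PASSWORD_CHANGE_LIMIT):
    """Answer the 3.6.2 questions for one log excerpt; returns a dict of findings."""
    off_hours = []        # successful access outside business hours
    unauthorized = []     # denied attempts, by registered or unregistered users
    unapproved_use = []   # an allowed function the repository never approved
    pw_changes = Counter()
    used = defaultdict(set)
    for ts, user, func, outcome in parse_log(log_text):
        if func == "PASSWORD_CHANGE":
            pw_changes[user] += 1
            continue
        if outcome != "ALLOW":
            kind = "registered" if user in approved else "unregistered"
            unauthorized.append((user, func, kind))
            continue
        used[user].add(func)
        if user in approved and func not in approved[user]:
            unapproved_use.append((user, func))
        if not hours[0] <= ts.time() < hours[1]:
            off_hours.append((user, func, ts.isoformat()))
    # Approved rights never exercised in the period: candidates for revocation.
    unused = {u: sorted(rights - used[u]) for u, rights in approved.items()
              if rights - used[u]}
    return {
        "off_hours": off_hours,
        "unauthorized": unauthorized,
        "unapproved_use": unapproved_use,
        "unused_rights": unused,
        "frequent_password_changes": sorted(u for u, n in pw_changes.items()
                                            if n > pw_limit),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(f"{finding:26s} {items}")
```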


These tools range from applications that can be installed and used easily by organizations with small IT departments (e.g., fewer than 10 individuals) to applications that require customization for use by organizations with large or global IT departments.

3.7.2 Pros and Cons of Technology Use

While the use of technology certainly facilitates IAM, there are advantages and disadvantages to its use. Advantages include:

• Faster response times.
• Easily retrievable evidence of activities.
• Automated workflows for approvals and communication.
• Better management of large data volumes.
• Ability to centrally administer and monitor systems.

Disadvantages include:

• Lack of ownership.
• Lack of understanding of how to use the tools.
• Tools that may not be suited to the organization's size or complexity.

3.7.3 How Is the Technology Used?

Technology can be used during the IAM process to replace manual activities or to compensate for IAM activities that are missing. Business management needs to understand the technology being used and why it is used, while IT should install and maintain the tools to support business needs.

Tools can be used to perform any of the following activities:

• Generate access request forms.
• Route access request forms to approvers.
• Perform a preliminary segregation of duties conflict review.
• Communicate the creation, change, and termination of identities.
• Perform authentication and authorization of identities to applications.
• Generate logs of identities and their use.
• Generate passwords.

3.7.4 Additional Concepts

Single Sign-on

There are many ways to perform authentication for an identity within an IAM system. Single sign-on is one automated means of authenticating an identity to all IT resources to which the identity has been granted access rights, without requiring the identity to provide more than one series of authenticating factors (i.e., a user ID and password).

Remote Sign-on

In many organizations, identities, particularly human ones, are granted access rights to authenticate themselves to the IT resources from outside the organization. This type of remote access and authentication can occur in many ways, some of which are more secure than others. Examples of these mechanisms are:

• Virtual private networks, which are connections of networked devices between the organization's offices and the remote identity's site.
• Web portals, which are connections through an Internet-based interface with the organization's offices.
• Dial-up modems, which are connections between the identity's site and the organization's site that use ordinary telephone lines, similar to placing a voice telephone call.

These remote connection types each have their own inherent advantages and disadvantages. For instance, access through a Web portal is the most universal in that it allows users to gain system access from nearly any system that has Internet access, yet it also puts proprietary or confidential information at risk of being compromised by the uncontrolled system on which the Web browser is located. Dial-up modems provide somewhat more secure, direct connections back to the internal network, but with substantially slower performance than other connection options that use high-speed Internet connections. These are just two examples of the many factors that need to be evaluated when determining which users should be allowed to remotely connect to the IT environment and through what methods.


    GTAG The Role of Internal Auditors

4. The Role of Internal Auditors

Internal auditors play an important role in helping organizations to develop effective IAM processes and monitor their implementation. Prior to conducting an IAM audit, auditors need to understand the organization's existing IAM structure, such as the company's business architecture and IAM policies, as well as the laws, regulations, and mandates with which compliance is necessary. When conducting the audit, internal auditors need to document the organization's identity and entitlement processes, as well as the repositories and the life cycle components for each, and evaluate existing IAM activity controls.

4.1 Current IAM Processes

The first step in the IAM process is to determine whether the company has an IAM program. This can be determined by asking the following questions:

• Are there policies in place for managing and administering user identities and access activities?
• Is there a strategy in place for addressing the risks associated with the IAM process?
• Is there a reference model the organization can use during the administration process?

When answering these questions, it is important to identify whether documentation already exists that addresses these issues to some degree.

In addition, when assessing a company's IAM posture, internal auditors need to identify certain key elements. The figure below (Figure 4) shows that these elements are not entirely centered in technology but include:

• Aligning business and management units.
• Understanding existing laws and regulations.
• Establishing budgets.
• Developing achievable implementation plans.
• Defining how technology can enable a more effective control environment.

4.1.1 Business Architecture

The IAM business architecture refers to the procedures and workflow logic that are implemented in conjunction with an IAM software product. Defining and documenting this architecture is a critical step toward managing current and future business risks. As shown in Figure 4, IAM is not strictly about the use of technical tools that enforce rules. Rather, it is process-oriented and varies substantially from one organization to the next. For instance, as with any business process, automated and manual controls can be used simultaneously. As a result, it is important that the organization understands the controls involved in the management of identity and access.

Figure 4. Process-oriented nature of IAM


Additionally, it is critical that the organization understands the roles and responsibilities of the individuals responsible for managing the control environment and maintaining the controls. Because many controls are automated or perform IT functions, management often assumes they are the responsibility of the IT department. However, business managers and data owners should be held responsible for the approval process.

Equally important is the commitment of senior management, in particular their understanding that IAM requires business leadership involvement to appropriately support companywide processes. For instance, if IAM is not given appropriate attention by senior management, the tone of the organization may not support IAM's importance.

4.1.2 Policies

Once the business architecture is documented, or at least understood within the organization, existing policies and procedures that support this architecture and govern access management need to be reviewed. While these policies are often high level and may describe an organization's commitment to securely managing information, it is equally important for standards, procedures, rules, and guidelines to support each policy. This set of documentation is often referred to as the corporate policy framework.

In addition, although the vernacular and type of documentation will be unique for each company, it is important that the policy framework provides sufficient information to all employees about how user identities and access rights are to be managed, reviewed, and approved. Furthermore, the policy framework needs to explain how new business processes, applications, systems, and data repositories can be configured to align with the policy framework, as well as to ensure the new policies do not expose the organization to excessive risk.

4.1.3 Laws, Regulations, and Mandates

It is important for the organization to maintain operational efficiency and to make sure appropriate processes are implemented that enable the business to comply with different national and local laws, regulations, and mandates. Simply understanding these laws and regulations is not enough; organizations need to determine how they apply to IAM processes as well.

In many cases, the types of data that can be collected and transferred across country borders are tightly defined. For instance, countries with data protection laws that must comply with the Directive on Data Protection may limit the kinds of employee information that can be transmitted to systems and administrators outside the user's home country. However, because this personal information may be needed to perform entitlement reviews that grant users access to systems hosted in other countries, legal procedures must be in place to respond to this and similar situations. As a result, when auditing the policy framework governing the organization's handling of personal information, a review process must be in place to determine if applicable laws are addressed properly.

4.1.4 Budget

Funding for IAM initiatives needs to address the implementation of new procedures and any supporting technologies, as well as ongoing operations based on new IAM processes. Significant time and funding may be required to bring about organizational change and implement any technology tools that support IAM. This funding can include hardware, software, and consultants or contractors to implement the technology. Once the technology has been deployed, ongoing funding is necessary for any license fees and internal or external support staff. Depending on the organization's budget cycle, a business case for IAM may need to be developed and introduced into the annual budget process.

4.1.5 Timeline

If there is an IAM program in place or under way, there should be an evaluation of its implementation timeline and alignment with the organization's program management reporting needs. If specific reporting requirements need to be met, it is important for these dates to be communicated and managed jointly by the IAM program and other program management offices. Additionally, any complex program is likely to encounter timeline-related issues. Reviewing these programs and their ability to manage schedule changes successfully enables the audit team to determine the likelihood that the project will successfully meet future target dates and milestones.

4.1.6 Business Requirements

Whether or not there is a formal IAM program in place, it is important that all systems have the ability to meet business performance requirements. If there is a program in place, a straightforward process for determining whether business stakeholder requirements were collected and reviewed needs to be operating before beginning the program's implementation. Depending on the program's current stage, the organization should be able to review whether existing systems provide the functionality required for the IAM program to operate effectively. If a formal IAM program is not in place, this may be more difficult. Business requirements may not be well documented or well known to the personnel managing the IT environment.

With the advent of Sarbanes-Oxley and similar regulations around the world, many organizations have instituted tighter controls over access administration processes. As a result, there should be guidance available within the organization regarding what is required to meet any regulatory requirements. Ultimately, all requirements should include the ability to answer these questions:

• Who has logical access to information?


• Is the level of access appropriate?
• Who approved the access?

4.2 Auditing IAM

Whether or not there is a defined program in place, internal auditors need to examine the identity and access management processes that exist within the organization.

4.2.1 Evaluation of IAM

Before developing an IAM audit approach or assisting with the creation of IAM processes, any existing identity management policies and procedures should be reviewed. Once current processes are identified, internal auditors can assist management by conducting a risk assessment that will enable the organization to develop an effective identity management process.

In addition to conducting a risk assessment, internal auditors can assist management or the identity management team in determining where new or additional team members should come from within the organization. Internal auditors can be valuable team members in this respect because they have visibility into all levels of the organization and understand what areas need to have a better identity management focus.

Document Identities

As part of the process, auditors need to clearly identify the different user identities that exist within the organization. (Refer to page 6 for a list of identity types.) Within each category of users, and in particular across complex organizations, several of these groups may have subgroups. Those most likely to have multiple subgroups include vendors and batch accounts.

Define Identity Life Cycle Components

Identity life cycle components include provisioning, administration, and enforcement. To define identity life cycle components, auditors need to determine the process, controls, and documentation that relate to the provisioning process. For example, if processes are manual, what orientation or training have administrators received? If processes are automated, is feedback generated to identify whether each process is working?

Determine Controls Within the Identity Life Cycle Process

As with any process, it is critical to identify the controls that affect it. Within the identity life cycle process, several key control areas exist that need to be reviewed. Controls can include approval processes for creating identities, access revocation processes, entitlement reviews, and access logging.

Before an identity is created, someone in the organization must approve it. For instance, a manager is likely to approve the hiring of a new employee. This hiring manager will work with human resources to help establish the person's identity in the system. This process typically includes collecting various pieces of personal information, determining whether the person has previously worked for the company, and eventually creating computer accounts for the person. Each step in this process needs to be reviewed to determine that there are appropriate controls throughout the identity life cycle, since the creation of identities must be controlled to prevent the introduction of unknown users into the environment.

Furthermore, the organization needs to properly deactivate or remove user identities that are no longer needed. Hence, policies need to clearly identify what needs to happen when people leave the organization. Reviews also need to be conducted to confirm that the appropriate action took place.

Determine Identity Repositories

To identify repositories, auditors need to determine where information about the identities is stored. This will typically include areas such as human resources, contractor database repositories, outsourced service provider databases, and external sales force databases.

For nonperson accounts, including system accounts, the information about how they are created, who has access to them, and what information about them is stored and maintained may be more difficult to document. Regardless, there should be a methodology in place for documenting the account types that are in use.

Document Controls for Identity Repositories

Once identity repositories are identified, the controls used to protect the data residing in the repositories need to be evaluated. This task will require several detailed reviews encompassing multiple controls. However, the reviews can be conducted like more traditional system, database, and application reviews. For instance:

• Are the machines that are storing the information secured?
• By what standards are they secured?
• Does the organization maintain standards on how to manage and operate these systems?
• Are the systems subject to the same standards as financial applications in general?
• Is access to the IAM systems, tools, and data repositories managed through the IAM system or through other means?

4.2.2 Evaluating Entitlement Management

Document Entitlements

Effective entitlement management processes necessitate documentation of the entitlements that are granted to users of platforms, applications, and roles within applications, among others. As part of their role, auditors need to determine how entitlements are grouped together and what permissions


entitlement repository accurately reflects the entitlements that are already in place. Frequently, there will be discrepancies between what is and what should be. Thus, determining where the weaknesses occurred can be challenging.

As with the identity repository information, all standard system, database, and application security standards need to be reviewed. Reviews of machine configurations should be conducted like any other configuration review, just as in the review of controls for identity repositories.

Identify How Reconciliation and Oversight Are Performed

The primary function of reconciliation is to verify that actual access aligns with approved access, as previously described. Many organizations have implemented specific processes for access review and reconciliation. The following three questions address several key elements within the process that should be reviewed:

1) Does repeatable and reliable reconciliation occur?

Auditors should review the performance of reconciliation processes to determine if they are sustainable and repeatable. In addition, auditors should review these processes to determine their reliability; that is, is the process actually generating measurable improvement in the state of logical access control?

Simply reviewing the logical access and stating that it is appropriate is not enough. Many large organizations have encountered the "rubber stamp" review, in which the person responsible for performing the review stamps an approval on the entitlement report because of the person's inability to deal with the number of users he or she is responsible for reviewing.

Because the review process could be thought of as a form of identification validation, the person performing the review should have some knowledge of the person for whom they are vouching (i.e., to state that an individual needs to have access to an application). If the process is such that the individuals validating access cannot possibly know all the users, the process needs to be made more effective. One possibility in this situation is to have lower-level managers conduct the reviews of their direct reports, rather than having a more senior individual review those with whom he or she rarely interacts.

    2) h e elas ?Many organizations perform reconciliation reviews twicea year. However, once automation is involved, the processcould be performed almost daily with any exceptions beingautomatically repaired or reported to the individuals respon-sible for managing access.

    3) h ae elas ale?To answer this question, auditors could ask the following:

    users, IT devices, service accounts, machine accounts, andbatch accounts have.

    Document Entitlement Life Cycle

    Auditors need to determine and document any differencesbetween the entitlement life cycle and the identity life cycle.Typically, the following major steps need to be identified insome form: entitlement creation, entitlement assignment,and entitlement removal.

    In addition, auditors should keep in mind that large IAMprograms may have processes established for creating newentitlements, grouping them together, and assigning them toeither people or roles within the organization, while smallerorganizations may use paper forms or spreadsheets to requestand track access. Regardless of the method used, someone inthe organization needs to approve access and make sure that

    access is granted on the system or application.

    Determine Entitlement Life Cycle Controls

    Access approval is one of the key controls within the enti-tlement management life cycle. This process needs to beconsidered carefully based on the nature of the organization.For instance, in smaller companies, granting access rightsis frequently a straightforward decision. In larger organiza-tions, however, it can be difficult to determine what access aperson really needs to do his or her job. Furthermore, due tothe complex reporting and management structure of manyorganizations, it may be hard for the designated approver toknow the kind of access a person requires to perform a partic-

    ular job function. Finally, controls need to be in place toensure that systems are configured only after an appropriateapproval is received.

    Determine Entitlement Repositories

    Entitlement repositories have a variety of enforcement mech-anisms that need to be configured appropriately. To this end,many applications are capable of independently managingentitlements. This activity frequently includes performanceof authentication and authorization functions. For example,applications may leverage a central authentication mechanism,such as a directory, or a central authorization mechanism, suchas a portal or Web access management technology.

    Many business processes depend on multiple applica-tions and use multiple mechanisms for authentication andauthorization enforcement. Regardless of which entitle-ment mechanism is used, auditors need to identify where theentitlement information is stored and how the entitlementinformation is managed.

    Document Controls for Entitlement Repositories

    The most important aspect that must be reviewed whendocumenting controls for entitlement repositories is whetherthe audited system contains the appropriate entitlements.For instance, auditors need to determine whether the

  • 7/31/2019 Ident Access Mgmt

    20/3216

    GTAG The Role of Internal Auditors

    What happens when a reconciliation event occurs(i.e, what happens when what is does not match whatshould be)?Is the event simply logged for later review?Do the systems automatically reconfigure to alignwith what should be?What steps are taken to identify the root cause of theproblem?Is the event only a technology problem or did someonemake an unauthorized change to a system?
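The reconciliation questions above, worked as an added example that is not from the guide: a small Python reconciliation pass compares actual entitlements read from a system with approved access and classifies each discrepancy as a reconciliation event (an orphan account of a leaver or of an owner with no identity on record, unapproved access with a provisioning-ticket hint toward the root cause, approved access that was never provisioned, and a segregation of duties conflict). All identities, systems, entitlements, ticket numbers and the SoD rule are constructed sample data.

```python
# Added example (not from the guide): reconcile "what is" (entitlements read
# from a system) against "what should be" (approved access) and classify each
# gap as a reconciliation event. All names, tickets and rules are constructed.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Grant = Tuple[str, str, str]  # (identity, system, entitlement)

# Constructed identity repository feed: identity -> (account type, status)
IDENTITIES: Dict[str, Tuple[str, str]] = {
    "alice": ("person", "active"),
    "bob": ("person", "terminated"),       # offboarded; access should be gone
    "carol": ("person", "active"),
    "svc-batch": ("nonperson", "active"),  # batch account
}
# Constructed approved access (request forms / role assignments). Carol's
# grant is approved but, below, never made it onto the system.
APPROVED: Set[Grant] = {
    ("alice", "erp", "ap_invoice_entry"),
    ("carol", "erp", "ap_payment_approve"),
    ("svc-batch", "erp", "batch_runner"),
}
# Constructed provisioning tickets: grants that went through the process
TICKETS: Dict[Grant, str] = {
    ("alice", "erp", "ap_invoice_entry"): "CHG-1001",
    ("alice", "erp", "ap_payment_approve"): "CHG-1042",  # ticketed, not approved
}
# Constructed "actual" entitlements read from the system's security tables
ACTUAL: Set[Grant] = {
    ("alice", "erp", "ap_invoice_entry"),
    ("alice", "erp", "ap_payment_approve"),  # unapproved, toxic with entry
    ("bob", "erp", "ap_invoice_entry"),      # owner left, account persisted
    ("ghost-admin", "erp", "erp_admin"),     # no identity on record at all
    ("svc-batch", "erp", "batch_runner"),
    ("svc-batch", "erp", "erp_admin"),       # privileged, no approval, no ticket
}
# Toxic combinations an approver should recognize (segregation of duties)
SOD_RULES: List[FrozenSet[str]] = [frozenset({"ap_invoice_entry", "ap_payment_approve"})]


@dataclass(frozen=True, order=True)
class ReconEvent:
    kind: str  # orphan_account | unapproved_access | missing_access | sod_conflict
    identity: str
    system: str
    entitlement: str
    detail: str


def reconcile(identities: Dict[str, Tuple[str, str]], approved: Set[Grant],
              actual: Set[Grant], tickets: Dict[Grant, str],
              sod_rules: List[FrozenSet[str]]) -> List[ReconEvent]:
    """Return every discrepancy between actual and approved access, sorted."""
    events: List[ReconEvent] = []
    for grant in actual:
        ident, system, ent = grant
        status = identities.get(ident, ("unknown", "no identity on record"))[1]
        if status != "active":
            # Leaver or unknown owner: revoke first; approval state is moot.
            events.append(ReconEvent("orphan_account", ident, system, ent,
                                     f"identity status: {status}; revoke access"))
        elif grant not in approved:
            # Root-cause hint: a ticket means the approval step failed; no ticket
            # points at a change made outside the provisioning process.
            ticket = tickets.get(grant)
            detail = (f"provisioned under {ticket} with no approval on file" if ticket
                      else "no provisioning ticket: possible out-of-process change")
            events.append(ReconEvent("unapproved_access", ident, system, ent, detail))
    for ident, system, ent in approved - actual:
        events.append(ReconEvent("missing_access", ident, system, ent,
                                 "approved but absent from the system"))
    # Segregation of duties: check everything one identity holds on one system.
    held: Dict[Tuple[str, str], Set[str]] = {}
    for ident, system, ent in actual:
        held.setdefault((ident, system), set()).add(ent)
    for (ident, system), ents in held.items():
        for rule in sod_rules:
            if rule <= ents:
                events.append(ReconEvent("sod_conflict", ident, system, "+".join(sorted(rule)),
                                         "toxic combination held by one identity"))
    return sorted(events)


def summarize(events: List[ReconEvent]) -> Dict[str, int]:
    # Count of events per kind: the figure a reconciliation report leads with.
    return dict(Counter(e.kind for e in events))
```

Running `reconcile` on the sample data yields two orphan accounts, two unapproved grants (one with a ticket, one without), one approved-but-missing grant and one SoD conflict; a daily run with an empty result is the "what is equals what should be" state the text describes.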

Appendix A: IAM Review Checklist

When auditing identity and access management (IAM), breaking down the information into three topic areas (administration, provisioning, and enforcement) allows a full review of the environment while enabling certain key questions to be answered. The following checklist is a high-level overview and is not intended to be a comprehensive audit program or address all IAM-related risks.

Topic areas:

• Administration: What is in place to develop and maintain an appropriate IAM strategy, policies, procedures, and ongoing operations?
• Provisioning: How is access granted, monitored, and removed within the environment?
• Enforcement: Are appropriate measures in place to deter, prevent, and detect attempts at evading IAM processes?

    Audit Question/Topic Status

1.1 Is there an IAM strategy in place?

A critical element for an effective IAM process is the presence of a consistent approach to manage the supporting information technology (IT) infrastructure. Having a cohesive strategy across the organization will enable all departments to manage people, their identities, and the access they need using similar processes, if not necessarily with the same technology.

• Inquire about current IAM strategies in the organization.
• If they exist, determine how and by whom they are managed.

1.2 Are the risks associated with the IAM process well understood by management and the relevant individuals? Are the risks addressed by the strategy?

Simply having a strategy does not ensure it covers all the risks that IAM may present. It is important that the strategy contains elements that identify all relevant risks.

• Determine whether a risk assessment of established IAM processes was conducted.
• Determine how risks are identified and addressed.

1.3 Is the organization creating and managing an IAM process only to satisfy regulations?

It is critical that IAM processes are integrated with broader business issues and strategies. There are numerous benefits to having a robust IAM environment, such as having a better internal control environment.

• Determine the needs of the organization with respect to IAM.
• Determine whether the IAM processes extend into the organization or just meet an external third-party requirement.

1.4 Are the regulations governing the organization well understood?

New regulations are being created, and for large multinational organizations, it can be difficult to identify all of the regulatory requirements with which the organization must comply.

• How does the organization determine the regulatory requirements it must meet?
• How does the organization remain current with these regulations?
• How does the organization capture, store, and retrieve this information?

1.5 Are there defined rules in place to appropriately manage issues related to segregation of duties?

While many areas of the business have defined rules to manage issues with segregation of duties, these typically are not well documented or understood. The main question to ask is whether or not managers and other personnel responsible for approving access are capable of recognizing when a segregation of duties weakness occurs.

• Are segregation of duty conflicts identified within IAM processes?
• How are these conflicts dealt with? Who deals with them?
• Are there mechanisms in place to capture or identify these conflicts before access is granted?

1.6 Is the IAM environment centralized or distributed appropriately to reflect the size of the organization?

An ideal technical situation would be to have a single software solution with consistent processes clearly documented and managed through a single implementation tool. However, due to the challenges associated with legacy system integration and the modification of processes used to grant approvals, these technologies have not lived up to their potential.

• If multiple IAM solutions exist, how are they managed to identify, prevent, or detect unauthorized or unnecessary permissions granted to users?

1.7 How are password policies established, and how are they used throughout the organization?

Policies that govern IAM processes are critical components of any effective solution. Therefore, it is important to understand how the policies are established, how they are communicated, and how the technology elements of the environment support their compliance.

• What password parameters have been established for companywide applications?
• Are they consistently applied?
• How are changes to these parameters controlled?

2.1 Does the organization have consistent processes for managing system access?

Several provisioning aspects elicit questions. These questions, which need to be asked and ultimately answered, relate to individuals' knowledge of processes, any documentation produced, and adherence to specified processes.

• Determine whether IAM-related policies and procedures exist in the organization.
• Determine whether the policies and procedures have been communicated to the appropriate individuals in the organization.

2.2 Can auditors uniquely identify the individuals who are granted access to the organization's systems based on the sign-on credentials they are assigned?

A critical element within the provisioning process is the ability to successfully identify the people for whom access is managed.

• Are unique identifiers in place for users of IT resources?
• How are these identifiers tracked and recorded?

2.3 Is employee productivity negatively affected because it is difficult to gain and maintain system access?

As noted, key drivers of IAM system adoption are the regulatory requirements that call for better controls. There are clear benefits to implementing these types of systems. However, the manual processes that typically are employed to manage access are incapable of providing ready access to these systems.

• How is the IAM process managed in the organization?
• Are there benefits to having part of the IAM process become self-sufficient for users (e.g., password resets, use of a help desk application versus a call-in number)?

2.4 Who should approve access for a user in the environment?

This is an important question that must be answered. Another is whether there should be multiple people involved in the approval granting process.

• Determine the methods used to approve user access requests.
• Determine whether the approval rests with the business unit or IT department.
• Determine how segregation of duty conflicts are approved.

2.5 Can the organization demonstrate that only appropriate people have access?

This is a critical question for an auditor to answer. However, demonstrating that the organization has control of user access can be difficult.

• How often does the organization review the access granted to its users?
• If a review is performed, how is inappropriate access identified, logged, and addressed?

2.6 Are there appropriate controls in place to prevent people from adding access to systems and applications outside the approved process?

Having a process in place to manage identities and access to systems and applications sounds like an ideal situation. However, how can organizations ensure that people are not circumventing the process and adding their own accounts or the accounts of others without proper authorization or adherence to defined processes?

• Determine who in the organization has the ability to add, modify, or delete users from the applications used in the environment.
• Determine whether there is a periodic review of users that traces their access permissions to access request forms.

2.7 When people leave the organization, is the account and system access they have revoked in a timely manner?

One of the main findings in IAM audits is persistence of accounts that retain access long after the account owners leave the organization. The challenge relates to identifying all access associated with a specific user.

• Does the organization have a process in place to deactivate or delete user access permissions when they are no longer needed?
• How does the organization ensure that all account names associated with a particular individual were deactivated or deleted?

2.8 What does the organization do with respect to nonperson accounts?

Nonperson accounts are challenging for several reasons, not the least of which is determining the controls associated with these types of accounts.

• What functions does the account perform?
• Does the account need to exist and be active?
• Who has access to the account?
• Is there a shared password for the account?
• How many people know the password?
• How do you maintain accountability for actions performed by the account?

2.9 What does the organization do with respect to privileged accounts?

Privileged accounts provide a unique set of challenges. These accounts are required to manage the environment and to provide consistent, timely, and high-quality support. However, privileged accounts also have the capability to circumvent many of the controls that are put in place to manage access for typical accounts.

• Determine the individuals in the organization who possess privileged access permissions to the applications used in the organization.
• How are the privileged access permissions requested, approved, and granted to these individuals?
• How often are granted access permissions reviewed?

3.1 How strong are the controls in place to prevent people from bypassing authentication and authorization controls?

One of the pressing challenges for applications is the enforcement of access and how the individual applications manage authentication and authorization.

• Determine the means of authentication in use for existing applications.
• Determine whether the means of authentication present opportunities for users to circumvent the authentication process (e.g., weak or saved passwords).

3.2 Is there an approach for applications to enforce access?

IT leadership must define how this issue will be managed and how systems will enforce the decisions that are made.

• Are passwords synchronized among the applications used in the organization?
• How are synchronization mechanisms managed, if they are used at all?
• Without synchronization, what mechanisms are in place to prevent users from accessing applications to which they are not granted access?

3.3 How is activity logged, collected, and reviewed?

It is important to understand what types of events are logged, where they are captured, and how frequently they are reviewed.

• Determine whether the organization uses event logging with respect to IAM.
• If event logs are used, determine when and how they are reviewed.
• If logs are reviewed and discrepancies are discovered, how are these items resolved?


    Appendix B: Additional Information

Additional information can be obtained from the following external resources:

• Canaudit, www.canaudit.com.
• Chief Information Officer (CIO) magazine, www.cio.com.
• Chief Security Officer (CSO) magazine, www.csoonline.com.
• Control Objectives for Information and related Technology (CobiT), www.isaca.org/cobit.
• Federal Financial Institutions Examination Council (FFIEC), www.ffiec.gov.
• IBM Corp., www.ibm.com/software/tivoli.
• ISACA, www.isaca.org.
• The Institute of Internal Auditors, www.theiia.org.
• Microsoft Corp., www.microsoft.com/technet/security/guidance/identitymanagement.
• Oracle, www.oracle.com/products/middleware/identity-management/identity-management.html.
• Public Company Accounting Oversight Board (PCAOB), www.pcaobus.org.
• SysAdmin, Audit, Network, Security (SANS) Institute, www.sans.org.

Glossary

Access(es): The right or permission that is granted to an identity. These informational access rights can be granted to allow users to perform transactional functions at various levels.

Authentication: A process for attempting to verify an identity against values in an identity repository. It is a way to validate that users are who they claim to be.

Authorization: A process for determining what types of activities are permitted. Ordinarily, once a user has been authenticated, he or she may be authorized to perform different types of activity or granted certain access rights.

Entitlement: Access to specific functionality in a system or application that is granted to a specific user. Most individuals in an organization have multiple entitlements granted for access to multiple systems.

Identity: A unique sequence or set of characteristics that uniquely identifies an individual.

Identity and access management (IAM) repository: A data storage facility that houses all of the current and historical data for the IAM system.

IAM system: A system consisting of one or more subsystems and components that facilitates the establishment, management, and revocation of identities and accesses to resources.

Life cycle event: An event that occurs during a user's life cycle, which may trigger an IAM system process (e.g., termination or transfer).

Offboarding: The process through which an individual leaves a role as an employee or contractor for the organization, returns any physical assets assigned to him or her, has physical access rights revoked, and has logical (i.e., application and system) access rights terminated.

Onboarding: The process for identifying an individual to bring into an organization as an employee or contractor; providing the individual with the tools necessary to perform his or her job; and creating an identity, accounts, and access appropriate for his or her duties.

Provisioning: The process used to create identity, associate identities with access, and configure the systems appropriately.

Resource: An object in the IAM system that can be requested by a user, including an application, a component of the technology infrastructure (e.g., system), or a specific access or entitlement (e.g., group or profile).

Security model: A security rule within an application that connects the lowest level of security (i.e., security setting) to the highest level of security (i.e., security groups). Security groups are assigned to users.

Segregation of duties: A control mechanism whereby a process is broken into its constituent components and the responsibility for executing each component is divided among different individuals. Segregation of duties segments the process so that no individual has an excessive ability to execute transactions or unilaterally cover irregularities without detection.

Sensitive entitlement: A resource or access identified to potentially present a level of security risk to the organization if or when provisioned. Examples include special authorities, domain administrator groups, and access to the root account.

Transfer: A life cycle event whereby a user changes job responsibilities or functions.

User ID: An identifier or login ID on a specific resource used to manage access to that resource.

About the Authors

Frank Bresz, CISSP

Frank Bresz is an executive director in the Ernst & Young financial services office, where he is responsible for information systems security strategy and strategic program operations. Bresz has worked with clients to develop their information security programs and has focused on aligning the security program's vision with existing and pending regulations. Bresz has more than 22 years of experience in information security and data center operations and has a strong background in developing large identity and access management (IAM) programs as part of broader information security initiatives. Prior to working with Ernst & Young, he was responsible for information technology (IT) management for 10 years and has worked extensively with Sybase in developing Web-based applications.

Bresz received his bachelor's degree in computer science from the University of Pittsburgh. He is a certified information systems security professional.

Sajay Rai, CISSP, CISM

Sajay Rai is a partner in Ernst & Young's risk advisory services practice. He has more than 30 years of experience in IT, specifically in the information security, business continuity, and risk management disciplines. Rai previously worked with IBM as a managing director of the national business continuity and contingency consulting practice. He was instrumental in starting the company's information security consulting practice and managing its IT consulting practice in Latin America.

Rai co-authored a recently published book, Defending the Digital Frontier: A Security Agenda, which guides business and IT executives on how to develop an effective and efficient information security program. He has been named in the Crain's Cleveland Business Who's Who in Technology.

Rai has a master's degree in information management from Washington University and a bachelor's degree in computer science from Fontbonne College. He is a certified information systems security professional and a certified information security manager.

Tim Renshaw, CISSP

Tim Renshaw is a senior advisor in the Ernst & Young financial services office. He has experience in program management and IT within the financial services and pharmaceutical industries. Renshaw has developed IAM implementation strategies for several global financial services institutions and has worked with clients in the financial services industry to develop risk self-assessment programs and information security strategic plans. In addition, he has established and operated IT program management offices, performed independent reviews of enterprisewide technology implementation projects, and supported business process re-engineering initiatives.

Renshaw received a bachelor's degree in information systems and in economics from Carnegie Mellon University. He is a certified information systems security professional.

Jeffrey Rozek, CISSP

Jeffrey Rozek is a senior manager in Ernst & Young's global risk advisory services practice, where he specifically focuses on information security. He has nearly 15 years of information systems and security experience in the financial services, telecommunications, manufacturing, and utilities industries. Rozek has led numerous security projects, including large, multinational, and multi-language implementations, and has concentrated on providing access control, authentication, and authorization solutions. He has worked with a number of Fortune 100 companies in assessing and developing their overall security and risk frameworks and maturity models, and also has assisted clients in architecting, designing, and deploying technical security architectures.

Rozek has a bachelor's degree in accounting from John Carroll University and is a certified information systems security professional.

Reviewers

The IIA thanks the following individuals and organizations who provided valuable comments and added great value to this guide:

• Ken Askelson, JCPenney, USA.
• Lily Bi, The IIA.
• Lawrence P. Brown, The Options Clearing Corp., USA.
• Tim Carless, Chrysler Financial, USA.
• Christopher Fox, ASA, eDelta, New York, USA.
• Nelson Gibbs, Deloitte & Touche LLP, USA.
• Steve Hunt, Enterprise Controls Consulting LP, USA.
• Stuart McCubbrey, General Motors Corp., USA.
• Heriot Prentice, The IIA.
• James M. Reinhard, Simon Property Group Inc., USA.
• Paula Stockwell, IBM Corp., USA.
• Jay R. Taylor, General Motors Corp., USA.
• Hajime Yoshitake, Nihon Unisy

