1. Lynnette Richmann PartnerInformation Technology Advisory Services August 12, 2008 G O V E R N M E N TK P M G L L PInformation Security Governance: Managing Risk and Access to States' Critical Assets

2. Risk Management

New & Emerging Threats

Compliance Challenges

Foreign National Threats

US Federal Government Requirements

Integration with ERM Initiatives

Risk Management vs. Risk Elimination

Evaluation & Prioritization of Risks

GRC Solutions

Business Enablement

Changing and Dynamic Business Needs

Mergers, Globalization, Sourcing

Customer and Business Self-Service

Increased Data Portability & Exchange

Reliance on Third Parties

Integrity of Key Business Information

Operational Excellence

Improved Governance Models & Structures

Improved Budgeting

Team Structure and Sizing

Service Level Levels/Management

Executive Reporting & Metrics

Managed Security Services

How to provide more value with limited resources?

Technical Architecture

Changing view of perimeters

Identity and Access Platforms & Needs

Security Event Monitoring & Management

Data Centric Security Models & Leakage Protection

Service Oriented Architectures

Highly Available Infrastructures

Security Program Management

Information Security Agenda 3. The Goal A Balanced Approach Value Creation Value Preservation

Security as enabler to business

Alignment with business needs

Operational benefits

Solid risk management

The right control in the right place

Understanding regulations

Driving down cost of compliance

Information Protection Supports:

Better business decisions

Brand and reputation

Business Initiatives

Business Performance Risk Management 4. What is Information Protection?

Security Risk Assessment

Compliance and Risk Management

Legal and Discovery Efforts

Data Privacy and Identity Theft

Security Operations & Metrics

Business/Technology Resiliency

Third-Party Management

Security Breach Notification

Training and Awareness

Managing Internal/External Identities

DEFINITION: An implemented, understood and measured program of policies, procedures and controls thathelp to consistently achieve compliance, regulatory, legal and business mandates. 5.

Organizations are faced with new, updated, and changing regulatory landscape.Some the highlights include:

Privacy Notification Laws

• 39+ States have privacy notification laws (including GA, FL, LA, TN, NC); Others have security & Identity Theft laws

• Potential for Federal Privacy Standards

NERC Cyber Security & Reliability Standards (CIP002- CIP009)

• Increased scrutiny and formalization of penalties (risk & severity)

• NOPR released in July may have more stringent implications

HSPD - 12

• Security requirements for Federal Government Agencies

FISMA

• Security requirements for companies or organizations serving US Government

HIPAA

• Healthcare information security and privacy rules

PCI-DSS Standards for Credit Card Security

• Any business who accepts credit card payments are subject to PCI assessments

Sarbanes Oxley - Section 404

• Many non-public entities are choosing to adopt Sarbanes-Oxley internal control principles

A Cavalcade of Regulations 6.

Information Governance

Goals:

Establish responsibility, policy, procedures & controls

Trends:

Focus on Data Classification, Risk Assessments, Data Ownership

Data portability risks

Unstructured data is a problem

Increased focus on operational data (vs PII & financial)

Strong linkage to storage

Building Blocks Key Elements

Unified Approach to Security & Compliance

Goals:

Bring multiple compliance teams together, reduce effort, balance business objectives

Trends:

Focus on Risk Management, Critical Business Information and Business Processes

Consistent approach to governance, planning, testing

Leverage standards (CObIT, ISO27001, ITIL)

Prioritize key areas of compliance focus (Identity, Access, Change Mgmt, Logging/Monitoring, Governance)

Access Control and Identity Management

Goals:

Control and knowwhohas access towhatandwhy

Trends:

High priority in tools for provisioning and de-provisioning users

Focus on Role-Management and Segregation of Duties

Uniquely identifying privileged access users

Regular certification of user access

Improved logging and monitoring

Logging and Monitoring

Goals:

Formalized, proactive monitoring across applications, OS, Databases, Networks

Trends :

Prioritization to critical processes and transactions

Log standardization

Use of filters or analytical tools

Intelligent storing and rotation of logs

7. Typical Business Environment Today

How do you manage and control who has access to what in an efficient and effective way?

System administrators Outstanding audit issues Internal Controls BusinessManagers Short user life cycles Immediate access requirements Segregation of duties Employees Suppliers Citizens Third parties SAP PeopleSoft Windows Employee self service Consolidation Security administrators Mainframe SSO Provisioning Data protection acts FIPS 201 Privacy legislation Federal, State, Local Agencies HSPD-12 FISM Business Partners Web Portals Business Applications 1,000+ users 100+applications 100,000+possiblefunctions 8. IAM Lifecycle Compliance Relationship Begins Identity Lifecycle New project Change locations, roles, etc Forget password Provisioning Authorization Self Service Password Management De-Provisioning Authentication Relationship Ends 9. IAM Capability Stack IAM Maturity Decentralized Administration Centralized Administration Centralized Management Enterprise Administration Enterprise Management Integration of Controlled Systems Password Management Access & Authorization Management Provisioning Automation Advanced Auditing Distributed Administration Advanced Authorization Management(Role-Based Access) Capabilities/Complexity IAM Capabilities 10. Key Business and Enablement Drivers (i)

Five (5) Key Business and Enablement Drivers:

• Regulatory Compliance

• IT Risk Management

• Operational Efficiency

• Cost Containment

• Business Facilitation

11. Benefits of an IAM solution

Centralizes processesin a single trusted identity-aware system

Eases administrationof identities with automation & delegation

Automates & streamlines application provisioningwith workflows

Centralizes access controlwith policies and enforcement

Improves Authenticationwith Password Management

Supports Compliancewith stronger controls, auditing & reporting

Enhances user-experience & reduces lost productivitywith Single sign-on & User self-service

12. Q6. What are the top three most important business reasons your enterprise installed an IAM initiative? (Choose up to 3 items) Multiple Responses Allowed Among Those Who Have implemented An Automated IAM Process Key Drivers For Implementation 13.

Comprehensive vision, strategy, and roadmap and level of executive sponsorship most important factors related to IAM initiative

Key Findings What Worked? 67% Accuracy of initial project scope 67% Level of stakeholder expectations 67% The IAM technology tool 76% Level of executive sponsorship 73% Project Management % Rating4-5Success Factors 61% Accuracy of Initial project budget 76% Comprehensiveness of IAM vision, strategy, and roadmap 14. Appendix Additional Reference Slides 15.

Information Governance (or Information Management) is an increasing priority for most entities, including State and Local Government.The goal of most Information Governance programs focus on:

• Establishing governance (responsibility, policy, procedures) for organizational Information & Data

• Identifying and prioritizing critical Information Assets

• Developing and Implementing appropriate controls for the Information Assets

Some of the trends in Information Governance we have identified include:

• More focus on Data Classification and Risk Assessments

• • Data ownership is still a tug-of-war between Business and IT

• Increased data portability risks are increasing exponentially

• • Data Leakage tools and processes are starting to mature

• Unstructured data is still a problem for most organizations

• Increased focus on Operational Data rather than just privacy or financial driven information

• Strong linkage to Storage projects and planning

Information Governance 16.

Inconsistent standards and compliance approaches have created inefficiencies including:

• Multiple compliance teams working in silos across the organization

• Process Owners losing productivity due to multiple audit requirements

• More focus on compliance rather than business improvement

• Tactical response to audit findings rather than root cause

Some leading practices have emerged with demonstrable benefits to the compliance efforts:

• Strong focus on Risk Management and assessment of Critical Business Information and Business Processes

• Linking multiple compliance efforts into a more unified approach including consistent governance, planning, and testing

• Leverage well known standards (CObIT, ISO27001, ITIL) to drive organizational improvements rather than silo-ed compliance standards

• Prioritize focus on key areas of compliance focus (Identity Management & Access Control, Change Management, Logging & Monitoring, and Information Governance)

Unified Approach to Security & Compliance 17.

Focus on Access Control and Identity Management will continue to be a priority requirement, consistent across all regulations

• Who is accessing systems and applications?

• What data/information do they have access to?

• Is it appropriate for their job/position?

Some trends include:

• A priority remains the process and technology for provisioning and de-provisioning of users (employees, contractors, customers)

• • Slightly less than previous years

• Focus on Role-Management to identify inconsistencies across the enterprise

• Segregation of Duties analysis is growing concern

• Uniquely identifying privileged access users and system accounts

• Regular certification of user access

• Improved logging and monitoring of sensitive transactions or access

Access Control & Identity Management 18.

Logging and monitoring requirements are becoming for formalized, with a stronger focus on proactive monitoring of logs, looking for potential incidents or issues.This is complicated by:

• Multiple sets of logs (Application, OS, Database, Network)

• Volume of data

• Performance issues

Some trends regarding logging and monitoring include:

• Prioritization of logging and monitoring to critical processes and transactions

• Log standardization including format, configurations, and time synchronization

• Using filters or analytical tools to facilitate proactive monitoring

• More intelligent storing and rotation of logs

Logging & Monitoring 19. Key Business and Enablement Drivers

Centralized group/role based security infrastructure allows for quick integration of many users

User management functions standardized to meet specifications identified by corporate governance

Seamless and consistent integration of security and personalization for portal environments

User self-service for changes to personal and basic security information

Integration of large numbers of users

Poor customer on-boarding processes

Inconsistent customer experience

No standardization of basic provisioning and de-provisioning processes

User complaints of red tape when making changes to personal information

Business Facilitation

Reduce / prevent fraud

Increased segregation of duties (SOD)

Better enforcement of policy

Alignment of financial system access

Diverse security postures

Increased likelihood of fraud

Increased security risk

Reducing Risk

Streamlined application provisioning

Reduction in audit time

Reduced Costs, Resources

Reduced Licensing Fees

Quicker go-live for new applications

Administrative costs of employee and contractor user profiles

Infrastructure Upgrades

Applications Architecture Upgrades

Consolidation of IT

Cost Containment

Consistent security

Quicker re-branding of services

Quicker integration of new users

Reduced lost productivity

Improved workflow

Departmental consolidation

Diverse business mixes

Outsourcing / off-shoring

Business process improvement

Administrative process improvement

Operational Efficiency

Compliance automation

Improved monitoring

Flexibility to adapt to new regulations

Improved reporting

Increased reliance by external entities

Privacy Legislation

HSPD 12

FISM

FIPS 201

HIPAA

Improving Regulatory Compliance I&AM Value Proposition Pressures Driver 20. Identity & Access Management

Data Management

• Processes and technologies that enable the management of a user identities

Provisioning

• Propagation of identity and authorization data and policies to IT resources

User Management

• Activities for effectively governing and managing the lifecycle of identities

Authentication Management

• Governing and determining that an entity is who or what they claim to be

Authorization Management

• Governing and determining what resources an entity is permitted to access

Access Management

• Enforcing policies for access to information or resources

Governance

• Consistent policies, processes, organizational structures and decision rights

Identity

• The identifier and attributes for an entity (person, organization, device, resource, or service)

Monitoring and Audit

• Monitoring, auditing and reporting compliance of users access to resources based on the defined policies and requirements

Agility

• The ability to adapt to the changing user environment

Policies, processes and systems for effectively governing and managing who has access to what is within an organization. ProvisioningData ManagementIdentity Monitoring and Reporting Governance Agility Audit and Compliance Authentication Management Management User Access Management Authorization Management