1. Information Security Governance: Managing Risk and Access to States' Critical Assets
Lynnette Richmann, Partner, Information Technology Advisory Services, KPMG LLP (Government)
August 12, 2008
2. Information Security Agenda
Risk Management
- US Federal Government Requirements
- Integration with ERM Initiatives
- Risk Management vs. Risk Elimination
- Evaluation & Prioritization of Risks
Business Enablement
- Changing and Dynamic Business Needs
- Mergers, Globalization, Sourcing
- Customer and Business Self-Service
- Increased Data Portability & Exchange
- Reliance on Third Parties
- Integrity of Key Business Information
Operational Excellence
- Improved Governance Models & Structures
- Team Structure and Sizing
- Service Level Levels/Management
- Executive Reporting & Metrics
- Managed Security Services
- How to provide more value with limited resources?
Technical Architecture
- Changing view of perimeters
- Identity and Access Platforms & Needs
- Security Event Monitoring & Management
- Data Centric Security Models & Leakage Protection
- Service Oriented Architectures
- Highly Available Infrastructures
- Security Program Management
3. The Goal: A Balanced Approach
Value Creation (Business Performance) | Value Preservation (Risk Management)
- Security as enabler to business
- Alignment with business needs
- The right control in the right place
- Understanding regulations
- Driving down cost of compliance
- Information Protection supports:
  - Better business decisions
4. What is Information Protection?
- Compliance and Risk Management
- Legal and Discovery Efforts
- Data Privacy and Identity Theft
- Security Operations & Metrics
- Business/Technology Resiliency
- Security Breach Notification
- Managing Internal/External Identities
DEFINITION: An implemented, understood and measured program of policies, procedures and controls that help to consistently achieve compliance, regulatory, legal and business mandates.
5. A Cavalcade of Regulations
- Organizations are faced with a new, updated, and changing regulatory landscape. Some of the highlights include:
  - Privacy Notification Laws
    - 39+ states have privacy notification laws (including GA, FL, LA, TN, NC); others have security & identity theft laws
    - Potential for Federal Privacy Standards
  - NERC Cyber Security & Reliability Standards (CIP002-CIP009)
    - Increased scrutiny and formalization of penalties (risk & severity)
    - NOPR released in July may have more stringent implications
  - Security requirements for Federal Government Agencies
    - Security requirements for companies or organizations serving US Government
  - Healthcare information security and privacy rules
  - PCI-DSS Standards for Credit Card Security
    - Any business that accepts credit card payments is subject to PCI assessments
  - Sarbanes-Oxley - Section 404
    - Many non-public entities are choosing to adopt Sarbanes-Oxley internal control principles
6. Key Elements
Building Blocks
- Establish responsibility, policy, procedures & controls
- Focus on Data Classification, Risk Assessments, Data Ownership
- Unstructured data is a problem
- Increased focus on operational data (vs PII & financial)
- Strong linkage to storage
- Unified Approach to Security & Compliance
  - Bring multiple compliance teams together, reduce effort, balance business objectives
  - Focus on Risk Management, Critical Business Information and Business Processes
  - Consistent approach to governance, planning, testing
  - Leverage standards (CObIT, ISO27001, ITIL)
  - Prioritize key areas of compliance focus (Identity, Access, Change Mgmt, Logging/Monitoring, Governance)
- Access Control and Identity Management
  - Control and know who has access to what and why
  - High priority in tools for provisioning and de-provisioning users
  - Focus on Role-Management and Segregation of Duties
  - Uniquely identifying privileged access users
  - Regular certification of user access
- Improved logging and monitoring
  - Formalized, proactive monitoring across applications, OS, Databases, Networks
  - Prioritization to critical processes and transactions
  - Use of filters or analytical tools
  - Intelligent storing and rotation of logs
7. Typical Business Environment Today
- How do you manage and control who has access to what in an efficient and effective way?
[Diagram: stakeholders (system administrators, security administrators, business managers, employees, suppliers, citizens, third parties, business partners; Federal, State and Local agencies), systems (SAP, PeopleSoft, Windows, mainframe, SSO, provisioning, web portals, business applications, employee self-service, consolidation), pressures (outstanding audit issues, internal controls, short user life cycles, immediate access requirements, segregation of duties, data protection acts, privacy legislation, FIPS 201, HSPD-12, FISM); scale: 1,000+ users, 100+ applications, 100,000+ possible functions]
8. IAM Lifecycle
[Diagram: the Identity Lifecycle from Relationship Begins to Relationship Ends, covering Provisioning, Authentication, Authorization, Self-Service Password Management (forgotten password), changes such as a new project or a change of location or role, and De-Provisioning, with Compliance spanning the lifecycle]
9. IAM Capability Stack
[Diagram: IAM Maturity (Decentralized Administration, Centralized Administration, Centralized Management, Enterprise Administration, Enterprise Management) plotted against Capabilities/Complexity; IAM Capabilities: Integration of Controlled Systems, Password Management, Access & Authorization Management, Provisioning Automation, Advanced Auditing, Distributed Administration, Advanced Authorization Management (Role-Based Access)]
10. Key Business and Enablement Drivers (i)
- Five (5) Key Business and Enablement Drivers:
11. Benefits of an IAM solution
- Centralizes processes in a single trusted identity-aware system
- Eases administration of identities with automation & delegation
- Automates & streamlines application provisioning with workflows
- Centralizes access control with policies and enforcement
- Improves Authentication with Password Management
- Supports Compliance with stronger controls, auditing & reporting
- Enhances user experience & reduces lost productivity with Single sign-on & User self-service
12. Key Drivers For Implementation
[Chart: Q6. What are the top three most important business reasons your enterprise installed an IAM initiative? (Choose up to 3 items.) Multiple responses allowed among those who have implemented an automated IAM process.]
13. Key Findings: What Worked?
- A comprehensive vision, strategy, and roadmap, and the level of executive sponsorship, were the most important factors related to the IAM initiative
- Success factors, % rating 4-5:
  - Comprehensiveness of IAM vision, strategy, and roadmap: 76%
  - Level of executive sponsorship: 76%
  - Project Management: 73%
  - Accuracy of initial project scope: 67%
  - Level of stakeholder expectations: 67%
  - The IAM technology tool: 67%
  - Accuracy of initial project budget: 61%
14. Appendix: Additional Reference Slides
15. Information Governance
- Information Governance (or Information Management) is an increasing priority for most entities, including State and Local Government. The goal of most Information Governance programs focuses on:
  - Establishing governance (responsibility, policy, procedures) for organizational Information & Data
  - Identifying and prioritizing critical Information Assets
  - Developing and Implementing appropriate controls for the Information Assets
- Some of the trends in Information Governance we have identified include:
  - More focus on Data Classification and Risk Assessments
  - Data ownership is still a tug-of-war between Business and IT
  - Data portability risks are increasing exponentially
  - Data Leakage tools and processes are starting to mature
  - Unstructured data is still a problem for most organizations
  - Increased focus on Operational Data rather than just privacy- or financial-driven information
  - Strong linkage to Storage projects and planning
16. Unified Approach to Security & Compliance
- Inconsistent standards and compliance approaches have created inefficiencies including:
  - Multiple compliance teams working in silos across the organization
  - Process Owners losing productivity due to multiple audit requirements
  - More focus on compliance rather than business improvement
  - Tactical response to audit findings rather than root cause
- Some leading practices have emerged with demonstrable benefits to the compliance efforts:
  - Strong focus on Risk Management and assessment of Critical Business Information and Business Processes
  - Linking multiple compliance efforts into a more unified approach including consistent governance, planning, and testing
  - Leverage well-known standards (CObIT, ISO27001, ITIL) to drive organizational improvements rather than siloed compliance standards
  - Prioritize key areas of compliance focus (Identity Management & Access Control, Change Management, Logging & Monitoring, and Information Governance)
17. Access Control & Identity Management
- Focus on Access Control and Identity Management will continue to be a priority requirement, consistent across all regulations:
  - Who is accessing systems and applications?
  - What data/information do they have access to?
  - Is it appropriate for their job/position?
- A priority remains the process and technology for provisioning and de-provisioning of users (employees, contractors, customers)
  - Slightly less than previous years
- Focus on Role-Management to identify inconsistencies across the enterprise
- Segregation of Duties analysis is a growing concern
- Uniquely identifying privileged access users and system accounts
- Regular certification of user access
- Improved logging and monitoring of sensitive transactions or access
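An added example (not from the deck) of what the access-control points on this slide and on slide 6 look like as a periodic access review: it runs over a constructed entitlement export, answers who has access to what and why, and flags segregation-of-duties conflicts, privileged system accounts without a named owner, terminated users still provisioned, and stale certifications. The field names, the SoD rule and the 90-day certification period are this example's own assumptions.

```python
"""Added example, not from the deck: a small access review over constructed data."""
from datetime import date

# Constructed sample data; the field names are this example's own convention.
ROLES = {                                   # role -> entitlements it grants
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"payment.approve"},
    "dba": {"db.admin"},
}
USERS = {                                   # account -> status, roles, last certification
    "alice": {"status": "active", "roles": {"ap_clerk"}, "certified": date(2008, 6, 1)},
    "bob": {"status": "active", "roles": {"ap_clerk", "ap_approver"}, "certified": date(2008, 7, 1)},
    "carol": {"status": "terminated", "roles": {"dba"}, "certified": date(2007, 11, 1)},
    "svc_batch": {"status": "system", "roles": {"dba"}, "certified": None, "owner": None},
}
SOD_RULES = [("vendor.create", "payment.approve")]   # toxic combinations (assumed)
PRIVILEGED = {"db.admin"}                             # entitlements that need a named owner
CERT_PERIOD_DAYS = 90                                 # assumed recertification cycle
REVIEW_DATE = date(2008, 8, 12)

def who_has_what(user):
    """Map each entitlement the account holds to the role that grants it (the 'why')."""
    return {ent: role for role in sorted(USERS[user]["roles"]) for ent in ROLES[role]}

def review(today=REVIEW_DATE):
    """Return (account, issue, detail) findings for one access certification run."""
    findings = []
    for user, rec in USERS.items():
        ents = set(who_has_what(user))
        if rec["status"] == "terminated" and ents:
            findings.append((user, "deprovision", sorted(ents)))  # leaver still provisioned
            continue                                               # nothing left to certify
        for a, b in SOD_RULES:                                     # segregation of duties
            if a in ents and b in ents:
                findings.append((user, "sod", [a, b]))
        priv = ents & PRIVILEGED                                   # privileged system account
        if priv and rec["status"] == "system" and rec.get("owner") is None:
            findings.append((user, "privileged-no-owner", sorted(priv)))
        cert = rec["certified"]                                    # regular certification
        if cert is None or (today - cert).days > CERT_PERIOD_DAYS:
            findings.append((user, "recertify", sorted(ents)))
    return findings

if __name__ == "__main__":
    for finding in review():
        print(finding)
```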
18. Logging & Monitoring
- Logging and monitoring requirements are becoming more formalized, with a stronger focus on proactive monitoring of logs, looking for potential incidents or issues. This is complicated by:
  - Multiple sets of logs (Application, OS, Database, Network)
- Some trends regarding logging and monitoring include:
  - Prioritization of logging and monitoring to critical processes and transactions
  - Log standardization including format, configurations, and time synchronization
  - Using filters or analytical tools to facilitate proactive monitoring
  - More intelligent storing and rotation of logs
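An added example (not from the deck) of the log standardization and proactive filtering this slide and slide 6 describe: three constructed log formats (OS syslog, application, database audit) are normalized into one record layout, their timestamps are brought onto a common UTC clock using assumed per-source offsets, and only events on critical transactions are kept for review. The formats, the offsets and the critical-transaction list are this example's assumptions.

```python
"""Added example, not from the deck: normalize OS/app/DB log lines to UTC records, then filter."""
import re
from datetime import datetime, timedelta, timezone

YEAR = 2008                                        # syslog lines carry no year (assumed)
UTC_OFFSET_HOURS = {"os": -4, "app": 0, "db": 0}   # assumed per-source clock offsets
CRITICAL = {"payment.approve", "ALTER TABLE", "GRANT"}  # transactions monitored proactively
SYSLOG = re.compile(r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)")

SAMPLE = [  # constructed raw lines, tagged with their source
    ("os", "Aug 12 09:15:02 fin-srv01 sshd[2201]: Accepted password for svc_batch from 10.0.5.7"),
    ("app", "2008-08-12T13:16:40Z app=payments user=bob action=payment.approve amount=250000"),
    ("db", "2008-08-12 13:17:05,svc_batch,fin-db,ALTER TABLE payments ADD COLUMN memo"),
    ("app", "2008-08-12T13:18:01Z app=payments user=alice action=invoice.enter amount=120"),
]

def to_utc(naive, source):
    """Attach the source's clock offset and convert to UTC (the time-synchronization step)."""
    tz = timezone(timedelta(hours=UTC_OFFSET_HOURS[source]))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)

def normalize(source, line):
    """Parse one raw line into {ts, source, user, action}; None if it cannot be parsed."""
    if source == "os":                             # 'Mon DD HH:MM:SS host proc[pid]: message'
        m = SYSLOG.match(line)
        if not m:
            return None
        stamp, proc, msg = m.groups()
        naive = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        who = re.search(r"\bfor (\S+)", msg)
        return {"ts": to_utc(naive, source), "source": source,
                "user": who.group(1) if who else None, "action": proc}
    if source == "app":                            # ISO-8601 UTC stamp, then key=value pairs
        stamp, _, rest = line.partition(" ")
        kv = dict(p.split("=", 1) for p in rest.split())
        naive = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": to_utc(naive, source), "source": source,
                "user": kv.get("user"), "action": kv.get("action")}
    if source == "db":                             # 'YYYY-MM-DD HH:MM:SS,user,host,statement'
        stamp, user, _host, stmt = line.split(",", 3)
        naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        return {"ts": to_utc(naive, source), "source": source,
                "user": user, "action": " ".join(stmt.split()[:2])}
    return None

def critical_events(lines=SAMPLE):
    """Normalize, order on the common UTC clock, and keep only critical transactions."""
    recs = sorted((r for r in (normalize(s, l) for s, l in lines) if r), key=lambda r: r["ts"])
    return [r for r in recs if r["action"] in CRITICAL]
```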
19. Key Business and Enablement Drivers
Business Facilitation
- I&AM value proposition:
  - Centralized group/role based security infrastructure allows for quick integration of many users
  - User management functions standardized to meet specifications identified by corporate governance
  - Seamless and consistent integration of security and personalization for portal environments
  - User self-service for changes to personal and basic security information
- Pressures:
  - Integration of large numbers of users
  - Poor customer on-boarding processes
  - Inconsistent customer experience
  - No standardization of basic provisioning and de-provisioning processes
  - User complaints of red tape when making changes to personal information
Reducing Risk
- I&AM value proposition:
  - Increased segregation of duties (SOD)
  - Better enforcement of policy
  - Alignment of financial system access
- Pressures:
  - Diverse security postures
  - Increased likelihood of fraud
Cost Containment
- I&AM value proposition:
  - Streamlined application provisioning
  - Quicker go-live for new applications
- Pressures:
  - Administrative costs of employee and contractor user profiles
  - Applications Architecture Upgrades
Operational Efficiency
- I&AM value proposition:
  - Quicker re-branding of services
  - Quicker integration of new users
  - Reduced lost productivity
- Pressures:
  - Departmental consolidation
  - Outsourcing / off-shoring
  - Business process improvement
  - Administrative process improvement
Improving Regulatory Compliance
- I&AM value proposition:
  - Flexibility to adapt to new regulations
- Pressures:
  - Increased reliance by external entities
20. Identity & Access Management
Policies, processes and systems for effectively governing and managing who has access to what within an organization.
IAM components: Provisioning, Data Management, Identity Management, Monitoring and Reporting, Governance, Agility, Audit and Compliance, Authentication Management, User Access Management, Authorization Management
- Processes and technologies that enable the management of user identities
- Propagation of identity and authorization data and policies to IT resources
- Activities for effectively governing and managing the lifecycle of identities
- Authentication Management: governing and determining that an entity is who or what they claim to be
- Governing and determining what resources an entity is permitted to access
- Enforcing policies for access to information or resources
- Consistent policies, processes, organizational structures and decision rights
- The identifier and attributes for an entity (person, organization, device, resource, or service)
- Monitoring, auditing and reporting compliance of users' access to resources based on the defined policies and requirements
- The ability to adapt to the changing user environment