Identity Management for the Requirements of the Information Security
- Bernice Lang
- 8 years ago
M. B. Ferreira 1, K. C. Alonso 2

1 Industrial Engineer, Fluminense Federal University, Volta Redonda, Brazil
2 Department of Industrial Engineering, Fluminense Federal University, Volta Redonda, Brazil
(mirleybf@id.uff.br; kellyalonso@id.uff.br)

Abstract - One of the factors in successful information security management is the integration of security policies, processes, people and technologies. The deployment of identity management integrates these factors and provides benefits to management. This paper aims to establish the process flow for a system of identity and access management (IdM) of a multinational company in the mining sector, in order to create a unique identification for each user in all corporate information systems and a standardized process for access requests after mergers and acquisitions. To achieve this, a literature search and a case study were conducted to identify the business need. Finally, the study identified and showed the principal benefits generated by the new processes following the demands of the SOX law.

Keywords - IdM, information security, process, SOX law

I. INTRODUCTION

Increasingly, firms seek a competitive advantage in a global scenario. To this end they go through restructuring processes and even mergers to gain market share. The organizations that undergo such processes incorporate new information systems and new databases into their existing systems. However, the employees, as users of these systems, receive numerous identifications that cause inconvenience, such as a lack of identity maintenance and a lack of a standardized process for requesting access to the systems. Thus there is increasing dissatisfaction among users due to high account maintenance expenses and slow access management processes.
The flow of information systems becomes bureaucratic without effective policy requirements for internal controls, and also negligent with regard to information security compliance. Identity management is the most important platform to protect and manage the flow of users' identity information and to deal with system vulnerabilities [1, 2].

Identity and access management (IdM, Identity Management), according to [3], is the set of processes and technologies for the handling of user identities, from the birth of the data in HR systems to applications and web sites. The level of protection for personally identifiable information is the critical factor for a successful identity management service [4]. The IdM is responsible for consolidating and controlling the authentication, authorization and workflow of the user in these systems.

This paper presents an application of the IdM concept in a public multinational company and aims to propose a set of process flows for maintaining user access requests in information systems. The company will thereby align its processes with the requirements of SOX and its specifications [5]. Forecasting, security, planning and coordinating interactions among these drivers and solving problems that emerge are of utmost importance in the success of any organization [6].

II. INFORMATION SECURITY AND SOX LAW

Information security, according to [7], is the area of knowledge designed to preserve information against unauthorized access, unavailability and inappropriate changes. As such, information security is not only a technical issue but also a behavioral issue involving users, as well as corporate governance actions through security policies. In terms of a model system, a safety margin is obtained by imposing security restrictions. Each of these restrictions has the function of preventing the occurrence of a critical event that compromises the integrity of the model [8].
In the last ten years, information security has received a lot of attention from various business sectors, enterprises, organizations and governments [9]. Among the most recent actions in this area is the creation of the SOX Act. A U.S. law, the Sarbanes-Oxley Act (SOX or SARBOX), was published in 2002 with the purpose of mitigating risks to businesses. It has been applied to all companies that are listed on the New York stock exchange. The major motivation for creating this law was the corporate financial scandals that resulted in the withdrawal of investments from the NYSE, owing to insecurity about the governance of these companies and the lack of reliability of the information provided by them. Thus, the SOX law aims to establish higher standards of corporate responsibility, ensuring the creation of mechanisms for auditing and information security to protect investors against financial and accounting fraud, and also to punish crimes of this kind.

Some recommendations of this law are the implementation of access controls and segregation of functions (it does not allow a person to have full control of the same activity simultaneously) as a way to follow the internal control policies [10]. The SOX law says the company must create internal controls to ensure the reliability of information, among other regulatory rules [11]. These other rules have been divided into sections, such as: the executives of these organizations must prove the effectiveness of internal controls, and both the CEO and the CFO must sign to certify the financial reports [12].

/13/$ IEEE

Thus, companies will need to put this law into practice to ensure the standardization of their processes and information security. Publicly traded companies can obtain certification against the requirements of this law in order to demonstrate their good practices to investors. These new regulations have brought greater complexity to managing IT and the business itself. Furthermore, the law brought greater responsibilities to the IT field and further increased its importance in the strategies of organizations [13]. Identity management, in turn, plays a key role in the regulations relating to internal control and corporate governance, as the Sarbanes-Oxley law recommends [14].

III. IDENTITY MANAGEMENT AND ARCHITECTURE

Identity management systems aim at increasing the user-friendliness of authentication procedures, whilst at the same time ensuring strong authentication for system security [15]. According to [16], there are different strategies for managing identity and specifications, especially in organizations. These strategies are relevant during periods of drastic downturn because companies look to restructure themselves to reduce security vulnerability. For example, the merger of two different companies requires the integration of the identities of the employees, partners and customers of both in the short term. This scenario requires identity systems capable of integrating across organizational boundaries [14].

Identity management proposes a central repository, which [3] calls a metadirectory (Fig 1). It aims at centralizing the databases and creating automatic administration. The left side of Figure 1 shows the architecture with no integration between the systems. The right side displays the metadirectory that controls the flow of requests and user accounts.
Fig1 - Metadirectory

In this centralized data repository it is possible to apply Single Sign-On (SSO), which refers to using the same login to connect to many systems of the company. As such, SSO is useful for reducing the administrative costs of account management [14].

The identity has a life cycle (Fig 2) consisting of creation, use, upgrade and completion, supported by governance [12].

Fig2 - Identity life cycle

Some of these phases can be initiated automatically, such as the deactivation of an employee in the HR system. This event may trigger the identity system to inactivate that employee. Phases can sometimes occur in manual mode, as is the case with a password reset.

IV. RESULTS

The company of the case study is headquartered in Brazil. It is a private, publicly traded company with shares traded on the São Paulo, Paris, Madrid, Hong Kong and New York stock exchanges. Thus, by having ADRs (American Depositary Receipts), i.e. shares traded on U.S. stock exchanges, it is one of the companies required to comply with SOX. It is present in over 30 countries worldwide and has approximately 195,000 employees. Of these employees, more than 100,000 are IT users. The name of the organization cannot be revealed because of restrictions in its corporate policy.

Since this is a global company, it is required to continuously improve its processes in order to meet the needs of customers and the market. In order to remain at its present level or to achieve greater heights, it goes through restructuring and acquisitions, sales and mergers. With this restructuring, the information systems incorporated from numerous different sources need to be combined in some way with the other information systems already present in the company. Some scenarios are described by the company for a proper understanding of the problems of the initial situation, before the implementation of IdM.
The company has gone through many mergers and acquisitions in recent years, requiring an analysis of its information security. When the company expands, it is necessary to store the information of new employees in the HR database (such as file name, title, and others) as well as to create accounts for network access. The integration of new users into existing systems occurred precariously, through manipulation of spreadsheets, generating inconsistent information and parallel controls.

Another risk arose when there were layoffs. The company deactivates the employee in the HR system and consequently all of that employee's access to other systems should be blocked. However, in many cases, it was possible to detect these employees with access to assets in other systems, and mainly in the network.

The management of network access also had critical problems, such as the validation controls for passwords and access levels. Users had at least 3 different passwords, one for each different access. This situation increased user dissatisfaction and the maintenance costs of these accesses.

Added to those problems was the low efficiency of the help desk system, with high costs. When an employee needed access to a new system or a new feature, they requested access through the help desk, but the help desk had difficulty with the data and the process was slow and flawed.

The lack of control over new user accounts, as well as existing ones, caused various disorders in Beta Company. Examples include duplicate user accounts, accounts of inactive users which were still active in systems, a bureaucratic access request process with little supervision, and non-compliance with the internal and external policies of the company.

Considering this scenario, the company will need to review some processes that are flawed, bureaucratic and not in line with the new rules and regulations. These processes should: adapt to the new SOX law; support the business in developing information system bases that are less bureaucratic and more agile; reduce problems with user identities; create globalized processes to manage the identity life cycle of users and access; improve the end-user experience with their accounts; and finally suit IT planning in the long term.

The following figures show some flows for the improvement of the management processes for monitoring user access keys. These propose the rationalization and standardization of processes, in addition to increasing competitiveness. Firstly, we show the legend (Fig 3) of the types of process tasks. Common tasks, like notification, have not been represented.
According to [3], the authentication activity validates an identity, the authorization activity determines whether a certain identity is authorized to access a resource or perform an action, and the provisioning activity updates the data between their bases.

Fig3 - Types of process tasks

The creation process (Fig 4) is initiated by an event from the HR system. This event occurs when a user is admitted to the company. The HR system informs the IdM which user needs to be created. The IdM reserves a new key for the creation of the new user profile and subsequently writes the user information to its metadirectory. It then notifies the user that their account was created. Finally, the flow is terminated by a notification to the manager.

Fig4 - User creation

Since the company is a mining operator, not all employees of the company go through this event. The event occurs only when the employee is admitted as an IT user, i.e., one that makes use of the systems, networks and other IT resources.

The access request flow describes the process that users must follow to request access to an application or system, based on the recommendations of SOX. This flow also allows an ordinary user or a manager to request access for another user. Fig 5 shows a simplified mapping of this process for a better view of its main features.

Initially, the user should authenticate to the IdM with their key and password. They then select the application and the desired function, after which a flow runs automatically. The IdM checks whether the beneficiary has the training to perform that function. Then it checks whether this new function conflicts with others that the beneficiary already has. The manager is the third approver, who confirms that the employee needs that role. The access is validated by the data owner, and in addition the other approver validates it manually. Finally, it is checked whether the company has a license for the application.
If all checks and approvals are successful, all accesses are provisioned in the other systems and the user is notified. If any of the authorization activities is denied, the process is interrupted and the user is notified. In this case the access is neither granted nor provisioned.

It is important to note that some of these activities may or may not occur, depending on the business needs and on the information available when the identity management tools are deployed. This flexibility makes the process customizable to different types of applications, ranging from the simplest to the most complex.
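The access request flow described above, sketched as an added example (it is not code from the paper or from the company's IdM tool). Role names, the course code, the conflict rule, the user keys and the per-application step lists are constructed for illustration; the point is the ordered checks, the interruption on the first denial, and the audit record for every decision.

```python
from dataclasses import dataclass, field

# Constructed rules: role names, the course code and step lists are illustrative.
SOD_CONFLICTS = {frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"})}
TRAINING_REQUIRED = {"AP_APPROVE_PAYMENT": "FIN-201"}
# Steps are configured per application, since some activities are optional.
FLOWS = {
    "ERP": ["training", "sod", "manager", "data_owner", "license"],
    "CAD": ["manager", "license"],
}


@dataclass
class Request:
    requester: str    # user or manager who files the request
    beneficiary: str  # user key that would receive the access
    application: str
    role: str
    approvals: dict = field(default_factory=dict)  # step name -> True / False


@dataclass
class Metadirectory:
    """Stand-in for the central repository: roles, training, licenses, audit log."""
    roles: dict = field(default_factory=dict)     # user key -> set of roles
    training: dict = field(default_factory=dict)  # user key -> set of courses
    licenses: dict = field(default_factory=dict)  # application -> seats left
    audit: list = field(default_factory=list)


def check_training(req, md):
    course = TRAINING_REQUIRED.get(req.role)
    return course is None or course in md.training.get(req.beneficiary, set())


def check_sod(req, md):
    # Segregation of functions: the new role must not conflict with a held one.
    held = md.roles.get(req.beneficiary, set())
    return not any(frozenset({req.role, r}) in SOD_CONFLICTS for r in held)


def approval(step):
    # A missing decision counts as a denial; access is never granted by default.
    return lambda req, md: req.approvals.get(step) is True


def check_license(req, md):
    return md.licenses.get(req.application, 0) > 0


STEPS = {
    "training": check_training,
    "sod": check_sod,
    "manager": approval("manager"),
    "data_owner": approval("data_owner"),
    "license": check_license,
}


def process(req, md):
    """Run the configured checks in order; provision only if all of them pass."""
    def log(step, outcome):
        md.audit.append((req.requester, req.beneficiary, req.application,
                         req.role, step, outcome))

    flow = FLOWS.get(req.application)
    if flow is None:
        log("lookup", "deny")
        return "denied:unknown_application"
    for step in flow:
        if not STEPS[step](req, md):
            log(step, "deny")
            return f"denied:{step}"  # flow interrupted, nothing provisioned
        log(step, "pass")
    md.roles.setdefault(req.beneficiary, set()).add(req.role)
    md.licenses[req.application] -= 1
    log("provision", "done")
    return "provisioned"


if __name__ == "__main__":
    # Constructed sample: k1001 already holds the conflicting role, k1002 does not.
    md = Metadirectory(
        roles={"k1001": {"AP_CREATE_VENDOR"}},
        training={"k1001": {"FIN-201"}, "k1002": {"FIN-201"}},
        licenses={"ERP": 1},
    )
    ok = {"manager": True, "data_owner": True}
    for key in ("k1001", "k1002"):
        r = Request("k9000", key, "ERP", "AP_APPROVE_PAYMENT", dict(ok))
        print(key, process(r, md))
    for entry in md.audit:
        print(entry)
```

The audit list records every step outcome, including denials, which is the evidence an auditor would ask for when reviewing why an access was or was not granted.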
Fig5 - Access request

The flow of Fig 6 shows the process to disable the user. The HR system first creates an inactivation event and automatically informs the IdM of it. The tool in turn notifies the manager that this user will be disabled. If the user has access to any application, the manager is informed of this. The manager then reviews and confirms the inactivation of the user. Afterwards, the IdM revokes all accesses. The account of the user is inactivated in the metadirectory and also in all applications of this account. The observation (*) in the "Analyze request" task is necessary because, if the manager does not permit the inactivation, he must comment on this failure. Then the log is recorded in the IdM for audit purposes.

Fig6 - User inactivation

The flow of Fig 7 describes the process by which the user can self-manage their password. For this, the user must access the IdM and request the password update. The tool checks whether the new password complies with the company's password policies. If the answer is yes, it is recorded and updated in the metadirectory and in all other applications the user has access to. Finally, the user is informed about the change by the IdM. The observation (*) is important because, if the password is not correct, the user is informed and should then recreate it.

Fig7 - Password change

By mapping this it was possible to see that all systems are integrated with the IdM according to the requirements of SOX, which include: having an internal standard process for identity and access management; monitoring the life cycle of the identity with the integrated HR system (e.g. not allowing a user who has left the company to continue to access the system); and allowing users themselves to service their account (for example, the user is allowed to change their password in the IdM and this is replicated instantly to all other systems).

Upon completion of the mapping it is possible to get a single user database; increase reliability and obtain a security audit; reduce costs associated with user accounts; ensure a secure and streamlined service for the life cycle of the identity; and establish a standard process that can be adapted to work with any future application. Identity and user access management that is aligned with the company's organizational culture and is consistent, efficient and effective is essential for improving information security and for improving the company's standing in audits, productivity, costs and competitiveness.

V. CONCLUSIONS

This study presented the mapping of processes for the life cycle of the user identity, as well as all steps to request access to applications that can be managed through a tool known as IdM in an enterprise. The resulting information is valuable not only to the research community but also to managers and policy makers striving to reduce security vulnerability in critical situations such as restructurings. Through the mapping of the flows it was possible to achieve several benefits in various areas, such as:

a) Business information: it has created a single data source of user identity and access to global systems; it has consolidated the information for decision making; it has standardized the processes for updating and deleting users, in addition to the processes of solicitation and revocation of access in all areas of the company.

b) Compliance and information security: it met the
requirements of the SOX law, restricted the access to systems and data based on rules and policies, reduced the manual controls between systems, increased the reliability and security, reduced the data scattered in spreadsheets, and tracked the transactions.

c) Business efficiency and growth support: it has greater ability to perform mergers and acquisitions since the systems are integrated; it accrues data between the metadirectory and other connected systems; it provides quick and easy access to system users; it simplifies management through integrated and unique processes; and it facilitates the mobility of former employees.

d) Usability: there is a unique process to request access in all applications connected to the metadirectory, with the user having only one key and one password to access all the apps in IdM.

Identity and access management that is consistent, efficient and effective is fundamental to information security, and it allows standardization of processes in the business strategy, improvement of the company's standing in audits, and cost competitiveness. Despite all the complexity involved in the whole process from conception to implementation, the identity management system is a tool that has come to unite business and IT in information security.

There are other studies that may be triggered, explored and developed from this stage. For example, it could be used as a possible research tool for integrating mapping and monitoring the security levels; verifying the vulnerability of the mapping; and proposing identity and access management to the company's stakeholders.

REFERENCES

[1] J. Chen, G. Wu, L. Shen, Z. Ji, Differentiated security levels for personal identifiable information in identity management system, Expert Systems with Applications, vol. 38, no. 11, pp , Oct. 2011.
[2] C. W. Thompson, D. R. Thompson, Identity management, IEEE Internet Computing, vol. 11, no. 3, pp ,
[3] A. Santos, Identity Management (in Portuguese), Gerenciamento de identidades. RJ: Brasport,
[4] L. Hyangjin, I. Jeun, H. Jung, "Criteria for Evaluating the Privacy Protection Level of Identity Management Services," in Third International Conference on Emerging Security Information, Systems and Technologies, pp. 155-160, June
[5] N. V. Vakkur, R. P. McAfee, F. Kipperman, The unintended effects of the Sarbanes-Oxley Act of 2002, Research in Accounting Regulation, vol. 22, no. 1, pp , April
[6] R. A. Macedo, K. C. M. Alonso, A. N. Haddad, Asset Prioritization as a Modal Integrator in Organization Logistics Activities, in The IEEE International Conference on Industrial Engineering and Engineering Management, Macau,
[7] M. Sêmola, Management of Information Security: An executive view (in Portuguese), Gestão da Segurança da Informação: Uma visão executiva. 8. ed. Rio de Janeiro: Campus, 2003.
[8] E. S. Christo, M. B. Ferreira, Use the chart control to minimize errors series forecasting electricity (in Portuguese), Uso do gráfico de controle para minimizar erros de previsão em séries de energia elétrica, ENGEVISTA, Niterói, vol. 15, junho
[9] M. Eminağaoğlu, E. Uçar, S. Eren, The positive outcomes of information security awareness training in companies: A case study, Information Security Technical Report, vol. 14, no. 4, pp , Nov
[10] L. H. Lima, External control: theory, legislation, case law and more than 450 questions (in Portuguese), Controle externo: teoria, legislação, jurisprudência e mais de 450 questões. Rio de Janeiro: Elsevier,
[11] M. M. P. Souza, M. D. Figueredo, Sarbanes-Oxley and Its Importance for the Brazilian Listed Companies from Year 2004 (in Portuguese), Lei Sarbanes-Oxley e Sua Importância para as Companhias Abertas Brasileiras a partir do Ano de 2004, vol. 10, no. 42, pp , out./dez
[12] S. Wagner, L. Dittmar, The Unexpected Benefits of Sarbanes-Oxley, Harvard Business Review, pp. 4,
[13] A. A. Fernandes, V. F. Abreu, Deploying IT governance: from strategy to process management and services (in Portuguese), Implantando a governança de TI: da estratégia à gestão de processos e serviços, 2. ed. Rio de Janeiro: Brasport,
[14] E. Bertino, K. Takahashi. Concepts, Technologies, and Systems. Norwood: Artech House,
[15] J. Vossaert, J. Lapon, B. De Decker, V. Naessens, User-centric identity management using trusted modules, Mathematical and Computer Modelling, vol. 57, Issues 7-8, pp , April
[16] A. Jøsang, M.A. Zomai, S. Suriadi, Usability and privacy in identity management architectures, in: L. Brankovic, P.D. Coddington, J.F. Roddick, C. Steketee, J.R. Warren, A.L. Wendelborn (Eds.), ACSW Frontiers, in: CRPIT, vol. 68, pp , Australian Computer Society,
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationThe Unique Alternative to the Big Four. Identity and Access Management
The Unique Alternative to the Big Four Identity and Access Management Agenda Introductions Identity and Access Management (I&AM) Overview Benefits of I&AM I&AM Best Practices I&AM Market Place Closing
More informationPortWise Access Management Suite
Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s
More informationAddressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations
White Paper September 2009 Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations Page 2 Contents 2 Executive
More informationStephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15
Program Name Identity and Access Management (IAM) Implementation IAM Executive Sponsors Jim Livingston Stephen Hess 1 P age Project Scope Project Description The goal of this project is to implement an
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationHow To Improve Your Business
IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationAudit of IT Asset Management Report
Audit of IT Asset Management Report Recommended by the Departmental Audit Committee for approval by the President on Approved by the President on September 4, 2012 e-doc : 3854899 1 Table of Contents EXECUTIVE
More informationA FRAMEWORK FOR INTEGRATING SARBANES-OXLEY COMPLIANCE INTO THE SOFTWARE DEVELOPMENT PROCESS
A FRAMEWORK FOR INTEGRATING SARBANES-OXLEY COMPLIANCE INTO THE SOFTWARE DEVELOPMENT PROCESS Sushma Mishra Virginia Commonwealth University mishras@vcu.edu Heinz Roland Weistroffer Virginia Commonwealth
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationBest Practices Report
Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general
More informationEffective Enterprise Performance Management
Seattle Office: 2211 Elliott Avenue Suite 200 Seattle, Washington, 98121 seattle@avanade.com www.avanade.com Avanade is a global IT consultancy dedicated to using the Microsoft platform to help enterprises
More informationAccess Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL
AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical
More informationInternal Control Deliverables. For. System Development Projects
DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...
More informationOracle Privileged Account Manager 11gR2. Karsten Müller-Corbach karsten.mueller-corbach@oracle.com
R2 Oracle Privileged Account Manager 11gR2 Karsten Müller-Corbach karsten.mueller-corbach@oracle.com The following is intended to outline our general product direction. It is intended for information purposes
More informationThe Top 5 Federated Single Sign-On Scenarios
The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3
More informationMarket Comparison Report. Which ERP Architectures Best Handle Business Change?
Which ERP Architectures Best Handle Business Change? June - 2013 Which ERP Architectures Best Handle Business Change? Businesses are living in a constant state of flux due to increased competition and
More informationHow To Implement Data Loss Prevention
Data Loss Prevention Implementation Initiatives THE HITACHI WAY White Paper By HitachiSoft America Security Solutions Group September, 2009 HITACHI SOFTWARE ENGINEERING AMERICA, LTD. Executive Summary
More informationYour email is one of your most valuable assets. Catch mistakes before they happen. Protect your business.
Secure Messaging Data Loss Prevention (DLP) Your email is one of your most valuable assets. Catch mistakes before they happen. Protect your business. Businesses of every size, in every industry are recognizing
More informationROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER
July 22, 2010 ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER DEBORAH J. JUDY DIRECTOR, INFORMATION TECHNOLOGY OPERATIONS CHARLES L. MCGANN, JR. MANAGER, CORPORATE INFORMATION SECURITY
More informationCompliance and Industry Regulations
Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy
More informationCA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.
TECHNOLOGY BRIEF: REDUCING COST AND COMPLEXITY WITH GLOBAL GOVERNANCE CONTROLS CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes. Table of Contents Executive
More informationThe Return on Investment (ROI) for Forefront Identity Manager
The Return on Investment (ROI) for Forefront Identity Manager July 2009 2009 Edgile, Inc All Rights Reserved INTRODUCTION Managing identities within organizations and ensuring appropriate access to information
More informationWhen Data Loss Prevention Is Not Enough:
Email Encryption When Data Loss Prevention Is Not Enough: Secure Business Communications with Email Encryption Technical Brief WatchGuard Technologies, Inc. Need for Email Encryption Is at Its Peak Based
More informationFIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES
FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely
More informationORACLE HYPERION DATA RELATIONSHIP MANAGEMENT
Oracle Fusion editions of Oracle's Hyperion performance management products are currently available only on Microsoft Windows server platforms. The following is intended to outline our general product
More informationMitel Professional Services UK Catalogue for Unified Communications and Collaboration
Mitel Professional Services UK Catalogue for Unified Communications and Collaboration JUNE 2015 DOCUMENT RELEASE# 1.0 CATALOGUE SERVICES OVERVIEW... 3 TECHNICAL CONSULTING & DESIGN... 5 NETWORK ASSESSMENT...
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationSun Infrastructure Solution for Network Identity Seamlessly extend secure access to your enterprise fast, with reduced deployment time and cost
Sun Infrastructure Solution for Network Identity Seamlessly extend secure access to your enterprise fast, with reduced deployment time and cost Timothy Siu SE Manager, JES Nov/10/2003 sun.com/solutions/
More informationAn Oracle White Paper January 2010. Access Certification: Addressing & Building on a Critical Security Control
An Oracle White Paper January 2010 Access Certification: Addressing & Building on a Critical Security Control Disclaimer The following is intended to outline our general product direction. It is intended
More informationSeven Reasons to Use PlanView for Timesheets
Seven Reasons to Use PlanView for Timesheets Background Business professionals often face the tough job of choosing the right timesheet system for their enterprise. The wrong system can lead to lost productivity,
More informationNCAA Single-Source Sign-On System User Guide
NCAA Single-Source Sign-On System Table of Contents General Description... 1 Glossary of Terms... 1 Common Features Log In... 2 Password... 3 Log Out... 4 Tabs... 4 Buttons and Links... 4 Management and
More informationSecuring the Cloud through Comprehensive Identity Management Solution
Securing the Cloud through Comprehensive Identity Management Solution Millie Mak Senior IT Specialist What is Cloud Computing? A user experience and a business model Cloud computing is an emerging style
More informationThe Role of Password Management in Achieving Compliance
White Paper The Role of Password Management in Achieving Compliance PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 617.674.2727 E-mail: sales@portalguard.com Website: www.portalguard.com
More informationHSIN R3 User Accounts: Manual Identity Proofing Process
for the HSIN R3 User Accounts: Manual Identity Proofing Process DHS/OPS/PIA-008(a) January 15, 2013 Contact Point James Lanoue DHS Operations HSIN Program Management Office (202) 282-9580 Reviewing Official
More informationSAP Solution Brief SAP Solutions for Sustainability. Pave the Way for IT Innovation by Reducing Cost, Risk, and Energy Use
SAP Brief SAP s for Sustainability Objectives Pave the Way for IT Innovation by Reducing Cost, Risk, and Energy Use Charting the course for sustainable IT Charting the course for sustainable IT IT organizations
More informationEmptoris Contract Management Solution for Healthcare Providers
Emptoris Contract Management Solution for Healthcare Providers An Emptoris White Paper Emptoris, an IBM Company www.emptoris.com CMS-HP-4/12 Emptoris Contract Management Solution for Healthcare Providers
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationBusiness-Driven, Compliant Identity Management
Solution in Detail NetWeaver NetWeaver Identity Business-Driven, Compliant Identity Using NetWeaver Identity Managing users in heterogeneous IT landscapes presents many challenges for organizations. System
More informationCISM ITEM DEVELOPMENT GUIDE
CISM ITEM DEVELOPMENT GUIDE TABLE OF CONTENTS CISM ITEM DEVELOPMENT GUIDE Content Page Purpose of the CISM Item Development Guide 2 CISM Exam Structure 2 Item Writing Campaigns 2 Why Participate as a CISM
More informationTowards Securing E-Banking by an Integrated Service Model Utilizing Mobile Confirmation
Research Inventy: International Journal of Engineering And Science Vol.4, Issue 9 (Sept 2014), PP 26-30 Issn (e): 2278-4721, Issn (p):2319-6483, www.researchinventy.com Towards Securing E-Banking by an
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationHow to use identity management to reduce the cost and complexity of Sarbanes-Oxley compliance*
How to use identity management to reduce the cost and complexity of Sarbanes-Oxley compliance* PwC Advisory Performance Improvement Table of Contents Situation Pg.02 In the rush to meet Sarbanes-Oxley
More informationW H I T E P A P E R E X E C U T I V E S U M M AR Y S I T U AT I O N O V E R V I E W. Sponsored by: EMC Corporation. Laura DuBois May 2010
W H I T E P A P E R E n a b l i n g S h a r e P o i n t O p e r a t i o n a l E f f i c i e n c y a n d I n f o r m a t i o n G o v e r n a n c e w i t h E M C S o u r c e O n e Sponsored by: EMC Corporation
More informationIT governance in Brazil:
Article IT governance in Brazil: does it matter? Authors Prof. Dr. Guilherme Lerch Lunardi, Universidade Federal do Rio Grande (FURG), Brazil. IT governance in Brazil Prof. Dr. Joâo Luiz Becker, Universidade
More informationCERN, Information Technology Department alberto.pace@cern.ch
Identity Management Alberto Pace CERN, Information Technology Department alberto.pace@cern.ch Computer Security The present of computer security Bugs, Vulnerabilities, Known exploits, Patches Desktop Management
More informationSarbanes-Oxley Compliance and Identity and Access Management
A Bull Evidian White Paper Summary of Contents Introduction Sarbanes-Oxley Reference Framework IAM and Internal Controls over Financial Reporting Features Improve Efficiency with IAM Deploying IAM to Enforce
More informationProvide access control with innovative solutions from IBM.
Security solutions To support your IT objectives Provide access control with innovative solutions from IBM. Highlights Help protect assets and information from unauthorized access and improve business
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationData Protection Act 1998. Bring your own device (BYOD)
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
More informationBYOD File Sharing - Go Private Cloud to Mitigate Data Risks. Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks
BYOD File Sharing - Go Private Cloud to Mitigate Data Risks An Accellion Whitepaper BYOD File Sharing Go Private Cloud to Mitigate Data Risks Executive Summary The consumerization of IT and the popularity
More informationsolution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?
solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service? provides identity and access management capabilities as a hosted cloud service. This allows you to quickly
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationHP Server Automation Standard
Data sheet HP Server Automation Standard Lower-cost edition of HP Server Automation software Benefits Time to value: Instant time to value especially for small-medium deployments Lower initial investment:
More informationCertified Identity Management Professional (CIMP) Overview & Curriculum
Overview There are many factors contributing to the growing need for identity management professionals and technologies. First, the number of devices and their users are growing. These devices are increasingly
More informationIBM Software A Journey to Adaptive MDM
IBM Software A Journey to Adaptive MDM What is Master Data? Why is it Important? A Journey to Adaptive MDM Contents 2 MDM Business Drivers and Business Value 4 MDM is a Journey 7 IBM MDM Portfolio An Adaptive
More informationSarbanes-Oxley Control Transformation Through Automation
Sarbanes-Oxley Control Transformation Through Automation An Executive White Paper By BLUE LANCE, Inc. Where have we been? Where are we going? BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com
More informationPrivileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery
Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account
More information