IAM and GRC: A Practical Perspective. Panel Discussion

Transcription

1 IAM and GRC: A Practical Perspective Panel Discussion

2 The Panel Sumukh Tendulkar Director of Product Marketing RSA Archer Alicia Herring Director of Risk & Compliance TSYS Paul Bedi Managing Director IDMWORKS Jim Ducharme VP of Engineering RSA Archer & IMG 2

3 RSA Identity and Access Management Enabling trusted interactions between identities and information Access Platform Authentication Federation/SSO Employees/Partners/Customers Identity Intelligence Governance Platform Compliance Identity Lifecycle Provisioning Applications/Data/Resources 3

4 RSA Archer Governance, Risk and Compliance (GRC) Board & CXOs LOB / Functional Executive CIO/CISO IT Business Practitioner Enterprise Risk IT Security Risk SecOps, VRM, ISMS, ITIL Management BC Planning, DR, Crisis Business Resiliency Event Management PCI, FISMA, Regulatory SOX, & NERC-CIP, Corporate ISO, Corporate Compliance Policies Audit Management Risk Control, Self Assessments, Operational & Enterprise Risk Loss Event Analysis 3 Third Party Party Relationship & Vendor Mgmt. Risk Business Context, Workflows, Common Foundation Data Model, Data Integration 4

5 Three Use Cases 1 Continuous Monitoring of Identity Controls to Minimize Risk 2 Manage Access Decisions Based on Application Risk 3 Improve Incident Response with Business and Identity Context 5

6 Is There a Relationship? Term GRC IMG Corporate Objective Statements established by executives for company s Shall vision be & mission. SOX Compliant Statements established by executives for company s vision & mission. Policy Authoritative Source Control Standard Control Procedure Application Directives to help achieve corporate objectives. Shall be SOX Compliant Regulatory requirements & industry standards that impact an organization. SOX 404 Rules Access for complying to applications with a & policy functions and authoritative must be source restricted mgmt. level. to authorized users. Operational Accounts controls of users implemented who are no to longer meet control with standards. company shall be deleted. An asset that enables a company to do what it does. Rules for correctness of user access to entitlements, based on user attributes. Source of truth about users and their access privileges. Attestation for Control Procedure. Review roles and disable orphaned accounts. Requirement IAM team implements in IMG. Requirement IAM team implements in IMG. System in which user has accounts. 6

7 Monitoring of Identity Controls GRC and IAM Authoritative Sources PCI, HIPAA, SOX, NIST, Access Control Policies and Procedures Control Standard # 1 Periodic Review of General Access Accounts Control Procedures Control Standard # 2 Role Based Access Control Control Procedures Control Standard # 3 Application Controls Quarterly Access Review Business / Technical Roles Enforce Access Policies 7

8 Access Risk Management Leveraging Risk to Manage Access Approvals 1 GRC Catalog Applications & Determine Risk 2 IMG View of Application Risk From Archer 3 IMG Application Risk Drives Approval Workflow & Review Frequency 8

9 Business + Identity Context During Security Investigations Identity Context Launch into RSA IMG System of Record for Identity & Access Context Access to User & Application Entitlement Context 9

10 THANK YOU

11 Risk Dashboard for Access Controls Corporate Objectives, Policies & Regulatory Standards Control Procedures Business Units, Products, Services, Processes, Technology Risk Dashboard Access Controls SoD Orphaned Account Reviews Process for Managing Access Contractor Access 11

12 RSA s Approach to GRC Governance Risk Corporate Objectives Policy Framework Authoritative Sources Control Framework Metrics Risk Register Loss Events Issue Management Exception Requests Remediation Plans Compliance Testing Manual Automated Enterprise Management Business Hierarchy Business Processes Product Services Applications Data 12