  • In the discussion of this slide, we should draw the correlation to the business challenges noted earlier. It is suggested to sequence and align with those points.


  • 1. Information Security Governance: Managing Risk and Access to States' Critical Assets
    Lynnette Richmann, Partner, Information Technology Advisory Services, KPMG LLP (Government)
    August 12, 2008
  • 2. Information Security Agenda
    Risk Management
    • New & Emerging Threats
    • Compliance Challenges
    • Foreign National Threats
    • US Federal Government Requirements
    • Integration with ERM Initiatives
    • Risk Management vs. Risk Elimination
    • Evaluation & Prioritization of Risks
    • GRC Solutions
    Business Enablement
    • Changing and Dynamic Business Needs
    • Mergers, Globalization, Sourcing
    • Customer and Business Self-Service
    • Increased Data Portability & Exchange
    • Reliance on Third Parties
    • Integrity of Key Business Information
    Operational Excellence
    • Improved Governance Models & Structures
    • Improved Budgeting
    • Team Structure and Sizing
    • Service Levels/Management
    • Executive Reporting & Metrics
    • Managed Security Services
    • “How to provide more value with limited resources?”
    Technical Architecture
    • Changing view of “perimeters”
    • Identity and Access Platforms & Needs
    • Security Event Monitoring & Management
    • “Data Centric” Security Models & Leakage Protection
    • Service Oriented Architectures
    • Highly Available Infrastructures
    • Security Program Management
  • 3. The Goal – A Balanced Approach
    Value Creation (Business Performance)
    • Security as enabler to business
    • Alignment with business needs
    • Operational benefits
    Value Preservation (Risk Management)
    • Solid risk management
    • The right control in the right place
    • Understanding regulations
    • Driving down cost of compliance
    Information Protection Supports:
    • Better business decisions
    • Brand and reputation
    • Business Initiatives
  • 4. What is Information Protection?
    • Security Risk Assessment
    • Compliance and Risk Management
    • Legal and Discovery Efforts
    • Data Privacy and Identity Theft
    • Security Operations & Metrics
    • Business/Technology Resiliency
    • Third-Party Management
    • Security Breach Notification
    • Training and Awareness
    • Managing Internal/External Identities
    DEFINITION: An implemented, understood and measured program of policies, procedures and controls that help to consistently achieve compliance, regulatory, legal and business mandates.
  • 5. A Cavalcade of Regulations
    • Organizations are faced with a new, updated, and changing regulatory landscape. Some of the highlights include:
    • Privacy Notification Laws
      • 39+ States have privacy notification laws (including GA, FL, LA, TN, NC); others have security & Identity Theft laws
      • Potential for Federal Privacy Standards
    • NERC – Cyber Security & Reliability Standards (CIP-002 to CIP-009)
      • Increased scrutiny and formalization of penalties (risk & severity)
      • NOPR released in July may have more stringent implications
    • HSPD-12
      • Security requirements for Federal Government Agencies
    • FISMA
      • Security requirements for companies or organizations serving the US Government
    • HIPAA
      • Healthcare information security and privacy rules
    • PCI-DSS – Standards for Credit Card Security
      • Any business that accepts credit card payments is subject to PCI assessments
    • Sarbanes-Oxley – Section 404
      • Many non-public entities are choosing to adopt Sarbanes-Oxley internal control principles
  • 6. Building Blocks – Key Elements
    • Information Governance
      • Goals:
        • Establish responsibility, policy, procedures & controls
      • Trends:
        • Focus on Data Classification, Risk Assessments, Data Ownership
        • Data portability risks
        • Unstructured data is a problem
        • Increased focus on operational data (vs PII & financial)
        • Strong linkage to storage
    • Unified Approach to Security & Compliance
      • Goals:
        • Bring multiple compliance teams together, reduce effort, balance business objectives
      • Trends:
        • Focus on Risk Management, Critical Business Information and Business Processes
        • Consistent approach to governance, planning, testing
        • Leverage standards (CObIT, ISO27001, ITIL)
        • Prioritize key areas of compliance focus (Identity, Access, Change Mgmt, Logging/Monitoring, Governance)
    • Access Control and Identity Management
      • Goals:
        • Control and know who has access to what and why
      • Trends:
        • High priority in tools for provisioning and de-provisioning users
        • Focus on Role-Management and Segregation of Duties
        • Uniquely identifying “privileged access” users
        • Regular “certification” of user access
        • Improved logging and monitoring
    • Logging and Monitoring
      • Goals:
        • Formalized, proactive monitoring across applications, OS, Databases, Networks
      • Trends:
        • Prioritization to critical processes and transactions
        • Log standardization
        • Use of filters or analytical tools
        • Intelligent storing and rotation of logs
  • 7. Typical Business Environment Today
    • How do you manage and control who has access to what in an efficient and effective way?
    Diagram labels surrounding the question (stakeholders, pressures, systems and scale):
    • Stakeholders: System administrators, Security administrators, Business Managers, Employees, Suppliers, Citizens, Third parties, Business Partners, Federal, State, Local Agencies
    • Pressures: Outstanding audit issues, Internal Controls, Short user life cycles, Immediate access requirements, Segregation of duties, Consolidation, Data protection acts, Privacy legislation, FIPS 201, HSPD-12, FISMA
    • Systems: SAP, PeopleSoft, Windows, Mainframe, Web Portals, Business Applications, Employee self service, SSO, Provisioning
    • Scale: 1,000+ users, 100+ applications, 100,000+ possible functions
  • 8. IAM Lifecycle
    • Relationship Begins: Provisioning
    • Authentication and Authorization
    • Self Service and Password Management (e.g., forgotten password)
    • Changes during the Identity Lifecycle: new project; change of locations, roles, etc.
    • Relationship Ends: De-Provisioning
    • Compliance spans the whole Identity Lifecycle
  • 9. IAM Capability Stack
    IAM Maturity (increasing): Decentralized Administration; Centralized Administration; Centralized Management; Enterprise Administration; Enterprise Management
    IAM Capabilities (plotted against capabilities/complexity): Integration of Controlled Systems; Password Management; Access & Authorization Management; Provisioning Automation; Advanced Auditing; Distributed Administration; Advanced Authorization Management (Role-Based Access)
  • 10. Key Business and Enablement Drivers (i)
    • Five (5) Key Business and Enablement Drivers:
      • Regulatory Compliance
      • IT Risk Management
      • Operational Efficiency
      • Cost Containment
      • Business Facilitation
  • 11. Benefits of an IAM solution
    • Centralizes processes in a single trusted identity-aware system
    • Eases administration of identities with automation & delegation
    • Automates & streamlines application provisioning with workflows
    • Centralizes access control with policies and enforcement
    • Improves Authentication with Password Management
    • Supports Compliance with stronger controls, auditing & reporting
    • Enhances user-experience & reduces lost productivity with Single sign-on & User self-service
  • 12. Key Drivers For Implementation
    Q6. What are the top three most important business reasons your enterprise installed an IAM initiative? (Choose up to 3 items)
    Multiple responses allowed, among those who have implemented an automated IAM process.
  • 13. Key Findings – What Worked?
    • Comprehensiveness of vision, strategy, and roadmap and level of executive sponsorship were the most important factors related to the IAM initiative
    Success Factors (% rating 4-5):
    • Comprehensiveness of IAM vision, strategy, and roadmap: 76%
    • Level of executive sponsorship: 76%
    • Project Management: 73%
    • Accuracy of initial project scope: 67%
    • Level of stakeholder expectations: 67%
    • The IAM technology tool: 67%
    • Accuracy of initial project budget: 61%
  • 14. Appendix – Additional Reference Slides
  • 15. Information Governance
    • Information Governance (or Information Management) is an increasing priority for most entities, including State and Local Government. Most Information Governance programs focus on:
      • Establishing governance (responsibility, policy, procedures) for organizational Information & Data
      • Identifying and prioritizing critical Information Assets
      • Developing and implementing appropriate controls for the Information Assets
    • Some of the trends in Information Governance we have identified include:
      • More focus on Data Classification and Risk Assessments
        • Data ownership is still a tug-of-war between Business and IT
      • Data portability risks are increasing exponentially
        • Data Leakage tools and processes are starting to mature
      • Unstructured data is still a problem for most organizations
      • Increased focus on Operational Data rather than just privacy- or financially-driven information
      • Strong linkage to Storage projects and planning
  • 16. Unified Approach to Security & Compliance
    • Inconsistent standards and compliance approaches have created inefficiencies including:
      • Multiple compliance teams working in silos across the organization
      • Process Owners losing productivity due to multiple audit requirements
      • More focus on compliance rather than business improvement
      • Tactical response to audit findings rather than root cause
    • Some leading practices have emerged with demonstrable benefits to the compliance efforts:
      • Strong focus on Risk Management and assessment of Critical Business Information and Business Processes
      • Linking multiple compliance efforts into a more unified approach including consistent governance, planning, and testing
      • Leveraging well-known standards (CObIT, ISO27001, ITIL) to drive organizational improvements rather than siloed compliance standards
      • Prioritizing key areas of compliance focus (Identity Management & Access Control, Change Management, Logging & Monitoring, and Information Governance)
  • 17. Access Control & Identity Management
    • Focus on Access Control and Identity Management will continue to be a priority requirement, consistent across all regulations:
      • Who is accessing systems and applications?
      • What data/information do they have access to?
      • Is it appropriate for their job/position?
    • Some trends include:
      • A priority remains the process and technology for provisioning and de-provisioning of users (employees, contractors, customers)
        • Slightly less than in previous years
      • Focus on Role-Management to identify inconsistencies across the enterprise
      • Segregation of Duties analysis is a growing concern
      • Uniquely identifying “privileged access” users and system accounts
      • Regular “certification” of user access
      • Improved logging and monitoring of “sensitive” transactions or access
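    The trends on this slide (Segregation of Duties analysis, singling out privileged and system accounts, regular certification of access, and cleaning up accounts whose relationship has ended) can all be run as one periodic access review over an export of user-to-role assignments. The Python below is an added example, not code from the deck or from KPMG: the accounts, roles, owners and toxic-role pairs are constructed sample data, and the rule set, flag names and worksheet layout are assumptions.

```python
"""
Access review helpers: Segregation of Duties (SoD) analysis, privileged-account
identification, de-provisioning clean-up and an access-certification worksheet.

Illustrative example; accounts, roles and conflict rules are constructed
sample data, not data from any real organization.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    owner: str              # person accountable for the account (manager for staff)
    roles: set = field(default_factory=set)
    active: bool = True     # False once HR reports the relationship has ended
    service: bool = False   # True for system/service accounts


# Toxic combinations: holding both roles lets one person complete a transaction
# end to end. Assumed rule set for the example.
SOD_RULES = {
    ("vendor_create", "payment_release"),
    ("payroll_edit", "payroll_approve"),
    ("journal_post", "journal_approve"),
}

# Roles that confer "privileged access" and therefore get the closest review.
PRIVILEGED_ROLES = {"domain_admin", "db_admin", "root_equivalent"}


def sod_violations(accounts):
    """Return {user_id: [(role_a, role_b), ...]} for every toxic pair a user holds."""
    found = {}
    for acct in accounts:
        hits = [pair for pair in SOD_RULES if pair[0] in acct.roles and pair[1] in acct.roles]
        if hits:
            found[acct.user_id] = sorted(hits)
    return found


def privileged_accounts(accounts):
    """Accounts (human or service) holding any privileged role."""
    return sorted(a.user_id for a in accounts if a.roles & PRIVILEGED_ROLES)


def deprovisioning_candidates(accounts):
    """Accounts still holding roles after the relationship ended: de-provisioning missed them."""
    return sorted(a.user_id for a in accounts if not a.active and a.roles)


def certification_worksheet(accounts):
    """Group accounts by accountable owner, with review flags, so each owner
    certifies exactly the access they are responsible for."""
    sheet = defaultdict(list)
    sod = sod_violations(accounts)
    priv = set(privileged_accounts(accounts))
    for acct in accounts:
        flags = []
        if acct.user_id in sod:
            flags.append("SOD")
        if acct.user_id in priv:
            flags.append("PRIVILEGED")
        if not acct.active:
            flags.append("INACTIVE")
        if acct.service:
            flags.append("SERVICE")
        sheet[acct.owner].append((acct.user_id, sorted(acct.roles), flags))
    return dict(sheet)


# Constructed sample export of user-to-role assignments.
SAMPLE_ACCOUNTS = [
    Account("alice", "mgr_finance", {"vendor_create", "payment_release"}),
    Account("bob", "mgr_finance", {"domain_admin"}),
    Account("carol", "mgr_hr", {"journal_post"}, active=False),
    Account("svc_backup", "mgr_hr", {"db_admin"}, service=True),
    Account("dave", "mgr_hr", {"payroll_edit"}),
]


if __name__ == "__main__":
    print("SoD violations:", sod_violations(SAMPLE_ACCOUNTS))
    print("Privileged:", privileged_accounts(SAMPLE_ACCOUNTS))
    print("De-provisioning candidates:", deprovisioning_candidates(SAMPLE_ACCOUNTS))
    for owner, rows in certification_worksheet(SAMPLE_ACCOUNTS).items():
        print(owner, rows)
```

    Each owner's worksheet rows carry the flags a reviewer needs to prioritize: toxic combinations and privileged roles first, then inactive accounts that should already have been removed, then service accounts that have no human owner and so need an explicit business justification.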
  • 18. Logging & Monitoring
    • Logging and monitoring requirements are becoming more formalized, with a stronger focus on “proactive” monitoring of logs, looking for potential incidents or issues. This is complicated by:
      • Multiple sets of logs (Application, OS, Database, Network)
      • Volume of data
      • Performance issues
    • Some trends regarding logging and monitoring include:
      • Prioritization of logging and monitoring to critical processes and transactions
      • Log standardization including format, configurations, and time synchronization
      • Using filters or analytical tools to facilitate “proactive” monitoring
      • More intelligent storing and rotation of logs
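    Log standardization and time synchronization are what make a filter across "multiple sets of logs" possible: the same account failing authentication in the application, the OS and the database only shows up as one burst once the three formats are parsed into one schema and their clocks are brought to UTC. The Python below is an added example, not code from the deck or from KPMG. The three log formats, the sample lines, the assumed UTC-05:00 offset of the syslog host and the burst threshold are all constructed for the example.

```python
"""
Normalize three constructed log sources (application JSON, syslog-style OS log,
database audit log) into one UTC-ordered schema, then apply a proactive-
monitoring filter for repeated authentication failures per account.

Illustrative example; formats, sample lines and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines. The application logs its own local offset, the
# syslog host is assumed to run at UTC-05:00 and omits the year, and the
# database audit log carries an explicit ISO-8601 offset.
APP_LOG = [
    '{"ts": "2008-08-12T09:00:05-04:00", "event": "login_failed", "user": "jsmith", "src": "10.1.2.3"}',
    '{"ts": "2008-08-12T09:00:20-04:00", "event": "login_failed", "user": "jsmith", "src": "10.1.2.3"}',
    '{"ts": "2008-08-12T09:01:00-04:00", "event": "login_ok", "user": "mlee", "src": "10.1.2.9"}',
]
OS_LOG = [
    "Aug 12 08:00:40 host1 sshd[412]: Failed password for jsmith from 10.1.2.3",
    "Aug 12 08:10:00 host1 sshd[412]: Accepted password for mlee from 10.1.2.9",
]
DB_AUDIT = [
    "2008-08-12T13:00:55+00:00|LOGIN_FAILED|jsmith|10.1.2.3",
]
OS_LOG_TZ = timezone(timedelta(hours=-5))   # assumed local offset of host1
OS_LOG_YEAR = 2008                           # syslog lines carry no year

SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (\S+?)\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)"
)


def parse_app(line):
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "source": "app", "event": rec["event"], "user": rec["user"], "src": rec["src"]}


def parse_os(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None   # lines that are not auth events are dropped by this filter
    local = datetime.strptime(f"{OS_LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=OS_LOG_TZ)
    event = "login_failed" if m.group(3) == "Failed" else "login_ok"
    return {"ts": local.astimezone(timezone.utc), "source": "os", "event": event,
            "user": m.group(4), "src": m.group(5)}


def parse_db(line):
    ts, event, user, src = line.split("|")
    return {"ts": datetime.fromisoformat(ts).astimezone(timezone.utc), "source": "db",
            "event": event.lower(), "user": user, "src": src}


def normalize(app=APP_LOG, os_=OS_LOG, db=DB_AUDIT):
    """Merge every source into one list of events ordered by UTC time."""
    events = [parse_app(l) for l in app] + [parse_db(l) for l in db]
    events += [e for e in (parse_os(l) for l in os_) if e]
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=2)):
    """Flag each user with at least `threshold` failures, from any source,
    inside a sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_user[e["user"]].append(e)       # events arrive already time-ordered
    alerts = []
    for user, fails in by_user.items():
        for i in range(len(fails)):
            span = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(span) >= threshold:
                alerts.append({"user": user, "count": len(span), "first": fails[i]["ts"],
                               "sources": sorted({f["source"] for f in span})})
                break                           # one alert per user per run
    return alerts


if __name__ == "__main__":
    for alert in failed_login_bursts(normalize()):
        print(alert)
```

    Run as-is, the four jsmith failures that read as 09:00, 08:00 and 13:00 in their native logs collapse to a 50-second burst in UTC and raise a single alert listing all three sources; with unsynchronized clocks the same events would never fall inside one window.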
  • 19. Key Business and Enablement Drivers
    Driver: Business Facilitation
    • Pressures:
      • Integration of large numbers of users
      • Poor customer on-boarding processes
      • Inconsistent customer experience
      • No standardization of basic provisioning and de-provisioning processes
      • User complaints of “red tape” when making changes to personal information
    • I&AM Value Proposition:
      • Centralized group/role based security infrastructure allows for quick integration of many users
      • User management functions standardized to meet specifications identified by corporate governance
      • Seamless and consistent integration of security and personalization for portal environments
      • User self-service for changes to personal and basic security information
    Driver: Reducing Risk
    • Pressures:
      • Diverse security postures
      • Increased likelihood of fraud
      • Increased security risk
    • I&AM Value Proposition:
      • Reduce / prevent fraud
      • Increased segregation of duties (SOD)
      • Better enforcement of policy
      • Alignment of financial system access
    Driver: Cost Containment
    • Pressures:
      • Administrative costs of employee and contractor user profiles
      • Infrastructure Upgrades
      • Applications Architecture Upgrades
      • Consolidation of IT
    • I&AM Value Proposition:
      • Streamlined application provisioning
      • Reduction in audit time
      • Reduced Costs, Resources
      • Reduced Licensing Fees
      • Quicker go-live for new applications
    Driver: Operational Efficiency
    • Pressures:
      • Departmental consolidation
      • Diverse business mixes
      • Outsourcing / off-shoring
      • Business process improvement
      • Administrative process improvement
    • I&AM Value Proposition:
      • Consistent security
      • Quicker re-branding of services
      • Quicker integration of new users
      • Reduced lost productivity
      • Improved workflow
    Driver: Improving Regulatory Compliance
    • Pressures:
      • Privacy Legislation
      • HSPD-12
      • FISMA
      • FIPS 201
      • HIPAA
    • I&AM Value Proposition:
      • Compliance automation
      • Improved monitoring
      • Flexibility to adapt to new regulations
      • Improved reporting
      • Increased reliance by external entities
  • 20. Identity & Access Management
    • Data Management
      • Processes and technologies that enable the management of a user identities
    • Provisioning
      • Propagation of identity and authorization data and policies to IT resources
    • User Management
      • Activities for effectively governing and managing the lifecycle of identities
    • Authentication Management
      • Governing and determining that an entity is who or what they claim to be
    • Authorization Management
      • Governing and determining what resources an entity is permitted to access
    • Access Management
      • Enforcing policies for access to information or resources
    • Governance
      • Consistent policies, processes, organizational structures and decision rights
    • Identity
      • The identifier and attributes for an entity (person, organization, device, resource, or service)
    • Monitoring and Audit
      • Monitoring, auditing and reporting compliance of users access to resources based on the defined policies and requirements
    • Agility
      • The ability to adapt to the changing user environment
    Policies, processes and systems for effectively governing and managing who has access to what within an organization.
    Diagram components: Identity; Data Management; Provisioning; User Management; Authentication Management; Authorization Management; Access Management; Monitoring and Reporting; Audit and Compliance; Governance; Agility
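    The components defined on this slide, and the lifecycle of slide 8 (relationship begins, provisioning, authentication, authorization, role changes, de-provisioning, relationship ends), fit together in a small working model: provisioning propagates entitlements derived from roles to each target resource, access management enforces authentication and then authorization on every request, every decision is audited, and de-provisioning withdraws all entitlements in one step. The Python below is an added example, not code from the deck or from KPMG; the resources, roles, role-to-permission policy and the PBKDF2 credential check are constructed for the example.

```python
"""
Minimal identity-and-access model: identity attributes, provisioning that pushes
entitlements to resources, authentication, authorization, access enforcement,
audit trail, and de-provisioning that revokes everything.

Illustrative example only; resources, roles and policies are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000   # assumed work factor for the example


class Resource:
    """A target system that receives provisioned entitlements."""
    def __init__(self, name):
        self.name = name
        self.entitlements = {}   # user_id -> set of permissions held on this system


class IAMSystem:
    def __init__(self, role_policy):
        self.identities = {}            # user_id -> attributes incl. credential hash
        self.resources = {}             # resource name -> Resource
        self.role_policy = role_policy  # role -> {resource: {permissions}}
        self.audit = []                 # (utc time, event, user, detail)

    def _log(self, event, user, detail=""):
        self.audit.append((datetime.now(timezone.utc), event, user, detail))

    def register_resource(self, name):
        self.resources[name] = Resource(name)

    # --- Identity + provisioning (relationship begins) ---
    def provision(self, user_id, password, roles, **attrs):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.identities[user_id] = {"salt": salt, "hash": digest, "roles": set(roles),
                                    "active": True, **attrs}
        self._push_entitlements(user_id)
        self._log("provision", user_id, ",".join(sorted(roles)))

    def _push_entitlements(self, user_id):
        """Recompute this user's entitlements from roles and propagate them to every resource."""
        ident = self.identities[user_id]
        for res in self.resources.values():
            res.entitlements.pop(user_id, None)        # withdraw stale grants first
        if not ident["active"]:
            return
        for role in ident["roles"]:
            for res_name, perms in self.role_policy.get(role, {}).items():
                self.resources[res_name].entitlements.setdefault(user_id, set()).update(perms)

    def change_roles(self, user_id, roles):
        self.identities[user_id]["roles"] = set(roles)
        self._push_entitlements(user_id)
        self._log("role_change", user_id, ",".join(sorted(roles)))

    # --- Authentication: is the entity who it claims to be? ---
    def authenticate(self, user_id, password):
        ident = self.identities.get(user_id)
        if ident is None or not ident["active"]:
            self._log("auth_failed", user_id, "unknown or inactive")
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), ident["salt"], PBKDF2_ROUNDS)
        ok = hmac.compare_digest(digest, ident["hash"])
        self._log("auth_ok" if ok else "auth_failed", user_id)
        return ok

    # --- Authorization: what is the entity permitted to access? ---
    def is_authorized(self, user_id, resource, permission):
        return permission in self.resources[resource].entitlements.get(user_id, set())

    # --- Access management: enforce authn, then authz, and audit the decision ---
    def access(self, user_id, password, resource, permission):
        if not self.authenticate(user_id, password):
            return False
        allowed = self.is_authorized(user_id, resource, permission)
        self._log("access_allowed" if allowed else "access_denied", user_id, f"{resource}:{permission}")
        return allowed

    # --- De-provisioning (relationship ends) ---
    def deprovision(self, user_id):
        self.identities[user_id]["active"] = False
        self.identities[user_id]["roles"] = set()
        self._push_entitlements(user_id)
        self._log("deprovision", user_id)


# Constructed role-to-entitlement policy.
POLICY = {
    "clerk": {"erp": {"read"}},
    "approver": {"erp": {"read", "approve"}, "portal": {"read"}},
}


def demo():
    """Walk one identity through the lifecycle and return the access decisions made."""
    iam = IAMSystem(POLICY)
    iam.register_resource("erp")
    iam.register_resource("portal")
    iam.provision("jdoe", "correct horse", ["clerk"], department="finance")
    results = [iam.access("jdoe", "correct horse", "erp", "read"),      # clerk may read
               iam.access("jdoe", "correct horse", "erp", "approve")]   # clerk may not approve
    iam.change_roles("jdoe", ["approver"])
    results.append(iam.access("jdoe", "correct horse", "erp", "approve"))  # now permitted
    results.append(iam.access("jdoe", "wrong", "erp", "read"))             # bad credential
    iam.deprovision("jdoe")
    results.append(iam.access("jdoe", "correct horse", "erp", "read"))     # relationship ended
    return iam, results


if __name__ == "__main__":
    iam, results = demo()
    print(results)
    for entry in iam.audit:
        print(entry[1], entry[2], entry[3])
```

    The audit list is the "Monitoring and Audit" component: it records provisioning, role changes, every authentication outcome and every access decision, which is what a later access certification or incident review reads back.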