CIS13: How IAM Improved Sallie Mae's Compliance and Risk Posture
Jennifer Darwin, Senior Manager, Sallie Mae
Jennifer Darwin will discuss how Sallie Mae used identity management to address its compliance and security challenges. This identity governance case study will discuss how Sallie Mae was able to address more than 3,000 security controls (including FISMA and FFIEC regulations), while simultaneously eliminating critical security vulnerabilities associated with user access privileges, including SoD policy violations, entitlement creep and orphan accounts. She will also provide best practices to help companies achieve the same results.

Published in: Technology, Business

Transcript

  • 1. FINANCIAL SERVICES CASE STUDY: Improving Compliance & Risk Posture With Next-gen IAM
    Speaker: Jennifer Darwin, Manager of IAM, Corporate Information Security
    CLOUD IDENTITY SUMMIT, JULY 2013
  • 2. ABOUT SALLIE MAE
    ▶ The nation’s #1 financial services company specializing in education
    ▶ Over 10 million student and parent customers, more than 9,000 employees and 2,000 contractors
    ▶ Manages $207 billion in education loans & 529 college-savings plans
    ▶ The company’s saving programs, planning resources and financing options have helped more than 31 million people make the investment in higher education
  • 3. KEY BUSINESS DRIVERS
    ▶ Comply With Major Regulations
      – FISMA, SOX, GLBA, PCI and SAS-70’s (Sallie Mae)
      – FFIEC and State of Utah (Sallie Mae Bank)
      – SEC, FINRA & FTC (Upromise Rewards and Investments)
    ▶ Enhance Efficiencies Through Automated Provisioning
      – Some relatively high turnover functions create demand for more rapid SLAs
      – Restructuring creates short-term demand
      – New business initiatives require rapid but controlled response
    ▶ Reduce Operational Risk
      – Eliminate redundant, sub-optimal processes and centralize controls in one place across the enterprise
      – Prevent/detect fraud - manual processes and hand-offs make security policy enforcement challenging
  • 4. PROJECT STRATEGY
    ▶ Increase efficiency through Automation
    ▶ Improve effectiveness through process Optimization
    ▶ Improve Quality of compliance activities
    [Diagram: connected systems – Ariba, ADP, Workday, Databases, Mainframe, Exchange, AD, App 1, App 2, App 3, Etc.]
  • 5. PROJECT OVERVIEW
    [Diagram (Copyright ©2010 by Deloitte): Compliance Management; Employee, Customer, Business Partner; HR & Other Authoritative Sources; Enterprise Roles (Business Role – IT Roles – Entitlements); Access Management; Business Events; User Provisioning; Apps & Users]
  • 6. PROJECT OVERVIEW: IMPLEMENT ROLE-BASED ACCESS
    [Same diagram as slide 5, highlighting Enterprise Roles]
  • 7. PROJECT OVERVIEW: STREAMLINE ACCESS CERTIFICATIONS
    [Same diagram as slide 5, highlighting Automated Access Certification]
  • 8. PROJECT OVERVIEW: FOCUS ON ACCESS REQUEST FORMS
    [Same diagram as slide 5, highlighting Application Access Request Form]
  • 9. RESULTS: CLEARLY DEFINED USER ROLES
    [Chart: # of Users with Enterprise Roles, by phase]
      Phase 1: 250 users
      Phase 2: 2500 users
      Phase 3: 5000 users
      Phase 4: 6000 users
      Phase 5: 6500 users
  • 10. RESULTS: ENHANCED PROVISIONING
    [Chart: Provisioning Efficiencies – duration from Request to Provision]
      Original State
      Current State: 33% Reduction
      Future State: 60% Reduction (est.)
  • 11. RESULTS: STREAMLINED ACCESS CERTIFICATION PROCESS
  • 12. RESULTS: 64% IMPROVEMENT ACHIEVED, EXCEEDING EXPECTATIONS!
    Before (separate, manual spreadsheets):
      – Over 1100 Controls: PCI 240, FISMA 200, ICE (for IT) 400, GLBA / FFIEC 250, FACTA 14
      – Different frameworks; different risk areas
      – Inconsistent traceability to mandates
      – Incomplete coverage of mandates
    After (single repository, solution enabled):
      – 400 Integrated Requirements (64% overlap removed)
      – Common Framework using 16 Functional Risk Areas
      – Full traceability to 160+ mandates
      – Includes FISMA, ICE, PCI DSS, GLBA, etc.
  • 13. WHERE WE ARE NOW
    ▶ More than 700 applications on-boarded
    ▶ Over 6,500 users in a job role (approximately 75% of the company)
    ▶ Seven segregation of duty or monitoring processes implemented
    ▶ Access certification improvements institutionalized
      – This consists of over 20,000 user entitlements to be reviewed this year
  • 14. WHERE WE WANT TO BE BY Q4 2013
    ▶ Continue to expand current project scope
      – Goal is to have 90% of the company in enterprise roles
      – Goal is to have 24 certifications scheduled
    ▶ Continue expanding project scope to include even more SaaS and hosted apps
      – ADP, Ariba, Workday
      – Looking at externally hosted apps too (FIS, FNI, FDR)
    ▶ Moving to make Workday our authoritative source
      – Corporate HR system moving to Workday – tentatively scheduled for Q4 2014
  • 15. LESSONS LEARNED/BEST PRACTICES
    ▶ Do Enterprise Roles First
      – Simplifies the implementation of all IAM components and reduces future rework
      – Team MUST include someone who has successfully deployed Enterprise Roles
    ▶ Well Defined Roadmap
      – Requires shared vision from business and executives
      – Part of broader program
    ▶ Achieve Quick Wins
      – Showing results is critical to keep momentum of multi-year program
    [Diagram: Enterprise Roles – can be leveraged across User Provisioning, Access Requests, Access Certification]
  • 16. THANK YOU AND QUESTIONS
    Jennifer Darwin
    317.598.4104
    jennifer.a.darwin@salliemae.com
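The role model in the project-overview slides (a business role expanded to IT roles and then to application entitlements) and the three access risks named in the session abstract (SoD policy violations, entitlement creep, orphan accounts) can be exercised together in one small governance check. The Python below is an added example, not code from the presentation or from Sallie Mae's implementation; the business roles, IT roles, entitlements, SoD policy, identities and accounts are all constructed sample data, and the HR feed is assumed to be the authoritative source for who is active, which is the assumption the deck makes when it moves to Workday.

```python
"""Identity-governance checks over a role-based access model.

Added example: roles, entitlements, SoD policy and the sample identities
and accounts below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Business role -> IT roles (constructed)
BUSINESS_ROLES: Dict[str, Set[str]] = {
    "loan_servicer": {"servicing_app_user", "crm_user"},
    "payments_clerk": {"payments_app_user"},
    "payments_approver": {"payments_app_approver"},
    "hr_analyst": {"hris_reader"},
}
# IT role -> application entitlements (constructed)
IT_ROLES: Dict[str, Set[str]] = {
    "servicing_app_user": {"servicing:view_loan", "servicing:update_loan"},
    "crm_user": {"crm:read_contact"},
    "payments_app_user": {"payments:create_payment"},
    "payments_app_approver": {"payments:approve_payment"},
    "hris_reader": {"hris:read_employee"},
}
# Segregation-of-duties policy (constructed): (name, entitlement A, entitlement B);
# no single person may hold A and B together.
SOD_POLICIES: List[Tuple[str, str, str]] = [
    ("create-and-approve-payment", "payments:create_payment", "payments:approve_payment"),
]


@dataclass
class Identity:
    """A person as recorded in the authoritative (HR) source."""
    identity_id: str
    business_role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    """An account in a target application or directory."""
    account_id: str
    owner_id: Optional[str]  # identity_id, or None when no owner is recorded
    entitlements: Set[str] = field(default_factory=set)


def role_entitlements(business_role: str) -> Set[str]:
    """Expand a business role through its IT roles to the entitlements it grants."""
    granted: Set[str] = set()
    for it_role in BUSINESS_ROLES.get(business_role, set()):
        granted |= IT_ROLES.get(it_role, set())
    return granted


def find_orphan_accounts(accounts, identities) -> List[str]:
    """Accounts with no recorded owner, or whose owner is not active in HR."""
    active = {i.identity_id for i in identities if i.status == "active"}
    return sorted(a.account_id for a in accounts if a.owner_id not in active)


def find_entitlement_creep(accounts, identities) -> Dict[str, List[str]]:
    """Entitlements an account holds beyond what its owner's business role grants."""
    by_id = {i.identity_id: i for i in identities}
    creep: Dict[str, List[str]] = {}
    for acct in accounts:
        owner = by_id.get(acct.owner_id)
        if owner is None:
            continue  # unowned accounts are reported by find_orphan_accounts
        extra = acct.entitlements - role_entitlements(owner.business_role)
        if extra:
            creep[acct.account_id] = sorted(extra)
    return creep


def find_sod_violations(accounts) -> List[Tuple[str, str]]:
    """Owners whose combined entitlements across all their accounts break a SoD policy."""
    held: Dict[str, Set[str]] = {}
    for acct in accounts:
        if acct.owner_id is not None:
            held.setdefault(acct.owner_id, set()).update(acct.entitlements)
    violations = []
    for owner_id, ents in held.items():
        for name, left, right in SOD_POLICIES:
            if left in ents and right in ents:
                violations.append((owner_id, name))
    return sorted(violations)


# Constructed sample data: one clean user, one whose extra entitlement also
# breaks SoD, one account whose owner was terminated, one account nobody owns.
SAMPLE_IDENTITIES = [
    Identity("E100", "loan_servicer", "active"),
    Identity("E200", "payments_clerk", "active"),
    Identity("E300", "hr_analyst", "terminated"),
]
SAMPLE_ACCOUNTS = [
    Account("svc-e100", "E100", {"servicing:view_loan", "servicing:update_loan", "crm:read_contact"}),
    Account("pay-e200", "E200", {"payments:create_payment", "payments:approve_payment"}),
    Account("hris-e300", "E300", {"hris:read_employee"}),
    Account("svc-legacy", None, {"servicing:view_loan"}),
]

if __name__ == "__main__":
    print("orphan accounts:", find_orphan_accounts(SAMPLE_ACCOUNTS, SAMPLE_IDENTITIES))
    print("entitlement creep:", find_entitlement_creep(SAMPLE_ACCOUNTS, SAMPLE_IDENTITIES))
    print("SoD violations:", find_sod_violations(SAMPLE_ACCOUNTS))
```

Each finder returns its findings rather than only printing them, so the same output can seed an access-certification campaign (the out-of-role and orphan items are exactly what a manager should be asked to attest to) or a deprovisioning ticket. Entitlement creep is computed per account against the owner's role, while SoD is evaluated per person across every account they own, because a conflict split across two accounts is still a conflict.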