
The Business Of Identity, Access And Security V1.0

Identity management
Access control
Information Security

Published in: Technology, Business
  • Methodology: From April 25 to May 7, 2006 a total of 1,037 surveys were completed in the U.S. and 1,203 in Europe (UK 235; France 238; Germany 242; Spain 245; Italy 243). The statistical confidence interval for the U.S. and the European results is plus or minus 3% at a 95% level of significance.
  • Raising Your Return on Innovation Investment By Alexander Kandybin and Martin Kihn   5/11/04 Each company has an intrinsic innovation effectiveness curve. Here are three ways to lift it. Pillar One: Understand Your Innovation Effectiveness Curve Pillar Two: Master the Entire Innovation Value Chain Pillar Three: Don’t Do It All Yourself
  • Transcript

    • 1. The business of identity, access and security. Theo Nassiokas, Head of Risk & Compliance, Information Security, Westpac Banking Corporation. Identity Management Forum 2007 – November 28-30th. What’s in it for me?
    • 2. Overview
      • Compliance, risk & governance and identity management
      • Identity management convergence
      • Aligning IT projects to business
      • Minimising project risk
      • Conclusion
      • Regulatory focus – Access control or identity management?
      • Identity Management (IDM) – What is it?
      • Objective of identity management
      • Executive summary
    • 3. Executive summary
      • Identity management (funny enough) is the management of identities – not the management of technology
      • The emerging global regulatory framework focuses on knowing your customer (KYC) and knowing your risk
      • Compliance, risk & governance all have a crucial role to play in the diligent management of identities
      • The objective of good identity management is to enable business – not to document processes and pass audits
      • Traditionally disparate identity databases (e.g. physical & logical access) are converging into one source of truth!
      • Aligning a proposed project to business objectives demonstrates its value proposition
      • Understanding your organisation’s culture and risk appetite will increase the chance of initial project funding approvals
    • 4. Identity Management (IDM) What is it?
    • 5. Identity management defined
      • Identity management is the management of the Identity Life Cycle of Entities (ILCE) , which consists of identities being:
      • Established
        • A name (or number) is connected to the subject or object;
      • Re-established
        • A new or additional name (or number) is connected to the subject or object;
      • Described
        • One or more attributes which are applicable to this particular subject or object may be assigned to the identity;
      • Newly described
        • One or more attributes which are applicable to this particular subject or object may be changed; and
      • Destroyed
      • Source: Wikipedia - http://en.wikipedia.org/wiki/Identity_management
    • 6. Two perspectives of IDM
      • User Access paradigm
      • An integrated system of business processes, policies and technologies that facilitate and control a user's access to critical online applications and resources
      • Service paradigm
      • Converged services, covering all the resources of the company that are used to deliver online services, including unified services and single customer view facilities
      • Source: Wikipedia - http://en.wikipedia.org/wiki/Identity_management
      • IDM Convergence (diagram label)
    • 7. Regulatory focus Access control or identity management?
    • 8. What comes 1st – The chicken or the egg?
      • Access control, as the name suggests, is a set of controls governing access to information systems, including:
        • Technology
          • User IDs and passwords
          • Tokens
          • Biometrics
        • Processes
          • Issuing user IDs and passwords and technologies
          • Periodical user access revalidation reporting
          • On-boarding and off-boarding
      • Identity management is a process that provides the required degree of assurance that the holder of an identity is its rightful owner. It is therefore no surprise that this is the common regulatory thread…
    • 9. The common regulatory thread
      • Identity management is the focus of an emerging regulatory framework:
        • Anti Money Laundering (AML) and Counter Terrorism Financing (CTF) Act 2006 (Commonwealth of Australia) (banks and insurance)
        • Basel II Capital Adequacy Accord 2005 – Bank for International Settlements (Basel, Switzerland) (banks)
        • Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002 (USA) (SEC registered/NYSE or NASDAQ listed)
        • Crimes Act 1914 (Commonwealth of Australia)
        • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act 2001 (USA)
        • Financial Modernization (Gramm-Leach-Bliley Act [GLB]) Act 1999 (USA) (US banking & finance)
        • Data Protection Act 1998 (UK & USA)
        • Privacy Act 1988 (as amended) (Commonwealth of Australia)
        • Financial Transactions Reports Act 1988 (as amended) (Commonwealth of Australia)
        • The regulatory environment is the new DNA of identity management.
    • 10. Compliance, risk & governance and identity management
    • 11. Regulatory compliance
      • Common benchmarks are:
        • Regulatory
          • Basel II Capital Adequacy Accord 2005 – Bank for International Settlements – Basel, Switzerland
          • Public Company Accounting Reform and Investor Protection (Sarbanes Oxley) Act 2002 (USA)
          • Privacy laws (local and foreign)
          • Anti-cybercrime laws (local and foreign)
    • 12. Policy compliance
      • Common benchmarks are:
        • Policy
          • Technology Code of Use
          • Information Security Policy
          • Standard Operating Environment (SOE)
          • Architecture and Strategy
          • Standards (internal and external)
    • 13. Business risk
      • Areas according to the Basel Accord are:
        • Credit Risk
        • Market Risk
        • Operational Risk
        • Interest Rate Risk (optional)
      • Focus on operational risk re: identity management
        • Likelihood and Consequence
        • Quantitative vs Qualitative
        • Scenario based
          • Ontology and Taxonomy
    • 14. Risk is easy!? (Source: Dr Peter Tippett, ICSA Labs (Verizon Business), Mechanicsburg, Pennsylvania, USA)
    • 15. Governance
      • What is it?
      • It is the overall corporate oversight framework, consisting of:
        • Enterprise strategy & planning
        • Service delivery capability requirements
        • Management frameworks
        • Management structures
      • Governance is required to give the Board:
        • i. Transparency of the enterprise capability and strategic risks across the enterprise
        • ii. Assurance that strategies are aligned to the business and that operational plans are aligned with strategic plans
        • iii. Assessment of future capabilities and innovations
    • 16. Governance
      • Corporate governance consists of five main areas:
        • Risk/Security Governance
        • Administrative and Financial Governance
        • Operational Governance
        • Regulatory and Legal Governance
        • IT Governance
      • Risk/Security and IT Governance are the main focus areas of IDM.
    • 17. Objective of identity management
    • 18. Conservative corporate culture
      • Why is this relevant to identity management?
        • Conservative culture
          • ‘Realistic’ valuation methods, e.g. NPV, Cost Benefit, IRR, etc.
          • Value perception limited to ‘passing audits’
          • Scope of work limited to ‘minimum compliance requirements’
          • Drivers are usually threats from regulator or ‘near death experiences’
    • 19. Innovative corporate culture
      • Why is this relevant to identity management?
        • Innovative culture
          • ‘Perceived’ valuation methods, i.e. subjective SME valuations
          • ‘Normative’ valuation methods, i.e. comparative ‘best practice’ data
          • Value perception broadened to ‘enabling business’
          • Scope of work broadened to ‘maximum value requirements’
          • Driver is future growth through innovation e.g. enhancing brand through greater ‘customer trust’
    • 20. Research re: IDM as enabler
      • CMO Council
        • “Secure the Trust of Your Brand” – Aug 2006
    • 21. Research re: IDM as enabler
        • “Secure the Trust of Your Brand” – Aug 2006
    • 22. Research re: IDM as enabler
        • “Secure the Trust of Your Brand” – Aug 2006
          • 65% of European and U.S. respondents, on average, have experienced computer security problems
          • 1 in 6 respondents have had their personal information lost or compromised
          • 40% of respondents have actually stopped a transaction due to a security incident
          • Over one third would consider taking their business elsewhere if personal information were compromised
          • 25% would definitely take their business elsewhere if their personal information were compromised
    • 23. Identity management convergence
    • 24. Physical and logical convergence
      • What is identity management convergence?
        • Merger of disparate Identity Management capabilities
        • It can be physical and/or intellectual
          • Physical: the sharing of office facilities & space; and
          • Intellectual: the sharing of knowledge
        • It can be project driven
          • Implementation of staff smartcards for physical building and logical information systems access
      • Why are physical and logical capabilities converging?
        • One holistic identity management strategy
          • Easier to align with CIO and business strategies
        • One single point of contact (e.g. the CIO or the business)
        • Increased information sharing between stakeholders
        • Cross-train staff (comparative advantage)
        • Lower total cost of ownership
    • 25. Who are the stakeholders?
      • (Diagram) IDM Governance spans the Physical, IT, Legal and Regulatory domains. Stakeholder concerns shown: Industry codes; IP; Data Protection Act (UK); Sarbanes Oxley S302, 404, 409; USA PATRIOT Act; ISO 27001; California Senate Bill 1386; BCP failure; Phishing; Cyber crime; Basel II; ISO 27002; Virus incidents; Physical theft of information; Unauthorised software usage; System access control; License breach; Staff screening checks; Outsourced service provider control; Information access control; Network domain access; Unauthorised physical access; Targeted attack – mass extinction event; Privacy laws.
    • 26. IDM convergence is innovative
      • Strategy is “how the mission will be achieved”, i.e. IDM convergence
      • Strategic Planning is “how the strategy will be achieved”, i.e. trajectory
      • Trajectory is “the time required to deliver the strategy”
      • Example – Convergence strategy (diagram): Strategic Planning achieves the strategy, moving from Capability Today to Capability Tomorrow, achieved through:
        • Identification of stakeholders
        • Identification of synergies between stakeholders
        • Leveraging synergies
    • 27. Is leading an innovation easy?
      • “Let it be noted that there is no more delicate matter to take in hand, nor more dangerous to conduct, nor more doubtful in its success, than to set up as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order, and only lukewarm supporters in those who might be better off under the new.”
        • [Niccolò Machiavelli (1469-1527), The Prince, 1513, Chapter VI, para. 5]
    • 28. Aligning IT projects with business
    • 29. Why is alignment to business important?
      • Example – Technology ‘line of sight’ to business (diagram: three parallel planning chains, each step aligned with the corresponding step beside it)

      | Business | Technology | Identity Management |
      |---|---|---|
      | Assessment of the Business | Assessment of technology requirements | Assessment of Identity Management requirements |
      | Vision and mission for the Business | Vision and mission for technology | Vision and mission for Identity Management |
      | Business Strategy | Technology Strategy | Identity Management Strategy |
      | Business Strategic Plan | Technology Strategic Plan | Identity Management Strategic Plan |
      | Business Operational Plans and Budgets | Technology Operational Plans and Budgets | Identity Management Operational Plans and Budgets |
    • 30. Minimising project risk
    • 31. The innovation effectiveness curve
    • 32. The innovation value chain
    • 33. Conclusion
      • “Identity management” isn’t a fancy term for “access control”. Get your processes right and then build the technology to support them.
      • The emerging global regulatory framework is the new DNA of identity management planning. Ignore this at your own peril!
      • Identity management processes should be designed within an effective compliance, risk & governance framework
      • To manage identities well is to ‘know your customer’ well and understand associated business risks – this enables business
      • Get to one source of truth, in terms of identity databases! It is far more effective and efficient and reduces total cost of ownership.
      • Get the business to ‘own’ a proposed project, so that it is promoted by the business. This makes ‘selling’ value straightforward!
      • Building the organisational culture and risk appetite into the project design will provide the right delivery trajectory and increase the likelihood of effective and timely execution and success.
    • 34. Questions?
      • Contact details:
      • Theo Nassiokas
      • Head of Risk & Compliance, Information Security
      • Westpac Banking Corporation
      • [email_address]
      • +61 (0)2 8254 2064 office
      • +61 (0)419 885 930 mobile
      Thank you for your time!
    • 35. Appendix A – Security Convergence
      • Where is the evidence?
      • Actual ‘security convergence’ project budgets, based on surveying 60 end users from Canada, Europe and the United States (Source: Forrester Research, "Trends 2005: Security Convergence Gets Real")

      Spending on Converged Security Projects (per year, in $ millions)

      | Project category | 2004 | 2005 | 2006 | 2007 | 2008 |
      |---|---|---|---|---|---|
      | Public sector | 250 | 500 | 1,200 | 2,600 | 5,001 |
      | Physical/logical access control projects | 30 | 90 | 248 | 542 | 994 |
      | Large-scale convergence projects | 10 | 36 | 93 | 202 | 453 |
      | Small projects | 10 | 30 | 81 | 172 | 277 |
      | Other projects performed jointly by IT and physical security departments | 10 | 35 | 92 | 191 | 315 |
      | Total | 311 | 691 | 1,713 | 3,707 | 7,039 |
