The document discusses how regulatory demands and data growth are challenging organizations: an 8x increase in compliance mandates and a 50x explosion in managed data, at the same time as IT is shifting to a hybrid environment. It recommends that organizations take a risk-based approach to identity and access management to improve visibility, strengthen controls, reduce compliance costs and improve decision making.
Globalization of your business… new privacy laws you have to understand and address. New federal regulations like ITAR (International Traffic in Arms Regulations).
Healthcare… HIPAA has teeth. ePHI breaches -- up to $1.5M per year in penalties for each violated provision.
Insurance… many insurers are public entities already subject to SOX; those not covered by SOX were captured by the NAIC Model Audit Rule.
SAS 70 has been replaced by SSAE 16… an IT control attestation that also covers subservice organizations (under HIPAA, Business Associates).
INTRO THEME -- Three big challenges to today’s compliance efforts:
Ever growing number of rules and regulations
Explosion in data
Shifting / Hybrid IT Environments
Member, Customer and Partner Data
Operational and Business Data
Big Data…
The challenge for the IT organization, and especially IT Audit, is a lack of understanding of this data: what it is, where it lives and who has access to it.
Shifts / fracturing of IT
What IT used to be… inside your four walls, centrally controlled, simple desktop access, etc.
IT Controls… Auditors still want you to prove you have proper controls (detective… and preventive)
The Blanket Approach
5000 employee company requiring an annual certification of user access. Each review (cert) takes 5 min.
5000 × 5 min ≈ 416 hours… about 10 person weeks
If quarterly reviews… 4 × 416 ≈ 1,666 hours (over 40 person weeks)
In our customers’ environments it is typical that only about 5% of the population carries the high risk, and addressing that 5% can eliminate roughly 85% of the risk. If you just start anywhere, you are more likely to complete 85% of the work while addressing only 5% of the risk.
Same 5000 employee company: a blanket annual review costs 416 hours (10 person weeks); quarterly, over 1,600 hours.
Leveraging the risk model, certify ONLY the high-risk users (~250, the top 5%)… 250 × 5 min ≈ 21 hours… under 3 days.
Reduce the amount of “rubber stamping” and get more valid and accurate reviews
Fast Forward… BI for Identity Management
Where the level of risk for every user and every application is visible.
Where the entire approach allows you to focus your efforts on eliminating the highest levels of risk
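The scoping logic behind the numbers above, as an added example that is not code from the presentation or its vendor: every user is scored from the criticality of the applications they hold access to, the privileged entitlements they hold and any separation-of-duties (SoD) conflicts, the top 5% by score becomes the certification population, and the reviewer effort is compared with a blanket annual and quarterly review. The application ratings, SoD rules, privilege heuristic, score weights and the constructed 5,000-user inventory are assumptions chosen to mirror the slide's figures (5,000 users, 5 minutes per review); a real model would take its weights from the organization's own risk assessment.

```python
"""Risk-based scoping of an access certification campaign.

Added example for this page; it is not code from the presentation or its
vendor. The application risk ratings, SoD rules, privilege heuristic and
the 5000-user inventory are constructed assumptions chosen to mirror the
worked numbers on the slide (5,000 users, 5 minutes per review).
"""
from dataclasses import dataclass

# Assumed application criticality ratings (1 = low, 5 = high), as a CMDB might hold them.
APP_RISK = {"ERP": 5, "PAYROLL": 5, "AD": 4, "CRM": 3, "WIKI": 1}

# Assumed separation-of-duties rules: entitlement pairs one person must not hold together.
SOD_RULES = [
    frozenset({"ERP:create_vendor", "ERP:approve_payment"}),
    frozenset({"PAYROLL:edit_salary", "PAYROLL:run_payroll"}),
]

# Assumed heuristic: entitlement names ending in these are treated as privileged.
PRIVILEGED_SUFFIXES = ("admin", "approve_payment", "run_payroll")


@dataclass
class User:
    uid: str
    department: str
    entitlements: list  # "APP:entitlement" strings


def sod_violations(entitlements):
    """SoD rules whose entitlements are all held (i.e. rules that are violated)."""
    held = set(entitlements)
    return [rule for rule in SOD_RULES if rule <= held]


def risk_score(user):
    """Additive score: app criticality per entitlement, +5 per privileged
    entitlement, +10 per SoD violation. The weights are assumptions."""
    score = 0
    for ent in user.entitlements:
        app, _, name = ent.partition(":")
        score += APP_RISK.get(app, 2)  # unknown apps default to medium
        if name.endswith(PRIVILEGED_SUFFIXES):
            score += 5
    return score + 10 * len(sod_violations(user.entitlements))


def certification_population(users, fraction=0.05):
    """Highest-risk `fraction` of users (at least one) to put in front of reviewers."""
    ranked = sorted(users, key=risk_score, reverse=True)
    return ranked[: max(1, round(len(ranked) * fraction))]


def review_effort_hours(n_reviews, minutes_per_review=5, reviews_per_year=1):
    """Reviewer hours per year for a campaign of n_reviews certifications."""
    return n_reviews * minutes_per_review * reviews_per_year / 60


def risk_covered(population, users):
    """Share of the total inventory risk held by the selected population."""
    total = sum(risk_score(u) for u in users)
    return sum(risk_score(u) for u in population) / total if total else 0.0


def build_sample_users(n=5000):
    """Constructed inventory: 1 in 20 users is high risk (privileged ERP/payroll
    access with two SoD conflicts), 3 in 20 medium, the rest read-only wiki."""
    users = []
    for i in range(n):
        if i % 20 == 0:
            ents = ["ERP:create_vendor", "ERP:approve_payment",
                    "PAYROLL:edit_salary", "PAYROLL:run_payroll", "AD:admin"]
        elif i % 5 == 0:
            ents = ["CRM:read", "AD:read"]
        else:
            ents = ["WIKI:read"]
        users.append(User(f"u{i:04d}", "finance" if i % 20 == 0 else "ops", ents))
    return users


def compare_approaches(users):
    """Blanket annual/quarterly review versus certifying only the top-risk 5%."""
    top = certification_population(users)
    return {
        "blanket_annual_hours": review_effort_hours(len(users)),
        "blanket_quarterly_hours": review_effort_hours(len(users), reviews_per_year=4),
        "risk_based_users": len(top),
        "risk_based_hours": review_effort_hours(len(top)),
        "risk_covered": risk_covered(top, users),
    }


if __name__ == "__main__":
    for key, value in compare_approaches(build_sample_users()).items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

On the constructed inventory the top 5% (250 users) takes about 21 reviewer hours against roughly 417 for a blanket annual pass and 1,667 for quarterly passes, while covering well over half of the scored risk; the exact coverage depends entirely on the assumed weights, which is the point of making them explicit and reviewable.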
Backup Info:
If you have Gartner or Forrester subscriptions, they can help you validate this approach
Our partners (auditors) also confirmed that they consider a risk-based approach superior to a blanket approach. It is significant that the people auditing our customers are not only recommending this approach, they are also asking us to demonstrate more use cases that further the impact of risk as a differentiator.
Improve visibility and reduce access risks
Know who has access to what
Flag high-risk users and access
Align access to job responsibilities
Strengthen audit controls
Establish repeatable processes for reviewing access and scanning for policy violations
Prioritize controls for high risk users and applications
Demonstrate compliance with easy-to-use audit dashboards and reports
Spend less time and money demonstrating compliance
Reduce compliance costs by automating controls
Maximize business user productivity by focusing reviews on high-risk users and access
Minimize time spent generating and distributing audit reports
Improve decision making
Leverage business-friendly interfaces and terminology
Eliminate rubber-stamping
There are three goals with an Enterprise Role Model:
Business Language, Visibility and Alignment (IT & Business)
Usability (End User – Access Request)
User Management Automation
Enhance security and proactively address security threats
Automatically enforce identity governance policies
Dynamically assess risk impact of access changes
Ensure provisioning actions are compliant
Flag and prevent policy-violating requests
Assign access based on job function
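The preventive side of the list above (assess the risk impact of a change, flag and block policy-violating requests, assign access by job function), as an added example that is not the presentation's or any vendor's code: a request is evaluated before provisioning, denied if it would create a new SoD conflict, auto-approved if the entitlement belongs to the requester's job-function role and the risk increase is small, and otherwise escalated to an approver. The job-function role model, SoD rules, per-entitlement risk weights and the auto-approval threshold are assumptions for illustration.

```python
"""Preventive policy check at access-request time.

Added example for this page, not the presentation's or any vendor's code.
The job-function role model, SoD rules, entitlement risk weights and the
auto-approval threshold are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed job-function role model: what each job code is entitled to by default.
ROLE_MODEL = {
    "AP_CLERK": {"ERP:view_invoice", "ERP:create_vendor"},
    "AP_MANAGER": {"ERP:view_invoice", "ERP:approve_payment"},
    "HR_ANALYST": {"PAYROLL:view_salary"},
}

# Assumed separation-of-duties rules: entitlement sets one person must not hold together.
SOD_RULES = [
    frozenset({"ERP:create_vendor", "ERP:approve_payment"}),
    frozenset({"PAYROLL:edit_salary", "PAYROLL:run_payroll"}),
]

# Assumed per-entitlement risk weights; unknown entitlements default to 2.
ENTITLEMENT_RISK = {
    "ERP:view_invoice": 1, "ERP:create_vendor": 3, "ERP:approve_payment": 5,
    "PAYROLL:view_salary": 3, "PAYROLL:edit_salary": 5, "PAYROLL:run_payroll": 5,
    "AD:admin": 8,
}
AUTO_APPROVE_MAX_DELTA = 4  # assumed: larger risk increases need an owner's approval
SOD_PENALTY = 10            # assumed: added to the score per SoD conflict


@dataclass
class AccessRequest:
    uid: str
    job_code: str
    current: set       # entitlements the user already holds
    requested: str     # the single entitlement being requested


@dataclass
class Decision:
    outcome: str       # "no_change", "auto_approve", "escalate" or "deny"
    risk_before: int
    risk_after: int
    reasons: list = field(default_factory=list)


def sod_conflicts(held):
    """SoD rules fully satisfied by (i.e. violated within) an entitlement set."""
    return [rule for rule in SOD_RULES if rule <= held]


def access_risk(held):
    """Risk of an entitlement set: weight sum plus a penalty per SoD conflict."""
    return sum(ENTITLEMENT_RISK.get(e, 2) for e in held) + SOD_PENALTY * len(sod_conflicts(held))


def evaluate(req):
    """Decide a request before provisioning: block new SoD conflicts, auto-approve
    low-impact in-role access, escalate everything else to the application owner."""
    before = access_risk(req.current)
    if req.requested in req.current:
        return Decision("no_change", before, before, ["already held"])
    after_set = req.current | {req.requested}
    after = access_risk(after_set)

    # Preventive control: a request that creates a new SoD conflict is denied outright.
    new_conflicts = [r for r in sod_conflicts(after_set) if r not in sod_conflicts(req.current)]
    if new_conflicts:
        reasons = ["SoD conflict: " + " + ".join(sorted(r)) for r in new_conflicts]
        return Decision("deny", before, after, reasons)

    reasons = []
    if req.requested not in ROLE_MODEL.get(req.job_code, set()):
        reasons.append(f"{req.requested} is outside job function {req.job_code}")
    if after - before > AUTO_APPROVE_MAX_DELTA:
        reasons.append(f"risk increase {after - before} exceeds {AUTO_APPROVE_MAX_DELTA}")
    if reasons:
        return Decision("escalate", before, after, reasons)
    return Decision("auto_approve", before, after, ["in-role, low-impact request"])


if __name__ == "__main__":
    # Constructed requests: in-role low impact, SoD-violating, and out-of-role privileged.
    for r in [
        AccessRequest("u1", "AP_CLERK", {"ERP:view_invoice"}, "ERP:create_vendor"),
        AccessRequest("u1", "AP_CLERK", {"ERP:view_invoice", "ERP:create_vendor"}, "ERP:approve_payment"),
        AccessRequest("u2", "HR_ANALYST", {"PAYROLL:view_salary"}, "AD:admin"),
    ]:
        d = evaluate(r)
        print(r.uid, r.requested, d.outcome, d.risk_before, "->", d.risk_after, d.reasons)
```

The ordering matters: the SoD check runs before the role check so that an entitlement that is legitimately part of someone's role can still never be combined with a conflicting one they already hold, and the risk delta is computed on the full resulting entitlement set rather than on the requested item alone, which is what "assess the risk impact of access changes" means in practice.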
Reduce cost of provisioning access across enterprise and cloud apps
Automate access delivery for users based on HR triggers
Eliminate help desk calls and improve day-one productivity
Choose the best option for fulfilling each change
Empower business users with self-service
Leverage an e-commerce style request experience
Simplify password reset and change activities