Turning Critical Regulatory Findings Into Enterprise Organizational Wins
•Download as PPTX, PDF•
0 likes•294 views
The document discusses how regulatory demands and data growth are challenging organizations. There has been an 8x increase in compliance mandates and a 50x explosion in managed data. This is creating a hybrid IT environment. The document recommends that organizations take a risk-based approach to identity and access management to improve visibility, strengthen controls, reduce compliance costs and improve decision making.
Recommended
Recommended
More Related Content
What's hot
What's hot (17)
Similar to Turning Critical Regulatory Findings Into Enterprise Organizational Wins
Similar to Turning Critical Regulatory Findings Into Enterprise Organizational Wins (20)
Recently uploaded
Recently uploaded (20)
Turning Critical Regulatory Findings Into Enterprise Organizational Wins
- 1. Turning Critical Regulatory Findings Into Enterprise Organizational Wins Andrew Ames Vice President, Identity & Access Management
- 2. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Agenda Regulatory Environment Data Explosion Shifting IT Landscape Risk Approach Enterprise Wins
- 3. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Meeting Today’s Compliance Demands
- 4. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Information Explosion • 50x… Growth in the Amount of Enterprise Information Managed Over the Next Decade • 1.5X… Growth in the Number of IT and Internal Audit Professionals, over the same time period
- 5. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Yesterday… Data (applications) Devices People
- 6. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Yesterday… Data (applications) Devices People
- 7. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Today… Applications Devices People + Legacy, + Cloud, + Custom Data (applications) Devices People + iPhone, + Android, + iPad + Remote, + Partners, + Customers Identity
- 8. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. 8x increase compliance mandates Summary 50x explosion in managed data Hybrid (disruptive) IT environment
- 9. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Still Need to Demonstrate Compliance
- 10. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Root of all Risk
- 11. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Risk Level Approach
- 12. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Enterprise Wins Improve visibility and reduce access risks Strengthen audit controls Spend less time/money demonstrating compliance Improve decision making
- 13. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Enterprise Win (Role Modeling) Enterprise Roles • Employee • Consultant • Student • Vendor Org Unit • PO • Surgery • Acad. Affairs • Pediatric • Psych • ITS Fund Center • Primary Care-East • Accounting • Payroll • Infrastructure • Security & IDM Job Roles • Physician • Patient Coord. • Payroll Clerk • Engineer Application Roles • EPIC – MR Physician • SAP – Time Administrator • GECB – Billing Acct. Receivable • AD – Surgery Automation Review & Approve • Data Driven • Little Administration • Little Certification • Access Request Driven • Potential Automation • Periodic Certification • Increased Approvals • Partial Automation • Rule Based Cert. Goal: Move the “automation” line as far to the right as possible.
- 14. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Enterprise Win (maturity for provisioning) Average time to provision access for new hires:
- 15. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Enterprise Win - SSO
- 16. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Act Now…
- 17. © 2012 FishNet Security Inc. All rights reserved. © 2012 FishNet Security Inc. All rights reserved. Questions Andrew Ames Vice President, Identity & Access Management FishNet Security andrew.ames@fishnetsecurity.com
Editor's Notes
- Globalization of your business… new privacy laws you have understand and address. New federal regulations like iTAR Healthcare… HIPAA has teeth. ePHI -- Up to $1.5M in penalties per violation Insurance… many public entities but those not targeted with SOX were captured with the Model Audit Rule SAS 70 has been replaced by SSAE 16… IT Control Attestation, that also include Subservice Organization (Business Associates) INTRO THEME -- Three big challenges to today’s compliance efforts: Ever growing number of rules and regulations Explosion in data Shifting / Hybrid IT Environments
- Member, Customer and Partner Data Operational and Business Data Big Data… The challenge to IT Organization and specially IT Audit, is the lack of understanding of this data
- Shifts / fracturing of IT What IT used to be… within your 4 walls, controlled, simple desktop access, etc
- IT Controls… Auditors still want you to prove you have proper controls (Detective… and Preventative) The Blanket Approach 5000 employee company requiring an annual certification of user access. Each review (cert) takes 5 min. 416 hours… 10 person weeks If quarterly reviews… 1200 hours (30 person weeks)
- It’s typical in our customers’ environments that the high risk is represented by only 5% of the population. And addressing that 5% can actually eliminate 85% of the risk. If you just start somewhere you’re more likely to complete 85% of the work and address 5% of the risk. 5000 employee company, annual reviews -- 416 hours or 10 person weeks If quarterly reviews… 1200 hours (30 person weeks) Leveraging the Risk model, certify ONLY the high risk users (~250)… 20 hours… 3 days. Reduce the amount of “rubber stamping” and get more valid and accurate reviews
- Fast Forward… BI for Identity Management Where the level of risk for every user and every application is visible. Where the entire approach allows you to focus your efforts on eliminating the highest levels of risk Backup Info: If you have Gartner or Forrester subscriptions, they can help you validate this approach Our partners (auditors) also confirmed that they consider a risk-based approach superior/preferred to a blanket approach – it’s significant that the people auditing the customers are not only recommending this approach, they’re also telling us to demonstrate more use cases that further the impact of risk as a differentiator
- Improve visibility and reduce access risks Know who has access to what Flag high-risk users and access Align access to job responsibilities Strengthen audit controls Establish repeatable processes for reviewing access and scanning for policy violations Prioritize controls for high risk users and applications Demonstrate compliance with easy-to-use audit dashboards and reports Spend less time and money demonstrating compliance Reduce compliance costs by automating controls Maximize business user productivity by focusing on high-risk Minimize time spent generating and distributing audit reports Improve decision making Leverage business-friendly interfaces and terminology Eliminate rubber-stamping
- There are three goals with an Enterprise Role Model: Business Language, Visibility and Alignment (IT & Business) Usability (End User – Access Request) User Management Automation
- Enhance security and proactively address security threats Automatically enforce identity governance policies Dynamically assess risk impact of access changes Ensure provisioning actions are compliant Flag and prevent policy-violating requests Assign access based on job function Reduce cost of provisioning access across enterprise and cloud apps Automate access delivery for users based on HR triggers Eliminate help desk calls and improve day-one productivity Choose the best option for driving change fulfillment Empower business users with self-service Leverage e-commerce based request experience Simplify password reset and change activities