The document discusses considerations for surviving an identity and access management (IAM) audit. It provides recommendations in four key areas:
1. Understand the different types of audits for IAM - compliance, corporate controls, internal IAM audits, and addressing IAM issues in other audits. Prepare for each by understanding requirements and risks.
2. Recognize how auditors think in terms of preventative, detective and corrective controls, and how they need to collect evidence that controls are properly designed and operating as intended.
3. Be prepared to address specific IAM topics like access approval processes, as well as broader issues like logical security, change management, availability and disaster recovery that relate
2. BEGIN WITH THE END IN MIND
• What kinds of audit are there?
Recommendations?
• How do Auditors think, and why?
– Preventative, detective, & corrective controls
– Technical vs procedural controls
3. TYPES OF AUDITS…
For the purposes of IAM there are four kinds of audits you need to be prepared for:
• Compliance Audit
• Corporate Controls
• Internal Audit of IAM
• Addressing IAM issues for audits of other areas
Tip – Find out who maintains the audit list for IT systems,
and meet with them in Q4 to identify all audits
that may have IAM questions or concerns.
4. TYPES OF AUDITS
Compliance Audit
• Often this is evaluated by external auditor
• Criteria are determined by external source
• Expectations are clear
Recommendations:
• Understand your regulatory environment
• Collect the relevant requirements documentation
• Review it annually, even in non-audit years
5. TYPES OF AUDITS…
Corporate Controls & Internal Audit of IAM
• Controls are determined by Internal Audit and by your
corporate auditors
• Criteria are not as black and white as Compliance Audits
Recommendations
• Usually these are annual or on-going in nature
• Strive to have consistent staff involved
• Try to have the auditors discuss the risk and control
objectives during audit preparation
6. TYPES OF AUDITS…
Addressing IAM issues for audits of other areas
• Occurs when IAM questions are raised during the audit of another system or process
• Timing and urgency often put the IAM team at a
disadvantage
Recommendations
• Understand high risk systems you provide IAM for, and
work with them proactively to address their audit needs
• Track the requests you receive, and inquire about when
the follow-up or next audit will occur
• Try to get involved early, during the other team’s audit
preparation.
7. AUDITOR MINDSET
RISKS, CONTROLS, & EVIDENCE
• Preventative Controls
• Detective Controls
• Corrective Controls
Type of Control
• Technical - Works without human oversight (e.g. locks)
• Procedural - Requires people to follow processes & provide oversight
Once controls are understood, auditors must collect evidence that demonstrates the control is in place and operating as expected.
This requires documentation or a random spot-check process.
8. AREAS OF INTEREST
When preparing for an IAM audit, view the process
holistically…
Be prepared to address:
• IAM specifics
• Logical security
• Change Management
• Availability, & Disaster Recovery
9. IAM SPECIFICS
• Details of the IAM system itself
– Business process (view) of the system
– Network and logical views of the system
– Monitoring for availability, intrusion, & change
• What oversight and controls are provided
– What is the access approval process
– Is there a periodic review of identity & access?
– How are privilege concepts, such as “least privilege”
and “separation of duties” handled?
10. GENERAL SYSTEM CONCERNS
Logical security
• Accountability is established for all IDs (human and system)
• Passwords are secured and managed in compliance with an accepted standard
Change Management
• How are changes reviewed, approved, tracked?
• How are change control violations detected?
Availability, & Disaster Recovery
• What are your processes for managing system failures, disasters, etc.?
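The IAM-specific questions on slide 9 (periodic review of identity & access, least privilege, separation of duties) and the logical-security and change-management questions on slide 10 (accountability for every ID, detection of change control violations) are exactly the points where an auditor will ask for evidence rather than a description. The following is an added example, not taken from the slide deck, of a small detective control that produces that evidence from an export of the IAM system: it flags accounts with no owner, accounts whose last access review is older than the review cycle, identities holding a separation-of-duties conflict, and role grants that no approved change ticket authorises. The account, entitlement, SoD-rule and ticket data are constructed sample data, and the field names (`owner`, `last_review`, and so on) are assumptions about the export format, not any product's schema.

```python
"""Added example: generate periodic access-review evidence for an IAM audit.

The data below is constructed sample data; field names are assumptions about
an IAM export format, not a specific product's schema.
"""
from datetime import date

# Constructed sample: accounts as exported from the IAM system.
ACCOUNTS = [
    {"id": "alice",      "owner": "alice",    "type": "human",  "last_review": "2024-01-15"},
    {"id": "bob",        "owner": "bob",      "type": "human",  "last_review": "2023-03-01"},
    {"id": "svc-backup", "owner": "",         "type": "system", "last_review": "2024-02-01"},
    {"id": "svc-etl",    "owner": "ops-team", "type": "system", "last_review": "2024-02-01"},
]

# Constructed sample: roles currently held by each identity.
ENTITLEMENTS = {
    "alice":      {"ap_create_vendor", "ap_approve_payment"},
    "bob":        {"reader"},
    "svc-backup": {"backup_operator"},
    "svc-etl":    {"etl_runner", "db_admin"},
}

# Separation-of-duties rules: pairs of roles one identity must never hold together.
SOD_RULES = [("ap_create_vendor", "ap_approve_payment")]

# Constructed sample: (identity, role) grants authorised by an approved change ticket.
APPROVED_GRANTS = {
    ("alice", "ap_create_vendor"),
    ("alice", "ap_approve_payment"),
    ("bob", "reader"),
    ("svc-backup", "backup_operator"),
    ("svc-etl", "etl_runner"),
}

# Assumed review cycle: every account must be reviewed at least once a year.
REVIEW_MAX_AGE_DAYS = 365


def find_unowned_accounts(accounts):
    """Accountability check: every ID, human or system, must have a named owner."""
    return sorted(a["id"] for a in accounts if not a["owner"])


def find_stale_reviews(accounts, today, max_age_days=REVIEW_MAX_AGE_DAYS):
    """Periodic-review check: accounts whose last review is older than the cycle."""
    stale = []
    for a in accounts:
        age_days = (today - date.fromisoformat(a["last_review"])).days
        if age_days > max_age_days:
            stale.append(a["id"])
    return sorted(stale)


def find_sod_conflicts(entitlements, rules):
    """Separation-of-duties check: identities holding both halves of a forbidden pair."""
    conflicts = []
    for ident, roles in entitlements.items():
        for role_a, role_b in rules:
            if role_a in roles and role_b in roles:
                conflicts.append((ident, role_a, role_b))
    return sorted(conflicts)


def find_unapproved_grants(entitlements, approved):
    """Change-control check: grants in effect that no approved ticket authorises."""
    return sorted(
        (ident, role)
        for ident, roles in entitlements.items()
        for role in roles
        if (ident, role) not in approved
    )


def access_review_report(accounts, entitlements, rules, approved, today):
    """Combine the four checks into one report an auditor can take as evidence."""
    return {
        "unowned_accounts": find_unowned_accounts(accounts),
        "stale_reviews": find_stale_reviews(accounts, today),
        "sod_conflicts": find_sod_conflicts(entitlements, rules),
        "unapproved_grants": find_unapproved_grants(entitlements, approved),
    }


if __name__ == "__main__":
    # Constructed review date for the sample data.
    report = access_review_report(ACCOUNTS, ENTITLEMENTS, SOD_RULES, APPROVED_GRANTS, date(2024, 6, 1))
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

Each list in the report maps to one question an auditor asks: the unowned-accounts list is the accountability evidence, the stale-reviews list shows whether the periodic review actually runs, the SoD list shows how conflicting privileges are handled, and the unapproved-grants list is the change control violation detection. Keeping the dated output of this check with each review cycle is the kind of documentation slide 7 says auditors need, so they do not have to fall back on a random spot-check.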
11. LET’S TAKE 10 MIN…
Audit preparation is a complex topic
We hope to have provided some insights
But, let’s take 10 min and discuss experiences,
problems, and insights as a group…