Advanced IAM - Surviving the IAM Audit
SlideShare deck uploaded by Dan Houser (11 slides)
ADVANCED IAM AUDIT CONSIDERATIONS
Surviving, or performing, the IAM Audit.
BEGIN WITH THE END IN MIND
• What kinds of audit are there? What are the recommendations for each?
• How do auditors think, and why?
– Preventative, detective, & corrective controls
– Technical vs procedural controls
TYPES OF AUDITS…
For the purposes of IAM there are four kinds of audits you need to be prepared for:
• Compliance Audit
• Corporate Controls
• Internal Audit of IAM
• Addressing IAM issues for audits of other areas
Tip – Find out who maintains the audit list for IT systems, and meet with them in Q4 to identify all audits that may have IAM questions or concerns.
TYPES OF AUDITS
Compliance Audit
• Often this is evaluated by an external auditor
• Criteria are determined by an external source
• Expectations are clear
Recommendations:
• Understand your regulatory environment
• Collect the relevant requirements documentation
• Review it annually, even in non-audit years
TYPES OF AUDITS…
Corporate Controls & Internal Audit of IAM
• Controls are determined by Internal Audit and by your corporate auditors
• Criteria are not as black and white as Compliance Audits
Recommendations:
• Usually these are annual or on-going in nature
• Strive to have consistent staff involved
• Try to have the auditors discuss the risk and control objectives during audit preparation
TYPES OF AUDITS…
Addressing IAM issues for audits of other areas
• Occurs when IAM questions are raised during the audit of another system or process
• Timing and urgency often put the IAM team at a disadvantage
Recommendations:
• Understand the high-risk systems you provide IAM for, and work with them proactively to address their audit needs
• Track the requests you receive, and inquire about when the follow-up or next audit will occur
• Try to get involved early, during the other team’s audit preparation.
AUDITOR MINDSET
RISKS, CONTROLS, & EVIDENCE
Function of Control
• Preventative Controls
• Detective Controls
• Corrective Controls
Type of Control
• Technical - Works without human oversight (e.g. locks)
• Procedural - Requires that people follow processes & provide oversight
Once controls are understood, auditors must collect evidence that demonstrates the control is in place and operating as expected. This requires documentation or a random spot-check process.
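The spot-check process described on this slide, as an added example that is not part of the deck: a reproducible random sample of constructed provisioning tickets is tested against one control, and the outcome is written up the way an audit workpaper would record it. The control under test here (access is provisioned only after an independent, recorded approval) is preventative and procedural in the deck's terms, which is exactly why it needs sampled evidence rather than a system setting. The record layout, the rule and the tickets are assumptions made for the example.

```python
"""Reproducible random spot-check of a procedural control (added example, not from the deck)."""
import hashlib
import json
import random
from datetime import date

# Constructed sample population, shaped like a ticketing-system export.
# IAM-1004, IAM-1007 and IAM-1008 are deliberately non-compliant.
PROVISIONING_RECORDS = [
    {"ticket": "IAM-1001", "requester": "u.alice", "approver": "m.bob",  "approved": "2024-03-01", "provisioned": "2024-03-02"},
    {"ticket": "IAM-1002", "requester": "u.carol", "approver": "m.bob",  "approved": "2024-03-03", "provisioned": "2024-03-03"},
    {"ticket": "IAM-1003", "requester": "u.dave",  "approver": "m.erin", "approved": "2024-03-04", "provisioned": "2024-03-05"},
    {"ticket": "IAM-1004", "requester": "u.frank", "approver": None,     "approved": None,         "provisioned": "2024-03-06"},  # no approval on record
    {"ticket": "IAM-1005", "requester": "u.grace", "approver": "m.erin", "approved": "2024-03-07", "provisioned": "2024-03-08"},
    {"ticket": "IAM-1006", "requester": "u.heidi", "approver": "m.bob",  "approved": "2024-03-09", "provisioned": "2024-03-09"},
    {"ticket": "IAM-1007", "requester": "u.ivan",  "approver": "m.erin", "approved": "2024-03-12", "provisioned": "2024-03-10"},  # provisioned before approval
    {"ticket": "IAM-1008", "requester": "u.judy",  "approver": "u.judy", "approved": "2024-03-11", "provisioned": "2024-03-11"},  # self-approved
]


def control_passes(rec):
    """Return True when one record satisfies the control being tested."""
    if not rec["approver"] or not rec["approved"]:
        return False  # no approval on record
    if rec["approver"] == rec["requester"]:
        return False  # self-approval: no independent oversight
    # Approval must be recorded no later than the day access was provisioned.
    return date.fromisoformat(rec["approved"]) <= date.fromisoformat(rec["provisioned"])


def population_fingerprint(records):
    """SHA-256 over the canonical JSON of the population, so the workpaper can show
    exactly which export the sample was drawn from."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def draw_sample(records, size, seed):
    """Seeded selection: the same seed over the same population reproduces the same sample,
    which lets a second reviewer re-perform the test."""
    rng = random.Random(seed)
    return rng.sample(records, size)


def spot_check(records, size, seed):
    """Test a random sample against the control and return a workpaper-style result."""
    sample = draw_sample(records, size, seed)
    exceptions = sorted(r["ticket"] for r in sample if not control_passes(r))
    return {
        "population_size": len(records),
        "population_sha256": population_fingerprint(records),
        "seed": seed,
        "sampled": sorted(r["ticket"] for r in sample),
        "exceptions": exceptions,
        "result": "effective" if not exceptions else "exceptions noted",
    }


if __name__ == "__main__":
    print(json.dumps(spot_check(PROVISIONING_RECORDS, size=4, seed=20240315), indent=2))
```

Testing the whole population instead of a sample (size equal to the population) surfaces every exception; a sample is what an auditor draws when the population is too large to test in full, and the seed plus the population hash are what make that sample defensible later.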
AREAS OF INTEREST
When preparing for an IAM audit, view the process holistically…
Be prepared to address:
• IAM specifics
• Logical security
• Change Management
• Availability, & Disaster Recovery
IAM SPECIFICS
• Details of the IAM system itself
– Business process (view) of the system
– Network and logical views of the system
– Monitoring for availability, intrusion, & change
• What oversight and controls are provided
– What is the access approval process?
– Is there a periodic review of identity & access?
– How are privilege concepts, such as “least privilege” and “separation of duties”, handled?
GENERAL SYSTEM CONCERNS
Logical security
• Accountability is established for all IDs (human and system)
• Passwords are secured and managed in compliance with accepted standards
Change Management
• How are changes reviewed, approved, tracked?
• How are change control violations detected?
Availability, & Disaster Recovery
• What are your processes for managing system failures, disasters, etc.?
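One way to turn the periodic review, least-privilege and separation-of-duties questions from the IAM Specifics slide, together with the accountability-for-all-IDs point on this slide, into evidence an auditor can test. This is an added example, not code from the deck; the identity inventory, entitlement export, role baseline, toxic-combination rules and review window are all constructed assumptions.

```python
"""Periodic identity & access review checks (added example, not from the deck)."""
from datetime import date

# Constructed identity inventory: human and system (service) accounts.
# "owner" is the person accountable for the ID; None means nobody is.
IDENTITIES = {
    "alice":      {"type": "human",  "owner": "alice", "role": "ap_clerk",  "last_reviewed": "2024-05-15"},
    "bob":        {"type": "human",  "owner": "bob",   "role": "ap_clerk",  "last_reviewed": "2024-01-10"},
    "carol":      {"type": "human",  "owner": "carol", "role": "iam_admin", "last_reviewed": "2024-06-01"},
    "svc-batch":  {"type": "system", "owner": "carol", "role": "batch",     "last_reviewed": "2024-02-01"},
    "svc-legacy": {"type": "system", "owner": None,    "role": "batch",     "last_reviewed": None},
}

# Constructed entitlement assignments, shaped like an IAM system export.
ENTITLEMENTS = {
    "alice":      {"ap.create_vendor", "ap.approve_payment"},
    "bob":        {"ap.create_vendor"},
    "carol":      {"iam.admin", "ap.approve_payment"},
    "svc-batch":  {"batch.run"},
    "svc-legacy": {"batch.run", "iam.admin"},
}

# What each role is entitled to by design: the least-privilege baseline.
ROLE_BASELINE = {
    "ap_clerk":  {"ap.create_vendor"},
    "iam_admin": {"iam.admin"},
    "batch":     {"batch.run"},
}

# Separation-of-duties rules: combinations no single identity may hold.
TOXIC_COMBINATIONS = [
    ({"ap.create_vendor", "ap.approve_payment"}, "create vendor + approve payment"),
    ({"iam.admin", "batch.run"}, "IAM administration + unattended batch execution"),
]


def orphaned_ids(identities):
    """Accountability: every ID, human or system, must map to a responsible owner."""
    return sorted(name for name, meta in identities.items() if not meta["owner"])


def sod_violations(entitlements, rules=TOXIC_COMBINATIONS):
    """Separation of duties: identities holding a complete toxic combination."""
    return sorted(
        (name, label)
        for name, ents in entitlements.items()
        for combo, label in rules
        if combo <= ents
    )


def excess_entitlements(identities, entitlements, baseline=ROLE_BASELINE):
    """Least privilege: entitlements beyond what the identity's role is designed to carry."""
    excess = {}
    for name, ents in entitlements.items():
        extra = ents - baseline.get(identities[name]["role"], set())
        if extra:
            excess[name] = sorted(extra)
    return excess


def overdue_reviews(identities, today_iso, max_age_days=90):
    """Periodic review: IDs not certified within the window (never reviewed counts as overdue)."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for name, meta in identities.items():
        last = meta["last_reviewed"]
        if last is None or (today - date.fromisoformat(last)).days > max_age_days:
            overdue.append(name)
    return sorted(overdue)


def review_report(identities, entitlements, today_iso):
    """Bundle the four checks into one record for the review workpaper."""
    return {
        "as_of": today_iso,
        "orphaned_ids": orphaned_ids(identities),
        "sod_violations": sod_violations(entitlements),
        "excess_entitlements": excess_entitlements(identities, entitlements),
        "overdue_reviews": overdue_reviews(identities, today_iso),
    }


if __name__ == "__main__":
    for key, value in review_report(IDENTITIES, ENTITLEMENTS, "2024-06-30").items():
        print(f"{key}: {value}")
```

Each finding maps back to a slide question: an orphaned ID means accountability is not established, a toxic combination is a separation-of-duties failure, excess entitlements show where least privilege has drifted, and an overdue review is the evidence gap an auditor will ask about first. Running the checks on a schedule and keeping the output is the documentation the Auditor Mindset slide calls for.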
LET’S TAKE 10 MIN…
Audit preparation is a complex topic
We hope to have provided some insights
But, let’s take 10 min and discuss experiences,
problems, and insights as a group…