NACD Directorship, September/October 2016, p. 72
Director Advisory
Addressing Cyber Risk From the Boardroom:
Identity Access Management Considerations
By Lena Licata
One of today's top boardroom concerns is cyber-risk oversight. Regulators now expect more than a yes-or-no answer to whether cyber risk is being addressed; directors need to know how and why the company is exposed.

Identity access management (IAM), the process that governs how users gain, change, and lose access to a firm's network, systems, applications, and hardware, provides a foundational view of how insider risk is being addressed. An effective IAM program is a crucial component in minimizing insider threat. For example, applying the principle of least privilege, granting users permissions only for the resources their job actually requires, greatly reduces a company's exposure: a compromised or misused account can then reach only what that account legitimately needs.

Here are five questions boards should ask when examining IAM:
1.	Do we have a centralized or decentralized IAM program? A centralized IAM program means one group within the company handles access to company resources. The advantages of this configuration are that consistent procedures can be applied across the firm and the program's effectiveness can be measured for regulatory compliance.

A decentralized IAM program means personnel across different groups manage access. The challenge is that consistency and effectiveness are hard to ensure without substantial automation; the benefit is that the assigned personnel likely know the assets they manage better than a central team and are better placed to limit access by job function.
2.	Do we use automation within our IAM program? An IAM program's effectiveness correlates directly with the amount of automation it employs; the more automation is used, the stronger the program:
■■ Automate human resources feeds to trigger workflow events: disabling an employee's access to organizational assets when the employee leaves the company; sending newly appointed managers listings of their employees' access so they can confirm or modify it; and assigning access to new employees based on their job title.
■■ Use workflow tools for any change to access. Automating access request forms and building logic around the required approvals reduces the risk of regulatory observations and of human error.
3.	Have we had regulatory observations in this area? Under Sarbanes-Oxley, organizations are subject to reviews of their information technology (IT) general controls by an independent auditor. As part of this review, the following access controls are typically tested: new hire access; terminated user access; transfer user access; and privileged user access.

Third-party observations are key indicators of weaknesses within a company's program. As a board or audit committee member, consider whether these observations indicate one-time mistakes or systemic issues. Systemic issues increase the risk of insider threats and of exploitation by external attackers; an account that should have been disabled at termination but was not, for example, is an easy foothold.
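As an added worked example, not code from the article or from EisnerAmper, the reconciliation below shows what the HR-feed automation in question 2 and the four access controls an auditor tests under question 3 look like in practice. It assumes a hypothetical role catalogue keyed by job title, an account export that records the title and manager on file at the last certification, and constructed sample records; the entitlement names and account names are invented for illustration.

```python
"""Reconcile an HR feed against an IAM directory export (joiner/mover/leaver).

Added example: the input format, role catalogue and account names are assumed,
not taken from the article; the sample records are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed role catalogue: job title -> entitlements granted automatically at hire.
ROLE_CATALOGUE = {
    "AP Clerk": {"erp:ap_entry"},
    "AP Manager": {"erp:ap_entry", "erp:ap_approve"},
    "DBA": {"erp:db_admin"},
}
# Entitlements treated as privileged: holding one outside the role needs approval evidence.
PRIVILEGED = {"erp:ap_approve", "erp:db_admin"}


@dataclass
class HrRecord:
    emp_id: str
    title: str
    manager: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    user: str
    emp_id: Optional[str]  # None for accounts with no HR owner (service, vendor)
    enabled: bool
    entitlements: set
    title_at_cert: str  # job title recorded at the last certification
    manager_at_cert: str


def reconcile(hr_feed, accounts):
    """Return the workflow actions and audit exceptions implied by the two feeds."""
    hr = {r.emp_id: r for r in hr_feed}
    out = {"disable": [], "grant": [], "manager_review": [], "exception": []}
    matched = set()
    for acct in accounts:
        rec = hr.get(acct.emp_id)
        if rec is None:
            # Orphan account: nobody in HR owns it. Vendor and service accounts
            # land here and need a named sponsor before they are recertified.
            if acct.enabled:
                out["exception"].append((acct.user, "no HR owner"))
            continue
        matched.add(rec.emp_id)
        if rec.status == "terminated":
            # Leaver: the HR termination event must disable the account.
            if acct.enabled:
                out["disable"].append(acct.user)
            continue
        role_ents = ROLE_CATALOGUE.get(rec.title, set())
        if rec.title != acct.title_at_cert or rec.manager != acct.manager_at_cert:
            # Mover: the current manager gets the entitlements the new role
            # does not explain, to confirm or remove them.
            excess = sorted(acct.entitlements - role_ents)
            out["manager_review"].append((acct.user, rec.manager, excess))
        # Privileged access outside the role catalogue is an ITGC finding
        # unless an approval record exists for it.
        unapproved = sorted((acct.entitlements & PRIVILEGED) - role_ents)
        if unapproved:
            out["exception"].append(
                (acct.user, "privileged outside role: " + ", ".join(unapproved)))
    for emp_id, rec in hr.items():
        if rec.status == "active" and emp_id not in matched:
            # Joiner: provision the role's baseline entitlements from the title.
            out["grant"].append((emp_id, sorted(ROLE_CATALOGUE.get(rec.title, set()))))
    return out


def sample_data():
    """Constructed records covering each case; not real data."""
    hr_feed = [
        HrRecord("E1", "AP Clerk", "M1", "active"),      # unchanged
        HrRecord("E2", "AP Manager", "M2", "active"),    # promoted, new manager
        HrRecord("E3", "AP Clerk", "M1", "terminated"),  # left, account still enabled
        HrRecord("E4", "DBA", "M3", "active"),           # hired, no account yet
    ]
    accounts = [
        Account("a.smith", "E1", True, {"erp:ap_entry"}, "AP Clerk", "M1"),
        Account("b.jones", "E2", True, {"erp:ap_entry", "erp:db_admin"}, "AP Clerk", "M1"),
        Account("c.lee", "E3", True, {"erp:ap_entry"}, "AP Clerk", "M1"),
        Account("svc-backup", None, True, {"erp:db_admin"}, "", ""),
    ]
    return hr_feed, accounts


def run_sample():
    return reconcile(*sample_data())


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(kind, items)
```

Run it directly to print the four action lists. The same diff is the evidence an ITGC tester asks for: every terminated employee maps to a disabled account, every joiner's access traces to a title, any privileged entitlement not explained by the role has an approval on file, and an enabled account with no HR owner, typically a service or vendor account, is flagged for a sponsor and recertification rather than silently kept.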
4.	How often are we monitoring or reviewing our program? These third-party reviews focus only on systems that directly affect the financial statements. Other business systems holding sensitive data, such as customer information or health records, may fall outside their scope. It is important to understand what the IT organization and/or internal audit function are doing to proactively review IAM. Targeted audits of applications outside financial reporting, and rigorous user recertifications performed across all organizational assets, are key tools.
5.	Do we have external parties with access to our systems? Many corporations allow external parties access to their assets; for example:
■■ Customers inputting or viewing data through a portal.
■■ Vendors accessing systems to assist with management of an IT system or asset.
■■ Business partners accessing systems for business collaboration.
In each of these scenarios, the access should be reviewed with the same rigor as internal access: who sponsors it, what it can reach, and when it expires.
Automating analytics over access-related behavior is also important. Any external access to privileged data needs to be closely monitored.
Asking the right questions and involving IT and internal audit to examine and monitor your IAM program will leave the board better informed and better able to direct spending where it reduces cybersecurity risk.
Lena Licata is a senior manager in EisnerAmper's Consulting Services Group. She assists clients primarily in the financial services and pharmaceutical industries, providing a host of IT audit and risk services.
Risk Management