NACD Directorship, September/October 2016, p. 72
Director Advisory
Addressing Cyber Risk From the Boardroom: Identity Access Management Considerations
By Lena Licata
One of today's top boardroom concerns is cyber-risk oversight. Regulators have made clear that it is no longer sufficient to ask whether cyber risk is being addressed; directors need to know how and why the company is exposed. Identity access management (IAM), the process that governs how users gain, change, and lose access to a firm's networks, systems, applications, and hardware, is the foundation for assessing how insider risk is being addressed. An effective IAM program is a crucial component in minimizing insider threat, and it also limits what an outside attacker can do with a stolen or guessed password, since the attacker inherits only the permissions of the account that was compromised. For example, applying the principle of least privilege, granting users permissions only for the items their jobs truly require, can greatly reduce a company's exposure to cyber risk.
Here are five questions boards should ask when examining IAM:
1. Do we have a centralized or decentralized IAM program? In a centralized IAM program, one group within the company handles access to company resources. The advantages of this configuration are that consistent procedures can be applied more effectively and the program's effectiveness can be measured for regulatory compliance.
In a decentralized IAM program, personnel across different groups manage access. The challenge is that consistency and effectiveness are hard to ensure without a great deal of automation; the benefit is that the personnel assigned likely know the assets they manage better than a central team would and are in a better position to limit access by job function. Many firms settle on a hybrid: central policy, tooling, and reporting, with approval decisions delegated to the owners of each asset. Whichever model is used, the board should know who is accountable for the access decisions on each system.
2. Do we use automation within our IAM program? The effectiveness of an IAM program is closely tied to how much of it is automated. Manual provisioning and de-provisioning depend on someone remembering to send a request and someone else remembering to act on it, and the steps most often forgotten, removing access when an employee leaves or changes roles, are exactly the ones that create exposure. Two areas in particular benefit from automation:
■ Automate human resources feeds to trigger workflow events: disabling an employee's access to organizational assets when the employee leaves the company; sending newly appointed managers a listing of their employees' access so they can confirm what should be modified; and assigning access to new employees based on job title. Transfers deserve particular attention, because access from a previous role tends to accumulate unless the move itself triggers a review.
■ Use workflow tools for any change to access. Automating access request forms and building logic around required approvals reduce the risk of regulatory observations and human error, and leave an audit trail showing who requested, approved, and granted each entitlement.
Automation is only as good as the rules behind it. An HR feed that maps a job title to the wrong entitlements will provision that mistake consistently, so the role definitions themselves should be reviewed periodically.
3. Have we had regulatory observations in this area? Under Sarbanes-Oxley, organizations are subject to reviews of their information technology (IT) general controls by an independent auditor. As part of this review, the following controls are often tested: new hire access; terminated user access; transfer user access; and privileged user access.
Third-party observations are key indicators of weaknesses within a company's program. As a board or audit committee member, consider whether these observations indicate one-time mistakes or systemic issues. Systemic issues increase the risk of insider threats as well as of exploitation by outside attackers: a terminated employee's account that is still enabled, for example, is both a path for a disgruntled ex-employee and a ready-made foothold for anyone who obtains that person's password.
4. How often are we monitoring or reviewing our program? Third-party reviews under Sarbanes-Oxley focus only on assets that directly affect the financial statements. Other business systems that hold sensitive data, such as customer information or health records, may not be subject to these reviews at all. It is important to understand what the IT organization and/or internal audit functions are doing to proactively review IAM beyond that scope. Targeted audits of applications outside the financial statement boundary, and strong user recertifications performed on all organizational assets, are key tools. A recertification is only strong if the manager or asset owner attests to each user's specific entitlements, not merely to the existence of the account, and if anything not reaffirmed is actually removed by a set deadline; a review cycle that never produces a revocation should itself prompt a question.
5. Do we have external parties with access to our systems? Many corporations allow external parties access to their assets; for example:
■ Customers inputting or viewing data through a portal.
■ Vendors accessing systems to assist with management of an IT system or asset.
■ Business partners accessing systems for business collaboration.
In each of these scenarios it is important to review this access in the same way as internal access to systems: each external user should have an individually attributable account rather than a shared vendor login, the access should be tied to a contract or engagement with an end date, and it should be recertified on the same schedule as employee access. Vendor accounts used to administer systems are often privileged, which makes them attractive targets.
Automating analytics to review access-related behaviors is also important: for example, flagging external accounts that are still being used after their engagement has ended, or accounts that have not been used in months and should be removed. Any external exposure to privileged data needs to be closely monitored.
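The following is an added example, not code from the article, of the access-review analytics described in questions 4 and 5: it takes an account inventory that distinguishes employees from the three kinds of external party named above, a list of entitlements the firm treats as privileged, and a log of logins, and produces the findings a recertification pack should lead with. The inventory, the privileged list, the log format and the 90-day dormancy threshold are all assumptions of this example.

```python
"""Access-review analytics over an account inventory and an access log.

Added example; not code from the article. The account inventory, the
privileged-entitlement list and the log lines are constructed in-line. A real
deployment would build the inventory from the directory and the identity
platform and read the log from the SIEM.
"""
from datetime import datetime, timedelta

# Constructed list of entitlements the firm treats as privileged.
PRIVILEGED = {"erp:db_admin", "erp:ap_approve", "crm:export"}

# Constructed inventory: employees and the three kinds of external party
# named in the article. contract_end is None for employees and customers.
ACCOUNTS = [
    {"id": "e100", "type": "employee", "ents": {"erp:ap_entry"}, "contract_end": None},
    {"id": "v200", "type": "vendor",   "ents": {"erp:db_admin"}, "contract_end": "2016-09-30"},
    {"id": "v201", "type": "vendor",   "ents": {"crm:export"},   "contract_end": "2017-12-31"},
    {"id": "p300", "type": "partner",  "ents": {"crm:read"},     "contract_end": "2017-03-31"},
    {"id": "c400", "type": "customer", "ents": {"portal:view"},  "contract_end": None},
]

# Constructed log: "<ISO timestamp> <account> <resource> <action>" per line.
ACCESS_LOG = """\
2016-10-03T02:14:00Z v200 erp:db_admin login
2016-09-01T09:00:00Z e100 erp:ap_entry login
2016-05-10T11:30:00Z p300 crm:read login
2016-10-05T16:00:00Z c400 portal:view login
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, resource, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, resource, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, resource, action))
    return events


def review_access(accounts, log_text, as_of, dormant_days=90, privileged=PRIVILEGED):
    """Return sorted (account, finding, detail) tuples as of the date as_of (YYYY-MM-DD)."""
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    last_seen = {}
    for ts, account, _, _ in parse_log(log_text):
        last_seen[account] = max(ts, last_seen.get(account, ts))

    findings = []
    for acct in accounts:
        uid, external = acct["id"], acct["type"] != "employee"
        seen = last_seen.get(uid)

        # External party holding privileged entitlements: the article's "closely monitored" case.
        held_priv = acct["ents"] & privileged
        if external and held_priv:
            findings.append((uid, "external_privileged", ",".join(sorted(held_priv))))

        # External account used after its engagement ended: access outlived the contract.
        if external and acct["contract_end"] and seen:
            cutoff = datetime.strptime(acct["contract_end"], "%Y-%m-%d") + timedelta(days=1)
            if seen >= cutoff:
                findings.append((uid, "activity_after_contract_end", seen.date().isoformat()))

        # Dormant account (never used, or unused for dormant_days): a revocation candidate.
        if seen is None or as_of_dt - seen > timedelta(days=dormant_days):
            findings.append((uid, "dormant", seen.date().isoformat() if seen else "never"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, ACCESS_LOG, as_of="2016-10-06"):
        print(*finding)
```

On the constructed data as of 2016-10-06 this flags vendor v200 twice (it holds database-administrator access and logged in three days after its contract ended), vendor v201 as a privileged account that has never been used, and partner p300 as dormant, while the employee and the customer produce no findings. The "never used" case matters in practice: an account that was provisioned for a project that never started is pure exposure, and a review keyed only on last-login dates that treats missing data as "recent" will never surface it.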
Asking the right questions, and involving IT and internal audit to examine and monitor the IAM program, will allow the board to be better informed and to direct spending toward the controls that actually reduce cyber risk.
Lena Licata is a senior manager in EisnerAmper's Consulting Services Group. She assists clients primarily in the financial services and pharmaceutical industries, providing a host of IT audit and risk services.
Risk Management