Recommended
More Related Content
Similar to Advanced IAM - Surviving the IAM Audit
Similar to Advanced IAM - Surviving the IAM Audit (20)
More from Dan Houser
More from Dan Houser (14)
Recently uploaded
Recently uploaded (20)
Advanced IAM - Surviving the IAM Audit
- 1. ADVANCED IAM AUDIT CONSIDERATIONS Surviving, or performing, the IAM Audit.
- 2. BEGIN WITH THE END IN MIND • What kinds of audit are there? Recommendations? • How do Auditors think, and why? – Preventative, detective, & corrective controls – Technical vs procedural controls
- 3. TYPES OF AUDITS… For the purposes of IAM there four kinds of audits you need to be prepared for: • Compliance Audit • Corporate Controls • Internal Audit of IAM • Addressing IAM issues for audits of other areas Tip – Find out who maintains the audit list for IT systems, and meet with them in Q4 to identify all audits that may have IAM questions or concerns.
- 4. TYPES OF AUDITS Compliance Audit • Often this is evaluated by external auditor • Criteria are determined by external source • Expectations are clear Recommendations: • Understand your regulatory environment • Collect the relevant requirements documentation • Review it annually, even in non-audit years
- 5. TYPES OF AUDITS… Corporate Controls & Internal Audit of IAM • Controls are determined by Internal Audit and by your corporate auditors • Criteria are not as black and white as Compliance Audits Recommendations • Usually these are annual or on-going in nature • Strive to have consistent staff involved • Try to have the auditors discuss the risk and control objectives during audit preparation
- 6. TYPES OF AUDITS… Addressing IAM issues for audits of other areas • Occurs when IAM questions are raised during the audit of another systems or process • Timing and urgency often put the IAM team at a disadvantage Recommendations • Understand high risk systems you provide IAM for, and work with them proactively to address their audit needs • Track the requests you receive, and inquire about when the follow-up or next audit will occur • Try to get involved early, during the other team’s audit preparation.
- 7. AUDITOR MINDSET RISKS, CONTROLS, & EVIDENCE • Preventative Controls • Detective Controls • Corrective Controls Type of Control • Technical - Works without human oversight (e.g. locks) • Procedural - Requires people follow processes & provide oversight Once controls are understood, auditors must collect evidence that demonstrates the control is in-place and operating as expected. This requires documentation or a random spot-check process.
- 8. AREAS OF INTEREST When preparing for an IAM audit, view the process holistically… Be prepared to address: • IAM specifics • Logical security • Change Management • Availability, & Disaster Recovery
- 9. IAM SPECIFICS • Details of the IAM system itself – Business process (view) of the system – Network and logical views of the system – Monitoring for availability, intrusion, & change • What oversight and controls are provided – What is the access approval process – Is there a periodic review of identity & access ? – How are privilege concepts, such as “least privilege” and “separation of duties” handled?
- 10. GENERAL SYSTEM CONCERNS Logical security Change Management Availability, & Disaster Recovery • Accountability is established for all IDs (human and system) • Passwords are secured and managed in compliance with accepted standard • How are changes reviewed, approved, tracked? • How are change control violations detected? • What are your processes for managing systems failures, disasters, etc. ?
- 11. LET’S TAKE 10 MIN… Audit preparation is a complex topic We hope to have provided some insights But, let’s take 10 min and discuss experiences, problems, and insights as a group…