Dan Houser, profile picture
Uploaded byDan Houser
PPT, PDF96 views

Advanced IAM - Surviving the IAM Audit

The document discusses considerations for surviving an identity and access management (IAM) audit. It provides recommendations in four key areas: 1. Understand the different types of audits for IAM - compliance, corporate controls, internal IAM audits, and addressing IAM issues in other audits. Prepare for each by understanding requirements and risks. 2. Recognize how auditors think in terms of preventative, detective and corrective controls, and how they need to collect evidence that controls are properly designed and operating as intended. 3. Be prepared to address specific IAM topics like access approval processes, as well as broader issues like logical security, change management, availability and disaster recovery that relate

Embed presentation

Download to read offline
ADVANCED IAM AUDIT CONSIDERATIONS Surviving, or performing, the IAM Audit.
BEGIN WITH THE END IN MIND • What kinds of audit are there? Recommendations? • How do Auditors think, and why? – Preventative, detective, & corrective controls – Technical vs procedural controls
TYPES OF AUDITS… For the purposes of IAM there four kinds of audits you need to be prepared for: • Compliance Audit • Corporate Controls • Internal Audit of IAM • Addressing IAM issues for audits of other areas Tip – Find out who maintains the audit list for IT systems, and meet with them in Q4 to identify all audits that may have IAM questions or concerns.
TYPES OF AUDITS Compliance Audit • Often this is evaluated by external auditor • Criteria are determined by external source • Expectations are clear Recommendations: • Understand your regulatory environment • Collect the relevant requirements documentation • Review it annually, even in non-audit years
TYPES OF AUDITS… Corporate Controls & Internal Audit of IAM • Controls are determined by Internal Audit and by your corporate auditors • Criteria are not as black and white as Compliance Audits Recommendations • Usually these are annual or on-going in nature • Strive to have consistent staff involved • Try to have the auditors discuss the risk and control objectives during audit preparation
TYPES OF AUDITS… Addressing IAM issues for audits of other areas • Occurs when IAM questions are raised during the audit of another systems or process • Timing and urgency often put the IAM team at a disadvantage Recommendations • Understand high risk systems you provide IAM for, and work with them proactively to address their audit needs • Track the requests you receive, and inquire about when the follow-up or next audit will occur • Try to get involved early, during the other team’s audit preparation.
AUDITOR MINDSET RISKS, CONTROLS, & EVIDENCE • Preventative Controls • Detective Controls • Corrective Controls Type of Control • Technical - Works without human oversight (e.g. locks) • Procedural - Requires people follow processes & provide oversight Once controls are understood, auditors must collect evidence that demonstrates the control is in-place and operating as expected. This requires documentation or a random spot-check process.
AREAS OF INTEREST When preparing for an IAM audit, view the process holistically… Be prepared to address: • IAM specifics • Logical security • Change Management • Availability, & Disaster Recovery
IAM SPECIFICS • Details of the IAM system itself – Business process (view) of the system – Network and logical views of the system – Monitoring for availability, intrusion, & change • What oversight and controls are provided – What is the access approval process – Is there a periodic review of identity & access ? – How are privilege concepts, such as “least privilege” and “separation of duties” handled?
GENERAL SYSTEM CONCERNS Logical security Change Management Availability, & Disaster Recovery • Accountability is established for all IDs (human and system) • Passwords are secured and managed in compliance with accepted standard • How are changes reviewed, approved, tracked? • How are change control violations detected? • What are your processes for managing systems failures, disasters, etc. ?
LET’S TAKE 10 MIN… Audit preparation is a complex topic We hope to have provided some insights But, let’s take 10 min and discuss experiences, problems, and insights as a group…

More Related Content

PDF
CNIT 160: Ch 3d: Operational Risk Management
bySam Bowne
 
PPTX
Integrated APT-IGA Solution - Future of IT Security (Vladislav Shapiro, Immer...
byBAKOTECH
 
PDF
CNIT 160 Ch 4b: Security Program Management
bySam Bowne
 
PDF
CNIT 160 Ch 4b: Security Program Management
bySam Bowne
 
PPTX
Hi600 u07_inst_slides
byljmcneill33
 
PDF
CNIT 160 Ch 4a: Information Security Programs
bySam Bowne
 
PDF
CNIT 160: Ch 3c: The Risk Management Life Cycle
bySam Bowne
 
PDF
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
bySam Bowne
 
CNIT 160: Ch 3d: Operational Risk Management
bySam Bowne
 
Integrated APT-IGA Solution - Future of IT Security (Vladislav Shapiro, Immer...
byBAKOTECH
 
CNIT 160 Ch 4b: Security Program Management
bySam Bowne
 
CNIT 160 Ch 4b: Security Program Management
bySam Bowne
 
Hi600 u07_inst_slides
byljmcneill33
 
CNIT 160 Ch 4a: Information Security Programs
bySam Bowne
 
CNIT 160: Ch 3c: The Risk Management Life Cycle
bySam Bowne
 
CNIT 160: Ch 3a: Risk Management Concepts & Implementing a Program
bySam Bowne
 

Similar to Advanced IAM - Surviving the IAM Audit

PPT
Rothke Patchlink
byBen Rothke
 
PPTX
Top-Rated Sailpoint Identity IQ Online Training - Visualpath.pptx
bypravinvisualpath
 
PDF
NACD Directorship_Sept-Oct 2016_Director Advisory_Eisner
byLena Licata
 
PPT
Security audit
byRosaria Dee
 
PPT
Project_Paper_Presentation_ISSC471_Intindolo
byJohn Intindolo
 
PPTX
IT Audit - Evolve and Stay in the Game
bySymptai Consulting Limited
 
PPTX
Sailpoint Online Training on IAM overview
byITJobZone.biz
 
PPS
Auditing
byPardhasaradhi ch
 
PPT
Information System Architecture and Audit Control Lecture 2
byYasir Khan
 
PPT
IT System & Security Audit
byMufaddal Nullwala
 
PPT
The information security audit
byDhani Ahmad
 
PPTX
CONTROL AND AUDIT
byRos Dina
 
PPT
Building Your Roadmap Sucessful Identity And Access Management
byGovernment Technology Exhibition and Conference
 
PPTX
The Essential Experience for CAEs - Audit Committee Need for Insight
byInternational Federation of Accountants
 
PPTX
Automation of Information (Cyber) Security by Joe Hessmiller
byJoe Hessmiller
 
PPTX
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
PPTX
GRC is a framework that helps organizations manage rules, risks, and regulato...
byMaheshTengli3
 
PDF
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
byEQS Group
 
PPTX
Creating a Security Plan for Your Agency - Laird Rixford
byInsurance Technologies Corporation (ITC)
 
PDF
CISA-Exam-Prep-Domain-5-2019.pdf. CISA exam
bygregtap1
 
Rothke Patchlink
byBen Rothke
 
Top-Rated Sailpoint Identity IQ Online Training - Visualpath.pptx
bypravinvisualpath
 
NACD Directorship_Sept-Oct 2016_Director Advisory_Eisner
byLena Licata
 
Security audit
byRosaria Dee
 
Project_Paper_Presentation_ISSC471_Intindolo
byJohn Intindolo
 
IT Audit - Evolve and Stay in the Game
bySymptai Consulting Limited
 
Sailpoint Online Training on IAM overview
byITJobZone.biz
 
Auditing
byPardhasaradhi ch
 
Information System Architecture and Audit Control Lecture 2
byYasir Khan
 
IT System & Security Audit
byMufaddal Nullwala
 
The information security audit
byDhani Ahmad
 
CONTROL AND AUDIT
byRos Dina
 
Building Your Roadmap Sucessful Identity And Access Management
byGovernment Technology Exhibition and Conference
 
The Essential Experience for CAEs - Audit Committee Need for Insight
byInternational Federation of Accountants
 
Automation of Information (Cyber) Security by Joe Hessmiller
byJoe Hessmiller
 
Cybersecurity Frameworks and You: The Perfect Match
byMcKonly & Asbury, LLP
 
GRC is a framework that helps organizations manage rules, risks, and regulato...
byMaheshTengli3
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
byEQS Group
 
Creating a Security Plan for Your Agency - Laird Rixford
byInsurance Technologies Corporation (ITC)
 
CISA-Exam-Prep-Domain-5-2019.pdf. CISA exam
bygregtap1
 

More from Dan Houser

PPT
MFA, 42 & Compliance - Answers to the Wrong Questions
byDan Houser
 
PPTX
Protect passwords - User Awareness Training
byDan Houser
 
PPTX
Cryptography Overview Presentation circa 2005
byDan Houser
 
PPTX
RSA2003: Forget Firewalls - early Zero Trust
byDan Houser
 
PPTX
Digital Deception: Raising the Stakes on Hackers
byDan Houser
 
PPTX
The Hidden Enemy Within - Why Ungoverned Data is Such a Big Problem
byDan Houser
 
PPT
RSA2008: Sins of our Fathers, for which we still are punished
byDan Houser
 
PPTX
Now More than Ever: Ethics in Cybersecurity
byDan Houser
 
PPT
RSA 2005 H&T: Die Script Kiddie! Die, Die, Die!
byDan Houser
 
PPTX
Crypto in the Real World - ISACA 10-Jan-2008
byDan Houser
 
PPT
Power Up your LinkedIn Profile, Effectively Highlight your Branc
byDan Houser
 
PPTX
My Baby Done Bad Crypto - My Sweet Baby Done Me Wrong
byDan Houser
 
PPTX
The Death of Best-of-Breed - Leveraging Cloud for Security Transformation
byDan Houser
 
PPTX
2024 Security Outlook & Essential Security Practices
byDan Houser
 
PPTX
Hacking and Armoring Identity Ecosystems: When MFA Isn't Good Enough Any Longer
byDan Houser
 
PPTX
Driving Change and Resilience: Aligning Cybersecurity with Organizational St...
byDan Houser
 
ODP
2013 (ISC)² Congress: This Curious Thing Called Ethics
byDan Houser
 
PPTX
Securing Big Data and the Grid
byDan Houser
 
PPT
RSA2008: What Vendors Won’t Tell You About Federated Identity
byDan Houser
 
PPT
The Challenges & Risks of New Technology: Privacy Law & Policy
byDan Houser
 
MFA, 42 & Compliance - Answers to the Wrong Questions
byDan Houser
 
Protect passwords - User Awareness Training
byDan Houser
 
Cryptography Overview Presentation circa 2005
byDan Houser
 
RSA2003: Forget Firewalls - early Zero Trust
byDan Houser
 
Digital Deception: Raising the Stakes on Hackers
byDan Houser
 
The Hidden Enemy Within - Why Ungoverned Data is Such a Big Problem
byDan Houser
 
RSA2008: Sins of our Fathers, for which we still are punished
byDan Houser
 
Now More than Ever: Ethics in Cybersecurity
byDan Houser
 
RSA 2005 H&T: Die Script Kiddie! Die, Die, Die!
byDan Houser
 
Crypto in the Real World - ISACA 10-Jan-2008
byDan Houser
 
Power Up your LinkedIn Profile, Effectively Highlight your Branc
byDan Houser
 
My Baby Done Bad Crypto - My Sweet Baby Done Me Wrong
byDan Houser
 
The Death of Best-of-Breed - Leveraging Cloud for Security Transformation
byDan Houser
 
2024 Security Outlook & Essential Security Practices
byDan Houser
 
Hacking and Armoring Identity Ecosystems: When MFA Isn't Good Enough Any Longer
byDan Houser
 
Driving Change and Resilience: Aligning Cybersecurity with Organizational St...
byDan Houser
 
2013 (ISC)² Congress: This Curious Thing Called Ethics
byDan Houser
 
Securing Big Data and the Grid
byDan Houser
 
RSA2008: What Vendors Won’t Tell You About Federated Identity
byDan Houser
 
The Challenges & Risks of New Technology: Privacy Law & Policy
byDan Houser
 

Recently uploaded

PPTX
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
PPTX
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
PPTX
AI and Digital Transformation Solutions.
byBuildingblocks
 
PDF
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
PPTX
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PPTX
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
PDF
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
PPTX
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PDF
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
PPT
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PPTX
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
DOCX
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
PDF
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PDF
LUXHUB: a detailed look at 2025...and fast forward to 2026
byalexandrekeilmann1
 
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
AI and Digital Transformation Solutions.
byBuildingblocks
 
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Advance Computer Architecture Lecture 4.pptx
byBottshikanBottshikan
 
Router-DHCP-Printer-SharingRouter-DHCP-Printer-Sharing
byarbendi2160
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
Understanding-Search-Algorithms_09-12-25.pptx
byshaikmahammedtauheed
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
Database Management Systems: Basics, History, Data Models, etc.
byParithi Thamizh
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
apidays Australia 2025 | Building AI RAG Applications with No Code.pptx
byapidays
 
Best Web to Learn About Buying Verified Skrill Accounts (Los Angeles).docx
byhttps://topsellerit.com/product/buy-verified-binance-accounts/
 
CISO_2027_Playbook: Sovereign AI Resilience & Quantum-Proof Identity
bySaraDavis91
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
LUXHUB: a detailed look at 2025...and fast forward to 2026
byalexandrekeilmann1
 

Advanced IAM - Surviving the IAM Audit

  • 1.
    ADVANCED IAM AUDIT CONSIDERATIONS Surviving,or performing, the IAM Audit.
  • 2.
    BEGIN WITH THEEND IN MIND • What kinds of audit are there? Recommendations? • How do Auditors think, and why? – Preventative, detective, & corrective controls – Technical vs procedural controls
  • 3.
    TYPES OF AUDITS… Forthe purposes of IAM there four kinds of audits you need to be prepared for: • Compliance Audit • Corporate Controls • Internal Audit of IAM • Addressing IAM issues for audits of other areas Tip – Find out who maintains the audit list for IT systems, and meet with them in Q4 to identify all audits that may have IAM questions or concerns.
  • 4.
    TYPES OF AUDITS ComplianceAudit • Often this is evaluated by external auditor • Criteria are determined by external source • Expectations are clear Recommendations: • Understand your regulatory environment • Collect the relevant requirements documentation • Review it annually, even in non-audit years
  • 5.
    TYPES OF AUDITS… CorporateControls & Internal Audit of IAM • Controls are determined by Internal Audit and by your corporate auditors • Criteria are not as black and white as Compliance Audits Recommendations • Usually these are annual or on-going in nature • Strive to have consistent staff involved • Try to have the auditors discuss the risk and control objectives during audit preparation
  • 6.
    TYPES OF AUDITS… AddressingIAM issues for audits of other areas • Occurs when IAM questions are raised during the audit of another systems or process • Timing and urgency often put the IAM team at a disadvantage Recommendations • Understand high risk systems you provide IAM for, and work with them proactively to address their audit needs • Track the requests you receive, and inquire about when the follow-up or next audit will occur • Try to get involved early, during the other team’s audit preparation.
  • 7.
    AUDITOR MINDSET RISKS, CONTROLS,& EVIDENCE • Preventative Controls • Detective Controls • Corrective Controls Type of Control • Technical - Works without human oversight (e.g. locks) • Procedural - Requires people follow processes & provide oversight Once controls are understood, auditors must collect evidence that demonstrates the control is in-place and operating as expected. This requires documentation or a random spot-check process.
  • 8.
    AREAS OF INTEREST Whenpreparing for an IAM audit, view the process holistically… Be prepared to address: • IAM specifics • Logical security • Change Management • Availability, & Disaster Recovery
  • 9.
    IAM SPECIFICS • Detailsof the IAM system itself – Business process (view) of the system – Network and logical views of the system – Monitoring for availability, intrusion, & change • What oversight and controls are provided – What is the access approval process – Is there a periodic review of identity & access ? – How are privilege concepts, such as “least privilege” and “separation of duties” handled?
  • 10.
    GENERAL SYSTEM CONCERNS Logicalsecurity Change Management Availability, & Disaster Recovery • Accountability is established for all IDs (human and system) • Passwords are secured and managed in compliance with accepted standard • How are changes reviewed, approved, tracked? • How are change control violations detected? • What are your processes for managing systems failures, disasters, etc. ?
  • 11.
    LET’S TAKE 10MIN… Audit preparation is a complex topic We hope to have provided some insights But, let’s take 10 min and discuss experiences, problems, and insights as a group…