Alexandre Luna, profile picture
Uploaded byAlexandre Luna
PDF, PPTX699 views

E12 Sox And Identity Management

This document discusses identity management (IdM) and how it relates to the Sarbanes-Oxley Act of 2002. IdM is a business strategy that involves technologies and processes to securely manage relationships with valuable assets. The Sarbanes-Oxley Act established regulations for public company financial reporting and internal controls. IdM can help companies comply with sections 302 and 404 which address management responsibilities and internal controls assessments. The document recommends a solution involving role engineering and an identity management infrastructure to address issues like segregation of duties conflicts.

Embed presentation

Download as PDF, PPTX
1 WE CAN HELP YOU SECURELY MANAGE YOUR RELATIONSHIPS WITH YOUR MOST VALUEABLE ASSETS… IDENTITY MANAGEMENT & SARBANES-OXLEY October 4, 2004 Ehab Dawoud Director, Advisory Practice !"#
2 Table of Contents • Identity Management • Value of Identity Management • Sarbanes Oxley $ Overview $ Section 302 $ Section 404 • Control Objectives of Sarbanes Oxley • The Issue • The Recommended Solution 2 !"# !"#
3 IdM Identity Management is not a turnkey solution – it is a business strategy manifested in a comprehensive and evolving solution deployment that must ultimately involve the entire enterprise. IdM is a convergence of technologies and business processes. There is no single approach to IdM because the strategy must reflect specific requirements within the business and technology context of each organization. 3 !"# !"#
4 Identity Management (IdM), its a business strategy affecting the entire organization. The Solution Key Drivers Cost Reduction Increased Security Increased Compliance Enhanced User Experience Centralised Policies Identity Management (IdM), from Delegated Administration %"& 4 !"# !"#
5 How do I manage all of the corporate Timeline - 2001 user’s identity and credentials across the enterprise application landscape? b2c e-business e-services HR extranet Intranet b2b e-market e-services EMPLOYEE portals places SUPPLIERS knowledge ERP e-services ERP sharing SCM SCM Portal extranet e-market places ERP Knowledge extranet b2c sharing CUSTOMERS BUSINESS e-services PARTNERS b2b e-services e-business e-business knowledge sharing 5 !"# !"#
6 Enterprise Security Enterprise Security ' The strategy for securing information and enabling resources ' The security delivery model for the company ' The security framework that serves the extended enterprise ' Provides a common security services component framework Identity Management ' The source of timely and trustworthy user management ' The place where user information is secured ' The vehicle for user enablement across the enterprise ' The focal point of securing the enterprise information ' The solution to effectively and efficiently be Sarbanes Oxley compliant 6 !"# !"#
What is the IdM value? 7 Key IdM Business Drivers and Objectives – Gartner/PwC Market Study Security $ Secure data and network access $ Increase ability to manage enterprise assets $ Assure authentication across platforms Strategic Regulatory $ Centrally managed environment Operations Management Initiatives Requirements $ Decrease administrative/help desk overhead $ Reduce number of logins/passwords $ Efficiently and effectively support high-turnover, high- Operations growth environments Increased Compliance Security Management $ Sarbanes Oxley $ HIPAA $ FDIC $ Gramm-Leach-Bliley $ Sarbanes-Oxley Business Initiatives $ Support CRM, Portals, SCM, ERP, etc. 7 !"# !"#
What is the IdM value? 8 Key IdM Business Drivers from a Sarbanes Oxley Point of View Short Term $ User access control $ Enterprise role definition $ Segregation of duties $ Delegation of authority $ Adequate methods of de-provisioning user accounts $ Audit trail for system access. Long Term $ Develop consistent, sustainable, reusable method of managing user access controls including: $ Addressing open audit issues $ Internal/external employees, non-employees, contractors, consultants, partners, and vendors $ The entire lifecycle from submission of an application to termination of employment or contract including job transfers 8 !"# !"#
What is the IdM value? 9 According to the Gartner/PwC market study, organizations are targeting identity management for compliance, cost savings, productivity improvement, increased security and increased user satisfaction. Productivity Improvement Lower user administration costs through centralized administrative Cost Savings and functions for multiple platforms: “saved 40 percent in less than one year” Gartner/PwC Market Study Breadth/Depth of IdM 9 !"# !"#
10 Sarbanes-Oxley Act of 2002: Overview Basic requirements of the Act • Management of “publicly traded companies” are required to make an assertion regarding the effectiveness of their internal controls over financial reporting. • The internal controls must be documented and management must be in a position to demonstrate to its auditors and regulators its support for its assertion. • An external auditor will have to attest to management’s assertion and include a report in public filings the results of the attestation. • Management must utilize a framework such as COSO for assessing its controls and making its assertion. Potential Ramifications of Non-Compliance • Violation of Federal law and regulations. • Civil and criminal liability exposure. • Damage to reputation, brand, and/or regulatory relationships. • Diminution in value of the company. 10 !"# !"#
11 Section 302 of Sarbanes Oxley Who • A company’s management, with the participation of the principal executive and financial officer (the certifying officers) What • Certifying officers are responsible for establishing and maintaining internal control over financial reporting. • Certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. 11 !"# !"#
12 Section 302 of Sarbanes Oxley • Any changes in the company’s internal control over financial reporting that have occurred during the most recent fiscal quarter and have materially affected, or are reasonably likely to materially affect, the company’s internal control over financial reporting are disclosed. • When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading. When • Already in effect as of July 2002 12 !"# !"#
13 Section 404 of Sarbanes Oxley Who • Corporate management, executives and participation of the principal executive and financial officer (“management” has not been defined by the PCAOB—Public Company Accounting Oversight Board.) What • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company • A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting • An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether internal control over financial reporting is effective 13 !"# !"#
14 Section 404 of Sarbanes Oxley – Cont’d • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting • A written conclusion by management about the effectiveness of the company’s internal control over financial reporting. • Management is precluded from concluding that the company’s internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year. When • Year-ends beginning on or after 15 November 2004** **Non-accelerated filers (<US $75 million market capitalization) can defer to15 July 2005 14 !"# !"#
15 Control Objectives of Sarbanes Oxley that Identity Management can address 'Procedures exist and are followed to authenticate all users to the system to support the validity of transactions. - Authentication/Authorization 'Procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms - Authentication/Authorization (e.g., regular password changes). 'Procedures exist and are followed to ensure timely action - User Provisioning/De-provisioning relating to requesting, establishing, issuing, suspending and user accounts. 'A control process exists and is followed to periodically review and confirm access rights. - Monitoring of User Access 'Where appropriate, controls exist to ensure that neither party can deny transactions and controls are implemented to - Workflow and monitoring of workflows provide transaction initiation and approval. 15 !"# !"#
16 Control Objectives of Sarbanes Oxley that Identity Management can address 'Controls relating to appropriate segregation of duties over - User Provisioning/Work Flow requesting and granting access to systems and data exist and are followed. 'Access to user-developed systems is restricted to a limited - Authentication/Authorization number of users. 16 !"# !"#
17 How is Sarbanes affecting a company’s technology infrastructure and capabilities • Many companies are putting manual processes & “solutions” in place for first year compliance, which is acceptable. However, automating those processes & solutions for long term effectiveness is “critical”. • Key technology areas impacted within a company include: $ ERP systems $ Network infrastructure $ Directories, Identity provisioning, and access management systems $ Documentation control & monitoring $ Data quality & governance • Understanding the relationship between the Sarbanes-Oxley requirements and the tactical and strategic technology enablers is “critical” for the C suite of these companies. 17 !"# !"#
18 The Issue A potential for a control deficiency to be identified concerning conflicts in segregation of duties within the key applications, and potentially across other financial applications. The lack of user access controls over one or more of these applications can have a pervasive impact over financial processes that lead to a significant deficiency and/or material weakness if not remediated. 18 !"# !"#
19 Root Cause • User retains old Roles and privileges from previous positions • User may inherit Roles from others through delegation of authority • Roles are designed • Users may gain additional access Role specific to applications privileges due to dynamic Roles/groups Role SAP Role • Each application • No global view of user access rights maintains its own list of • Unauthorized sharing of passwords Roles and Access Role Control List Role Seibel Delegation Role • Segregation of duties are implemented on each application Role P individually P Billing P: Permission / Privilege P • Lack of centralized Inheritance Access Control systems Dynamic to enforce security P policies Roles/Groups Role P P Payroll Results Results $ Lack of check for segregation of duties across the enterprise $ Lack of check for segregation of duties across the enterprise $ Lack of enterprise user access control model $ Lack of enterprise user access control model 19 !"# !"#
20 Recommended Solution Design a user access control model and framework that supports key security principles: • Least Privilege: users to operate with minimum set of privileges necessary to do their jobs • Segregation of duties: for particular set of transactions, no single individual be allowed to execute all transaction within the set. • Data Abstraction: • Security policies be independent from data and system specific resources and • Adaptable across various systems Develop a reference architecture for the user access control systems to enforce the defined model Solution = Role Engineering + IdM Infrastructure Solution = Role Engineering + IdM Infrastructure 20 !"# !"#
21 Role Proliferation Many-to-one vs. many-to-many ' Many-to-many relationship: ' Many-to-one relationship: ' Role Permutation of five permissions: (5!) ' Role Permutation: Max of 5 Roles 5x4x3x2x1 = up to 120 unique roles to manage Role Role Role Role Role Role Role Role Role Role P1 P2 P3 P4 P5 P1 P2 P3 P4 P5 5 System permissions 5 System permissions 21 !"# !"#
22 Role Engineering Concepts ' Background information: 1000 end users, 500 permissions ' Issue: How many roles are needed? 1000 End Users Responsibility Oriented Design Factors Process Oriented Roles Roles Responsibility Role Oriented Function of ( Desire for less ( Need for more granular Role administration access Risk ( Responsibility oriented ( Process oriented roles roles ( Results in more roles ( Results in few roles Role: #??? Oriented Process Maintenance ( Lower number of roles ( Higher number of roles Maint. Implication ( Reduced administrative ( Increased administrative maintenance maintenance Risk ( Increased risk, through less ( Decreased risk, through Implication granular permission more granular permission groupings groupings Role Role Role Role Content of ( 10 roles ( 50 roles Role ( Each role has average of ( Each role has average of 10 Actions Resources 50 permissions permissions 22 500 Permissions !"# !"#
23 Solution Concepts •Profile represents a global view of user access rights Map user to profile Map profile to Roles Map Roles to Permissions •Each user can assume one profile at any given session Access Control Model Role P P Access Control System SAP •Each profile can map to Static segregation Role P P of duties multiple Roles •There is a centralized P access control system to Role Role P Seibel enforce security policies Profile P P •Access control systems that monitor segregation of Session Roles Role P P Role Billing duties to include: P P $Static Roles $Dynamic Roles Session $Delegation of P P Role authority Role P Payroll P Dynamic segregation of duties 23 !"# !"#
24 Enterprise Level and System Level View 24 !"# !"#
25 Reference Architecture User Provisioning and Workflow Process Flow Identity Approvers Application Landscape Authorative Portal Source(s) RBAC Security Workflow RBAC Roles Connectors Policy User Relational Users Store Store Database 25 !"# !"#
26 Key Deliverable - Organizational Access Matrix •The Organizational Access Matrix is composed of multiple relationships and provides a central repository for the RBAC design specifications. • User to Process Responsibility • Process to System • User to Profile Organizational Access Matrix • Profile to Role • Process to Task • Task to Permission • Permission to Role 26 !"# !"#
27 Key Task – Role to Profile Mapping Profile to Role Mapping - This sample matrix represents the E P 10 E P 11 E P 12 E P 13 E P 14 E P 15 E P 16 E P 17 E P 18 E P 19 E P 20 E P 21 E P 22 E P 23 E P 24 E P 25 E P 26 E P 27 E P 28 E P 29 EP1 EP2 EP3 EP4 EP5 EP6 EP7 EP8 EP9 alignment of the Role1 Role2 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X previously created Role3 Role4 X X X X X X X X X X X X X X X X X X X X X X Profiles and Roles. Role5 Role6 X X X X X X X X X X X X X X X X X X X X X X - This relationship Role7 Role8 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X defines the underlying Role9 Role10 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X roles that a user will Role11 Role12 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X inherit when assigned Role13 Role14 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X a Profile. Role15 Role16 X X X X X X X X X X X X X X X X X X X X X X X X X X Role17 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Role18 X X X X X X X X X X X X X X Role19 X X X X X X X X X X X X X X Role20 Role21 X X X X X X X X X X X X X X Role22 Role23 X X X X X X X X X X X X X X 27 !"# !"#
28 Conclusion • IdM is an enabling tool to implement a sustained-automated process for: - User Access Control - Segregation of Duties - Delegation of Authority • Most companies have 60-70% of their enterprise role already defined • Limit the number of key application list to 6-8 apps. • Validate and prototype the model for a subset of users. This group of users should include those who are involved with financial transactions. 28 !"# !"#
29 Ehab Dawoud Gretchen Lott edawoud @us.pwc.com Gretchen.l.lott@us.pwc.com 415-498-7333 415-281-4749 Your Worlds Our People 29 !"# © 2002, PricewaterhouseCoopers LLP. All rights reserved. !"# PricewaterhouseCoopers refers to the US firm of PricewaterhouseCoopers LLP and other member firms of the worldwide PricewaterhouseCoopers organization.

More Related Content

PDF
Ecz Services(2)
bysaima10
 
PDF
Is pervasive governance_part_of_your_ecm_strategy
byQuestexConf
 
PDF
IDM & IAM 2012
byAriel Evans
 
PPSX
Credexo IDM
bysiadehghan
 
PDF
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16
bylliu
 
PDF
E-commerce Technology for Safe money transaction over the net
byRaman K. Attri
 
PDF
Financial Technology Market Analysis - March 2012
byMMMTechLaw
 
PDF
QualyCloud
byFabrice Heurtaux
 
Ecz Services(2)
bysaima10
 
Is pervasive governance_part_of_your_ecm_strategy
byQuestexConf
 
IDM & IAM 2012
byAriel Evans
 
Credexo IDM
bysiadehghan
 
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16
bylliu
 
E-commerce Technology for Safe money transaction over the net
byRaman K. Attri
 
Financial Technology Market Analysis - March 2012
byMMMTechLaw
 
QualyCloud
byFabrice Heurtaux
 

What's hot

PDF
Northridge Webinar Share Point 2010 Public Web
byjfarq
 
PDF
Girnar Soft Profile April 2011
byGirnarsoft Pvt Ltd
 
PDF
SAS Forum India: Building for Success: The Foundation for Achievable Master D...
bySAS Institute India Pvt. Ltd
 
PPTX
Adam consulting corporate profile
byShanavas Ameerkannu
 
PDF
GirnarSoft Profile
byGirnarsoft Pvt Ltd
 
PDF
Market Intelligence Solution, Knowledge Partnership
byDeepak Pareek
 
PPTX
Intro to yakpact fexco prizebond team slideshare
byCormac Murphy
 
PDF
Introduction to SOA &amp; its Open Source Framework
byThanachart Numnonda
 
PDF
GirnarSoft Profile
byCharu Kishnani
 
PDF
B13 Driving Business Intelligence John Robson
byProvoke Solutions
 
PPT
Internet on business_print
byFrancis George
 
PDF
E intelligence
bySumit Sharma
 
PPTX
Cleverlance Group
byCleverlance Group
 
PDF
Magic finger
byInteractive BI Diamond
 
PDF
Mindtree's expertise in corporate banking portals.
byMindtree Ltd.
 
PDF
Comodo Overview Presentation Read Only
byJayHicks
 
PDF
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
byiCrossing
 
PDF
Enabling the Social Enterprise
byIMAGINE
 
PAGES
Company Profile
byVision Effect Technosolutions (Pvt.) Ltd.
 
Northridge Webinar Share Point 2010 Public Web
byjfarq
 
Girnar Soft Profile April 2011
byGirnarsoft Pvt Ltd
 
SAS Forum India: Building for Success: The Foundation for Achievable Master D...
bySAS Institute India Pvt. Ltd
 
Adam consulting corporate profile
byShanavas Ameerkannu
 
GirnarSoft Profile
byGirnarsoft Pvt Ltd
 
Market Intelligence Solution, Knowledge Partnership
byDeepak Pareek
 
Intro to yakpact fexco prizebond team slideshare
byCormac Murphy
 
Introduction to SOA &amp; its Open Source Framework
byThanachart Numnonda
 
GirnarSoft Profile
byCharu Kishnani
 
B13 Driving Business Intelligence John Robson
byProvoke Solutions
 
Internet on business_print
byFrancis George
 
E intelligence
bySumit Sharma
 
Cleverlance Group
byCleverlance Group
 
Magic finger
byInteractive BI Diamond
 
Mindtree's expertise in corporate banking portals.
byMindtree Ltd.
 
Comodo Overview Presentation Read Only
byJayHicks
 
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
byiCrossing
 
Enabling the Social Enterprise
byIMAGINE
 
Company Profile
byVision Effect Technosolutions (Pvt.) Ltd.
 

Similar to E12 Sox And Identity Management

PDF
IBSolution Bulgaria at SAP World tour 2011
byivanparvanov
 
PDF
Sun Gerenciamento de Identidade com Segurança
byVictor Castro
 
PDF
I B M ECM Roadmap
byAmrMohamedSamir
 
PDF
10 key decisions_your_ecm_checklist
byQuestexConf
 
PPTX
Integrated it portfolio management using epm live's it engine app
byEPM Live
 
PPTX
What does it take to be an ECM expert?
byAtle Skjekkeland
 
PDF
Business Process Management
byIBMGovernmentCA
 
PPTX
Create a 'Customer 360' with Master Data Management for Financial Services
byPerficient, Inc.
 
PPTX
Microsoft Business Intelligence Vision and Strategy
byNic Smith
 
PPT
Building an Effective Identity Management Strategy
byNetIQ
 
PPT
2005 Presentation - Annual ITAM Conference
bySteve Gerick
 
PPTX
Intellinet Overview 2009
bymclevenger
 
PDF
Lean IT
byGeorge Sullenberger III, PMP, CSM
 
PDF
Arrow ECS/IBM Partner Jam – MobileFirst – A BP’s Perspective - David Peacock...
byArrow ECS UK
 
PDF
SYMCAnnual
byfinance40
 
PPTX
2009 Intellinet Overview
byMark Seeley
 
PDF
SAP Portal Content and Site Management by OpenText
bySAP Portal
 
PDF
IT Enabled Higher Education
byInfosys
 
PDF
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
byIS Unified Digital Enterprise Management ERP for IT
 
PDF
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
byMicrosoft Private Cloud
 
IBSolution Bulgaria at SAP World tour 2011
byivanparvanov
 
Sun Gerenciamento de Identidade com Segurança
byVictor Castro
 
I B M ECM Roadmap
byAmrMohamedSamir
 
10 key decisions_your_ecm_checklist
byQuestexConf
 
Integrated it portfolio management using epm live's it engine app
byEPM Live
 
What does it take to be an ECM expert?
byAtle Skjekkeland
 
Business Process Management
byIBMGovernmentCA
 
Create a 'Customer 360' with Master Data Management for Financial Services
byPerficient, Inc.
 
Microsoft Business Intelligence Vision and Strategy
byNic Smith
 
Building an Effective Identity Management Strategy
byNetIQ
 
2005 Presentation - Annual ITAM Conference
bySteve Gerick
 
Intellinet Overview 2009
bymclevenger
 
Lean IT
byGeorge Sullenberger III, PMP, CSM
 
Arrow ECS/IBM Partner Jam – MobileFirst – A BP’s Perspective - David Peacock...
byArrow ECS UK
 
SYMCAnnual
byfinance40
 
2009 Intellinet Overview
byMark Seeley
 
SAP Portal Content and Site Management by OpenText
bySAP Portal
 
IT Enabled Higher Education
byInfosys
 
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
byIS Unified Digital Enterprise Management ERP for IT
 
Microsoft India - Forefront Value Of Identity And Security Offerings Presenta...
byMicrosoft Private Cloud
 

E12 Sox And Identity Management

  • 1.
    1 WE CAN HELPYOU SECURELY MANAGE YOUR RELATIONSHIPS WITH YOUR MOST VALUEABLE ASSETS… IDENTITY MANAGEMENT & SARBANES-OXLEY October 4, 2004 Ehab Dawoud Director, Advisory Practice !"#
  • 2.
    2 Table of Contents •Identity Management • Value of Identity Management • Sarbanes Oxley $ Overview $ Section 302 $ Section 404 • Control Objectives of Sarbanes Oxley • The Issue • The Recommended Solution 2 !"# !"#
  • 3.
    3 IdM Identity Managementis not a turnkey solution – it is a business strategy manifested in a comprehensive and evolving solution deployment that must ultimately involve the entire enterprise. IdM is a convergence of technologies and business processes. There is no single approach to IdM because the strategy must reflect specific requirements within the business and technology context of each organization. 3 !"# !"#
  • 4.
    4 Identity Management (IdM), its a business strategy affecting the entire organization. The Solution Key Drivers Cost Reduction Increased Security Increased Compliance Enhanced User Experience Centralised Policies Identity Management (IdM), from Delegated Administration %"& 4 !"# !"#
  • 5.
    5 How do I manage all of the corporate Timeline - 2001 user’s identity and credentials across the enterprise application landscape? b2c e-business e-services HR extranet Intranet b2b e-market e-services EMPLOYEE portals places SUPPLIERS knowledge ERP e-services ERP sharing SCM SCM Portal extranet e-market places ERP Knowledge extranet b2c sharing CUSTOMERS BUSINESS e-services PARTNERS b2b e-services e-business e-business knowledge sharing 5 !"# !"#
  • 6.
    6 Enterprise Security Enterprise Security ' The strategy for securing information and enabling resources ' The security delivery model for the company ' The security framework that serves the extended enterprise ' Provides a common security services component framework Identity Management ' The source of timely and trustworthy user management ' The place where user information is secured ' The vehicle for user enablement across the enterprise ' The focal point of securing the enterprise information ' The solution to effectively and efficiently be Sarbanes Oxley compliant 6 !"# !"#
  • 7.
    What is theIdM value? 7 Key IdM Business Drivers and Objectives – Gartner/PwC Market Study Security $ Secure data and network access $ Increase ability to manage enterprise assets $ Assure authentication across platforms Strategic Regulatory $ Centrally managed environment Operations Management Initiatives Requirements $ Decrease administrative/help desk overhead $ Reduce number of logins/passwords $ Efficiently and effectively support high-turnover, high- Operations growth environments Increased Compliance Security Management $ Sarbanes Oxley $ HIPAA $ FDIC $ Gramm-Leach-Bliley $ Sarbanes-Oxley Business Initiatives $ Support CRM, Portals, SCM, ERP, etc. 7 !"# !"#
  • 8.
    What is theIdM value? 8 Key IdM Business Drivers from a Sarbanes Oxley Point of View Short Term $ User access control $ Enterprise role definition $ Segregation of duties $ Delegation of authority $ Adequate methods of de-provisioning user accounts $ Audit trail for system access. Long Term $ Develop consistent, sustainable, reusable method of managing user access controls including: $ Addressing open audit issues $ Internal/external employees, non-employees, contractors, consultants, partners, and vendors $ The entire lifecycle from submission of an application to termination of employment or contract including job transfers 8 !"# !"#
  • 9.
    What is theIdM value? 9 According to the Gartner/PwC market study, organizations are targeting identity management for compliance, cost savings, productivity improvement, increased security and increased user satisfaction. Productivity Improvement Lower user administration costs through centralized administrative Cost Savings and functions for multiple platforms: “saved 40 percent in less than one year” Gartner/PwC Market Study Breadth/Depth of IdM 9 !"# !"#
  • 10.
    10 Sarbanes-Oxley Act of2002: Overview Basic requirements of the Act • Management of “publicly traded companies” are required to make an assertion regarding the effectiveness of their internal controls over financial reporting. • The internal controls must be documented and management must be in a position to demonstrate to its auditors and regulators its support for its assertion. • An external auditor will have to attest to management’s assertion and include a report in public filings the results of the attestation. • Management must utilize a framework such as COSO for assessing its controls and making its assertion. Potential Ramifications of Non-Compliance • Violation of Federal law and regulations. • Civil and criminal liability exposure. • Damage to reputation, brand, and/or regulatory relationships. • Diminution in value of the company. 10 !"# !"#
  • 11.
    11 Section 302 ofSarbanes Oxley Who • A company’s management, with the participation of the principal executive and financial officer (the certifying officers) What • Certifying officers are responsible for establishing and maintaining internal control over financial reporting. • Certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. 11 !"# !"#
  • 12.
    12 Section 302 ofSarbanes Oxley • Any changes in the company’s internal control over financial reporting that have occurred during the most recent fiscal quarter and have materially affected, or are reasonably likely to materially affect, the company’s internal control over financial reporting are disclosed. • When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading. When • Already in effect as of July 2002 12 !"# !"#
  • 13.
    13 Section 404 ofSarbanes Oxley Who • Corporate management, executives and participation of the principal executive and financial officer (“management” has not been defined by the PCAOB—Public Company Accounting Oversight Board.) What • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company • A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting • An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether internal control over financial reporting is effective 13 !"# !"#
  • 14.
    14 Section 404 ofSarbanes Oxley – Cont’d • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting • A written conclusion by management about the effectiveness of the company’s internal control over financial reporting. • Management is precluded from concluding that the company’s internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year. When • Year-ends beginning on or after 15 November 2004** **Non-accelerated filers (<US $75 million market capitalization) can defer to15 July 2005 14 !"# !"#
  • 15.
    15 Control Objectives ofSarbanes Oxley that Identity Management can address 'Procedures exist and are followed to authenticate all users to the system to support the validity of transactions. - Authentication/Authorization 'Procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms - Authentication/Authorization (e.g., regular password changes). 'Procedures exist and are followed to ensure timely action - User Provisioning/De-provisioning relating to requesting, establishing, issuing, suspending and user accounts. 'A control process exists and is followed to periodically review and confirm access rights. - Monitoring of User Access 'Where appropriate, controls exist to ensure that neither party can deny transactions and controls are implemented to - Workflow and monitoring of workflows provide transaction initiation and approval. 15 !"# !"#
  • 16.
    16 Control Objectives ofSarbanes Oxley that Identity Management can address 'Controls relating to appropriate segregation of duties over - User Provisioning/Work Flow requesting and granting access to systems and data exist and are followed. 'Access to user-developed systems is restricted to a limited - Authentication/Authorization number of users. 16 !"# !"#
  • 17.
    17 How is Sarbanesaffecting a company’s technology infrastructure and capabilities • Many companies are putting manual processes & “solutions” in place for first year compliance, which is acceptable. However, automating those processes & solutions for long term effectiveness is “critical”. • Key technology areas impacted within a company include: $ ERP systems $ Network infrastructure $ Directories, Identity provisioning, and access management systems $ Documentation control & monitoring $ Data quality & governance • Understanding the relationship between the Sarbanes-Oxley requirements and the tactical and strategic technology enablers is “critical” for the C suite of these companies. 17 !"# !"#
  • 18.
    18 TheIssue A potential for a control deficiency to be identified concerning conflicts in segregation of duties within the key applications, and potentially across other financial applications. The lack of user access controls over one or more of these applications can have a pervasive impact over financial processes that lead to a significant deficiency and/or material weakness if not remediated. 18 !"# !"#
  • 19.
    19 Root Cause • User retains old Roles and privileges from previous positions • User may inherit Roles from others through delegation of authority • Roles are designed • Users may gain additional access Role specific to applications privileges due to dynamic Roles/groups Role SAP Role • Each application • No global view of user access rights maintains its own list of • Unauthorized sharing of passwords Roles and Access Role Control List Role Seibel Delegation Role • Segregation of duties are implemented on each application Role P individually P Billing P: Permission / Privilege P • Lack of centralized Inheritance Access Control systems Dynamic to enforce security P policies Roles/Groups Role P P Payroll Results Results $ Lack of check for segregation of duties across the enterprise $ Lack of check for segregation of duties across the enterprise $ Lack of enterprise user access control model $ Lack of enterprise user access control model 19 !"# !"#
  • 20.
    20 RecommendedSolution Design a user access control model and framework that supports key security principles: • Least Privilege: users to operate with minimum set of privileges necessary to do their jobs • Segregation of duties: for particular set of transactions, no single individual be allowed to execute all transaction within the set. • Data Abstraction: • Security policies be independent from data and system specific resources and • Adaptable across various systems Develop a reference architecture for the user access control systems to enforce the defined model Solution = Role Engineering + IdM Infrastructure Solution = Role Engineering + IdM Infrastructure 20 !"# !"#
  • 21.
    21 Role Proliferation Many-to-one vs. many-to-many ' Many-to-many relationship: ' Many-to-one relationship: ' Role Permutation of five permissions: (5!) ' Role Permutation: Max of 5 Roles 5x4x3x2x1 = up to 120 unique roles to manage Role Role Role Role Role Role Role Role Role Role P1 P2 P3 P4 P5 P1 P2 P3 P4 P5 5 System permissions 5 System permissions 21 !"# !"#
  • 22.
    22 Role Engineering Concepts ' Background information: 1000 end users, 500 permissions ' Issue: How many roles are needed? 1000 End Users Responsibility Oriented Design Factors Process Oriented Roles Roles Responsibility Role Oriented Function of ( Desire for less ( Need for more granular Role administration access Risk ( Responsibility oriented ( Process oriented roles roles ( Results in more roles ( Results in few roles Role: #??? Oriented Process Maintenance ( Lower number of roles ( Higher number of roles Maint. Implication ( Reduced administrative ( Increased administrative maintenance maintenance Risk ( Increased risk, through less ( Decreased risk, through Implication granular permission more granular permission groupings groupings Role Role Role Role Content of ( 10 roles ( 50 roles Role ( Each role has average of ( Each role has average of 10 Actions Resources 50 permissions permissions 22 500 Permissions !"# !"#
  • 23.
    23 Solution Concepts •Profile represents a global view of user access rights Map user to profile Map profile to Roles Map Roles to Permissions •Each user can assume one profile at any given session Access Control Model Role P P Access Control System SAP •Each profile can map to Static segregation Role P P of duties multiple Roles •There is a centralized P access control system to Role Role P Seibel enforce security policies Profile P P •Access control systems that monitor segregation of Session Roles Role P P Role Billing duties to include: P P $Static Roles $Dynamic Roles Session $Delegation of P P Role authority Role P Payroll P Dynamic segregation of duties 23 !"# !"#
  • 24.
    24 Enterprise Level andSystem Level View 24 !"# !"#
  • 25.
    25 Reference Architecture User Provisioning and Workflow Process Flow Identity Approvers Application Landscape Authorative Portal Source(s) RBAC Security Workflow RBAC Roles Connectors Policy User Relational Users Store Store Database 25 !"# !"#
  • 26.
    26 Key Deliverable -Organizational Access Matrix •The Organizational Access Matrix is composed of multiple relationships and provides a central repository for the RBAC design specifications. • User to Process Responsibility • Process to System • User to Profile Organizational Access Matrix • Profile to Role • Process to Task • Task to Permission • Permission to Role 26 !"# !"#
  • 27.
    27 Key Task – Role to Profile Mapping Profile to Role Mapping - This sample matrix represents the E P 10 E P 11 E P 12 E P 13 E P 14 E P 15 E P 16 E P 17 E P 18 E P 19 E P 20 E P 21 E P 22 E P 23 E P 24 E P 25 E P 26 E P 27 E P 28 E P 29 EP1 EP2 EP3 EP4 EP5 EP6 EP7 EP8 EP9 alignment of the Role1 Role2 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X previously created Role3 Role4 X X X X X X X X X X X X X X X X X X X X X X Profiles and Roles. Role5 Role6 X X X X X X X X X X X X X X X X X X X X X X - This relationship Role7 Role8 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X defines the underlying Role9 Role10 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X roles that a user will Role11 Role12 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X inherit when assigned Role13 Role14 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X a Profile. Role15 Role16 X X X X X X X X X X X X X X X X X X X X X X X X X X Role17 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Role18 X X X X X X X X X X X X X X Role19 X X X X X X X X X X X X X X Role20 Role21 X X X X X X X X X X X X X X Role22 Role23 X X X X X X X X X X X X X X 27 !"# !"#
  • 28.
    28 Conclusion •IdM is an enabling tool to implement a sustained-automated process for: - User Access Control - Segregation of Duties - Delegation of Authority • Most companies have 60-70% of their enterprise role already defined • Limit the number of key application list to 6-8 apps. • Validate and prototype the model for a subset of users. This group of users should include those who are involved with financial transactions. 28 !"# !"#
  • 29.
    29 Ehab Dawoud Gretchen Lott edawoud @us.pwc.com Gretchen.l.lott@us.pwc.com 415-498-7333 415-281-4749 Your Worlds Our People 29 !"# © 2002, PricewaterhouseCoopers LLP. All rights reserved. !"# PricewaterhouseCoopers refers to the US firm of PricewaterhouseCoopers LLP and other member firms of the worldwide PricewaterhouseCoopers organization.