General Motors Corporation 2008 Identity and Access Management Stuart McCubbrey Director, Information Technology Audit General Motors Corporation IIA Detroit.

Presentation transcript:

Slide 1: Identity and Access Management
Stuart McCubbrey, Director, Information Technology Audit, General Motors Corporation
Sajai Rai, Partner, Advisory Solutions Practice, Ernst & Young LLP
IIA Detroit Chapter Dinner Meeting, Vis Ta Tech Conference Center, January 8, 2008
General Motors Corporation 2008

Slide 2: Agenda
Introduction
– Business Drivers
– Identity and Access Management Background
Key Concepts
– Identity Management vs Entitlement Management
– Identity Components
– Access Rights and Entitlements
– Provisioning Process
– Administration of Identities and Access Rights Process
– Enforcement Process
– Use of Technology
The Role of Internal Auditors
– Identifying Key Risks and Controls

Slide 3: Business Drivers
Identity and Access Management
– Touches entire business
– Mix of Technology and Process
Key Drivers
– Reduced information security risks
– Reduced IT operating and development costs
– Improved operating efficiencies and transparency
– Improved user satisfaction
– Increased effectiveness of key business initiatives
– Improved regulatory compliance

Slide 4: Identity and Access Management Background
Three Key Questions
– Define who has access to what information?
– Is access appropriate?
– Is access and activity logged and appropriately monitored?
Adoption Risks
– Organization complacency
– Participation
– Planning
– Communication
– Incorporation of all systems into the process
– Process complexity
– Weak process
– Lack of enforcement

Slide 5: Key Concepts
Identity Management vs. Entitlement Management
– Identity and Access Management Process
– Entitlement Management

Slide 6: Key Concepts
Identity Components
– Identity Types
– Identity Onboarding
– Identity Offboarding
Access Rights and Entitlements
– Entitlement Changes
– Privileged Account Management
– Segregation of Duties

Slide 7: User Provisioning Process
Request → Approve → Propagate → Communicate → Log

Slide 8: Administration
Periodic Audit
– Segregation of Duties
– Entitlement Review
Policy Administration
– Creation of IAM Policy if non-existent
– Periodic update of IAM Policies
IAM Strategy
– Components
– Process
– Activities
IAM System Administration
– Manage processes & systems
End-user Password Administration
– Creation and communication of initial passwords
– Resetting lost or stolen passwords
– Managing complexity of passwords
Reporting
– Lists of identities and accesses for review
– Approval lists
– Lists of group and supervisory accounts

Slide 9: Enforcement Process

Slide 10: Use of Technology in Identity and Access Management
Provisioning Process
– Request forms & Workflow capabilities
– Communication of changes
– Generate initial passwords
– Perform Segregation of Duties Analysis
Enforcement Process
– Authentication
– Authorization
Logging and Reporting
– Create logs of use
– Generate reports of users with access
Single Sign-On
Remote Access

Slide 11: The Role of Internal Audit in Assessing IAM

Slide 12: Assessing Inherent Risk – Four Foundational Questions
– Can all users accessing any system be uniquely identified?
– As a supervisor, do you know all systems your employees have access to?
– Are all roles that create segregation of duties conflicts identified, and do you know who can use them?
– When Human Resources exits employees from the organization, is all system access terminated?
Show of hands – Who can confidently answer “Yes” to all four questions?
Yes = Apply your Audit Resources elsewhere; No = There is risk to assess

Slide 13: Assessing Inherent Risk – Why is IAM important?
Central to Confidentiality & Integrity of Business Information
– Information Security is commonly defined as protecting the Confidentiality, Integrity & Availability of Business Information
– IAM directly covers the “C” and the “I”, and indirectly even the “A”
– Applies to:
  – The Information element itself
  – Credentials to access the information
  – System software that hosts the information
  – Application transactions that can allow access
Do you care who can view and change your business information? Of course you do… Your Company’s success depends on it

Slide 14: Assessing Inherent Risk – Why is IAM important?
Regulatory Compliance
– If IAM is linked to Information Security, then multiple laws and regulations apply: Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, various privacy laws, etc., etc., etc.
– Companies have received SOX Significant Deficiencies for Access Control deficiencies (STATS ??)
– 10 years ago: a big collective yawn from Management
– Today: public disclosure of control weaknesses

Slide 15: Assessing Inherent Risk – Why is IAM so problematic?
Proliferation of Identities Required
– Number of applications (GM has over 2,500)
– Number of different platforms hosting applications & devices: Mainframe, Windows, UNIX, Cisco, VPN, etc.
– Number of non-employee users: Suppliers, Dealers, Joint Ventures, Consumers, Outsourced Providers, etc.
– Human beings & programs
– Varying levels of access required, from limited view access to full administrative control
– Bigger risk issue for larger, decentralized companies
In 1989, I had one ID & password to log onto the mainframe – that changed with PC & Server platforms

Slide 16: Assessing Inherent Risk – Why is IAM so problematic?
(Chart: layers of IT circle diagram)

Slide 17: Assessing Inherent Risk – The Big Picture
Assess IAM risk in terms of People, Process & Technology:
People: Any process or technology is going to be executed by human beings
– Are people aware of policies & processes?
– Are those policies & processes clear and effectively communicated?
– Are there specific management control expectations?
– Are there consequences for non-compliance? Accountability without consequences is meaningless
The “problem” is rarely access change requests not being processed; it’s more that they were never submitted

Slide 18: Assessing Inherent Risk – The Big Picture
Assess IAM risk in terms of People, Process & Technology:
Process: Is everybody on the same page?
– Is there a common understanding of how to add/change/delete Identities and Access levels? If not, execution will be all over the map
– Are the processes documented?
– Are the processes manual-intensive? If so, they are very people-dependent and prone to error and/or non-performance
How global, common and standard are the processes?

Slide 19: Assessing Inherent Risk – The Big Picture
Assess IAM risk in terms of People, Process & Technology:
Technology: Is it there?
– Are there multiple directories holding access data (identities, authentication credentials, authorization levels)? Are they linked at all?
– Is there any automated workflow in the various access add/change/delete processes, or is it all manual?
– Are there usable reports for data owners to conduct periodic access reviews?
You can’t control what you don’t know

Slide 20: Assessing Controls – Key Control Themes
Prevention vs. Detection
– Sure, you need periodic access reviews, but they are after-the-fact, typically manually intensive and resisted by system owners
– Focus on controls at the front-end of the “Add-Change-Delete” access process:
  – Are SOD conflicts and business need truly assessed before access is granted?
  – Are there links between Human Resource processes and systems and downstream systems to revoke access?
A controlled process at the start should mean cleaner access reviews later on

Slide 21: Assessing Controls – Key Control Themes
Use layers to your advantage
– When users leave, ensure the front doors are shut off first: Network, , VPN
– This helps mitigate the risk of unauthorized external access; internal application access revocation can be worked on next
– With internal application access, the risk is narrowed to users with existing access using inactive accounts

Slide 22: Assessing Controls – Key Control Themes
Data Cleansing
– Is Management addressing dirty data?
– Identify and remediate duplicate IDs: how can you have accountability if you can’t link access activity to a specific human being or program?
– Identify and remove application segregation of duties conflicts
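The front-end SOD check, the HR-to-downstream revocation link (slide 20) and the duplicate-ID cleansing (slide 22) can all be run as one reconciliation over an account extract. The script below is an added example, not material from the presentation or from GM; its HR feed, account extract and SOD conflict matrix are constructed for illustration.

```python
"""Added example (not from the presentation): an access-review reconciliation
that checks three control themes on constructed data: SoD conflicts across all
of one person's accounts, access held by exited/unknown owners, duplicate IDs."""
from collections import defaultdict

# Constructed HR feed: employee id -> (name, employment status)
HR = {
    "E100": ("A. Alvarez", "active"),
    "E200": ("B. Bauer", "terminated"),
    "E300": ("C. Chen", "active"),
}

# Constructed account extract: (account, owner employee id or None, system, roles)
ACCOUNTS = [
    ("aalvarez", "E100", "erp", {"create_vendor", "approve_payment"}),
    ("bbauer", "E200", "vpn", {"remote_access"}),
    ("bbauer2", "E200", "erp", {"post_journal"}),
    ("cchen", "E300", "erp", {"approve_payment"}),
    ("cchen_adm", "E300", "erp", {"post_journal"}),   # second ID, same person
    ("svc_batch", None, "erp", {"post_journal"}),      # no owner of record
]

# Constructed SoD matrix: role pairs one identity must never hold together
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"})}


def sod_conflicts(accounts=ACCOUNTS, matrix=SOD_CONFLICTS):
    """Owner -> conflicting pairs, evaluated over ALL the owner's accounts."""
    roles = defaultdict(set)
    for _acct, owner, _system, granted in accounts:
        roles[owner] |= granted          # a conflict split across two IDs still counts
    found = {}
    for owner, held in roles.items():
        hits = [tuple(sorted(pair)) for pair in matrix if pair <= held]
        if hits:
            found[owner] = hits
    return found


def orphaned_access(accounts=ACCOUNTS, hr=HR):
    """Accounts whose owner is not an active employee: what an HR exit should revoke."""
    return sorted(acct for acct, owner, _system, _roles in accounts
                  if owner not in hr or hr[owner][1] != "active")


def duplicate_ids(accounts=ACCOUNTS):
    """Owners with more than one account on the same system (weak accountability link)."""
    by_owner_system = defaultdict(list)
    for acct, owner, system, _roles in accounts:
        by_owner_system[(owner, system)].append(acct)
    return {key: sorted(v) for key, v in by_owner_system.items() if len(v) > 1}
```

Accounts with no owner of record surface in the orphan list as well, which is the “program” case of the accountability question above.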

Slide 23: Assessing Controls – Key Control Themes
Reduced Signon (let’s not call it “Single Signon” just yet…)
– As you reduce the distinct number of identities required, you reduce potential points of control failure
– Have applications use central authentication sources (e.g., LDAP Directories, Active Directory)
– Synchronize passwords between applications
Start to unwind the complexity

Slide 24: Assessing Controls – Key Control Themes
User Education & Awareness
– Usually the most cost-effective control
– Do employees know the true cost of uncontrolled access? Can you make them care?
– Do they want to do the right thing, but just don’t know how?
– Does an Information Security Awareness Program exist, and does it address access risks?

Slide 25: GTAG 9 – Identity and Access Management

Slide 26: Questions and Answers