IAM and GRC: A Practical Perspective
Panel Discussion

The Panel
Sumukh Tendulkar, Director of Product Marketing, RSA Archer
Alicia Herring, Director of Risk & Compliance, TSYS
Paul Bedi, Managing Director, IDMWORKS
Jim Ducharme, VP of Engineering, RSA Archer & IMG

#RSAsummit
© Copyright 2014 EMC Corporation. All rights reserved.

RSA Identity and Access Management
Enabling trusted interactions between identities and information

Access Platform (Employees / Partners / Customers):
• Authentication
• Federation / SSO
Governance Platform (Applications / Data / Resources):
• Compliance
• Identity Intelligence
• Identity Lifecycle
• Provisioning

RSA Archer
Governance, Risk and Compliance (GRC)

Audiences: Board & CXOs; CIO/CISO; IT; LOB / Functional Executive; Business; Practitioner; Management

Solution areas:
• Enterprise Risk
• IT Security Risk Management (SecOps, VRM, ISMS, ITIL)
• Regulatory & Corporate Compliance (PCI, FISMA, SOX, NERC-CIP, ISO, Corporate Policies)
• Business Resiliency (BC Planning, DR, Crisis Event Management)
• Audit Management
• Third Party & Vendor Mgmt. (3rd Party Relationship Risk)
• Operational & Enterprise Risk (Risk Control Self Assessments, Loss Event Analysis)
• Common Foundation (Business Context, Workflows, Data Model, Data Integration)

Three Use Cases
1. Continuous Monitoring of Identity Controls to Minimize Risk
2. Manage Access Decisions Based on Application Risk
3. Improve Incident Response with Business and Identity Context

Is There a Relationship?

Term: Corporate Objective
  GRC: Statements established by executives for company’s vision & mission. (e.g. "Shall be SOX Compliant")
  IMG: Statements established by executives for company’s vision & mission. (e.g. "Shall be SOX Compliant")

Term: Policy
  GRC: Directives to help achieve corporate objectives.
  IMG: Rules for correctness of user access to entitlements, based on user attributes.

Term: Authoritative Source
  GRC: Regulatory requirements & industry standards that impact an organization. (e.g. SOX 404)
  IMG: Source of truth about users and their access privileges.

Term: Control Standard
  GRC: Rules for complying with a policy and authoritative source (mgmt. level). (e.g. "Access to applications functions must be restricted to authorized users.")
  IMG: Requirement IAM team implements in IMG.

Term: Control Procedure
  GRC: Operational controls implemented to meet control standards. (e.g. "Accounts of users who are no longer with company shall be deleted."; "Review IAM roles and disable orphaned accounts.")
  IMG: Requirement IAM team implements in IMG. (e.g. Attestation for Control Procedure.)

Term: Application
  GRC: An asset that enables a company to do what it does.
  IMG: System in which user has accounts.

Monitoring of Identity Controls
GRC and IAM

Authoritative Sources: PCI, HIPAA, SOX, NIST, …
Policy: “Access Control Policies and Procedures”
Control Standard #1: Periodic Review of General Access Accounts
  Control Procedure: Quarterly Access Review
Control Standard #2: Role Based Access Control
  Control Procedure: Business / Technical Roles
Control Standard #3: Application Controls
  Control Procedure: Enforce Access Policies

Access Risk Management
Leveraging Risk to Manage Access Approvals

1. GRC: Catalog Applications & Determine Risk
2. IMG: View of Application Risk From Archer
3. IMG: Application Risk Drives Approval Workflow & Review Frequency

Business + Identity Context During Security Investigations

Identity Context: Launch into RSA IMG
• System of Record for Identity & Access Context
• Access to User & Application Entitlement Context

THANK YOU

Risk Dashboard for Access Controls

Corporate Objectives, Policies & Regulatory Standards
  → Access Controls / Control Procedures:
    • SoD
    • Orphaned Account Reviews
    • Process for Managing Access
    • Contractor Access
    • …
  → mapped to Business Units, Products, Services, Processes, Technology
  → Risk Dashboard

RSA’s Approach to GRC

Governance
• Corporate Objectives
• Policy Framework
• Authoritative Sources
• Control Framework
Risk
• Metrics
• Risk Register
• Loss Events
Compliance
• Issue Management
• Exception Requests
• Remediation Plans
• Testing (Manual, Automated)
Enterprise Management
• Business Hierarchy
• Business Processes
• Product
• Services
• Applications
• Data