How can your Identity and Access Management (IAM) help meet regulatory compliance?

Within any sector, only a small subset of employees in an organization truly understand their industry's standards and compliance requirements, and how the Identity and Access Management (IAM) space helps the company satisfy the regulators and become compliant.
August 11, 2016
Tags: Identity-Management, Access-Management, Identity-Compliance, IAM, SOX, NERC, HIPPA, GLB

The typical candidates are your CCO and other C-level executives, the legal department, the GRC/audit team, project sponsors, and your trusted partners. Undoubtedly there are exceptions; Janet from HR and that bearded DBA guy who loves tuna sandwiches are often the exceptions.

Generally speaking, though, it is the negligence of that individual that causes non-compliance and may subsequently have severe consequences for the business (a fine, loss of licence, or damaged credibility) or for the individual (a fine or even jail time). (Sh*t gets real when you're sharing your cell with someone doing time for a felony charge and you're in there for not meeting regulatory compliance!...)

Furthermore, if there is a lack of business support trickling down from the corporate hierarchy, how is it possible to take personal responsibility? The common phrase "compliance is everyone's responsibility, though executives are ultimately responsible" is often redundant and amounts to little more than a buzz-phrase if the definition of responsibility is not understood correctly.

Regardless of the specific regulatory enforcement in an industry, the majority of compliance is driven by past events. SOX was legislated because of accounting infringements at companies such as Enron; NERC was largely driven by the New York blackout of 1977; HIPAA was introduced because the Clinton administration realized that personal health information could be distributed.

So how can you implement an IAM roadmap to help meet your regulatory obligations? After all, your Identity and Access Management solution is only the technical tool available to help meet compliance, not necessarily the solution to compliance. Compliance is not about securing the processes and technologies so much as having the ability to demonstrate to the regulators that the business processes and technologies meet the regulatory requirements. So, in terms of those past events, your Identity and Access Management solution can simplify the complexity by demonstrating that your employees have the principle of least privilege and segregation of duties implemented within your industry.
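The "demonstrate" part is the crux: an auditor wants to see that a conflicting role combination is both found (detective) and refused at provisioning time (preventative). The script below is an added example, not code from the original post or from any IAM product; the role names, users and conflict rules are constructed for illustration, and the control references attached to each rule are labels only.

```python
"""Added example: detective and preventative segregation-of-duties (SoD) checks
over a role-assignment snapshot. Role names, users and rules are constructed
for this illustration and are not taken from a real IAM system."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed SoD policy: pairs of roles one person must never hold together.
# Each rule carries the control it supports so a report can cite it.
SOD_RULES = {
    frozenset({"ap_invoice_entry", "ap_payment_approve"}): "SOX 404 - invoice entry vs payment approval",
    frozenset({"vendor_master_edit", "ap_payment_approve"}): "SOX 404 - vendor setup vs payment approval",
    frozenset({"gl_journal_post", "gl_journal_approve"}): "SOX 302 - journal posting vs approval",
}


@dataclass
class User:
    uid: str
    roles: set[str] = field(default_factory=set)


def violations_for(roles: set[str]) -> list[str]:
    """Return the name of every SoD rule the given role set breaks."""
    return [name for pair, name in SOD_RULES.items() if pair <= roles]


def detective_review(users: list[User]) -> dict[str, list[str]]:
    """Detective control: scan the whole population and report existing conflicts."""
    return {u.uid: v for u in users if (v := violations_for(u.roles))}


def preventative_check(user: User, requested_role: str) -> tuple[bool, list[str]]:
    """Preventative control: evaluate a provisioning request before it is granted.
    Returns (allowed, conflicts); a conflicting request is refused outright."""
    conflicts = violations_for(user.roles | {requested_role})
    return (not conflicts, conflicts)


def grant(user: User, requested_role: str) -> bool:
    """Apply the preventative check and only then change the assignment."""
    allowed, _ = preventative_check(user, requested_role)
    if allowed:
        user.roles.add(requested_role)
    return allowed


# Constructed sample population for a stand-alone run.
SAMPLE_USERS = [
    User("alice", {"ap_invoice_entry", "ap_payment_approve"}),  # pre-existing conflict
    User("bob", {"gl_journal_post"}),
    User("carol", {"vendor_master_edit"}),
]

if __name__ == "__main__":
    for uid, conflicts in detective_review(SAMPLE_USERS).items():
        print(f"DETECTED {uid}: {'; '.join(conflicts)}")
    bob = SAMPLE_USERS[1]
    print("bob + gl_journal_approve ->", preventative_check(bob, "gl_journal_approve"))
    print("bob + ap_invoice_entry   ->", preventative_check(bob, "ap_invoice_entry"))
```

The same rule table drives both checks, which is the point worth showing an auditor: the detective sweep and the provisioning gate cannot drift apart because they read one policy.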

Below is a breakdown of each of the major regulations, their respective focal requirements, and where your Identity and Access Management solution comes into play - Enjoy!

Regulation: SOX
Industries involved: Banking, financials, insurance
Focal requirements:
SOX Section 302 - Corporate Responsibility for Financial Reports: The company must take responsibility for, and demonstrate adequate safeguards to ensure, the integrity of its financial reports.
SOX Section 404 - Management Assessment of Internal Controls: The annual report must also include an internal control report stating that business management is responsible for assessing internal access. Any failings or conflicts of interest in access must be reported and mitigated to an adequate level. Furthermore, external auditors must be able to verify the accuracy of that attestation against the internal accounting controls as well as the operational processes.
IAM solution:
Identity Management: Account provisioning/de-provisioning, RBAC enforcement, and approval workflow process
Access Management: Centralized authentication, SSO implementation, step-up authentication on critical applications, authorization
Privilege Account Management: Enforcing step-up authentication, authorization policies
IAM Auditing: Detective and preventative Segregation of Duties (SoD)

Regulation: HIPAA
Industries involved: Healthcare
Focal requirements:
Federal enforcement ensuring confidentiality and privacy during the transfer of personal health information, and the allocation and use of access rights so that doctors can give patients their full attention without personal hindrance.
Title II - Privacy Rule: Addresses the storing, accessing and sharing of medical and personal information of any individual.
Title II - Security Rule: Outlines the security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).
Title II - Transactions and Code Sets Rule: All HIPAA health care plans are required to standardize HIPAA transactions.
Title II - Unique Identifiers Rule: All HIPAA health care plans are required to standardize HIPAA transactions.
IAM solution:
Identity Management: Provisioning/de-provisioning of access, RBAC enforcement, and approval workflow process
Access Management: Centralized authentication, SSO implementation, step-up authentication on critical applications, authorization
Privilege Account Management: Enforcing step-up authentication, authorization policies
IAM Auditing: Detective and preventative Segregation of Duties (SoD)

Regulation: PCI DSS (Credit Card Security)
Industries involved: All industries that process payment card transactions
Focal requirements: The security standard for organizations to strengthen payment card security by ensuring point-to-point encryption over the network and ensuring that stored card data remains private and integral.
IAM solution:
Access Management: Centralized authentication
Privilege Account Management: Password management
Identity Management: Identifying users by a single identity, with provisioning and role policies to set access control

Regulation: GLB (Gramm-Leach-Bliley Act)
Industries involved: All financial institutions
Focal requirements: A 1999 mandate ensuring that all financial institutions apply safeguards to customer data. Institutions must publish notices on how data is handled and demonstrate what security enforcements are in place.
IAM solution:
Access Management: Enforce access policies based on roles/privileges
Privilege Identity: Demonstrate the enforced security rules for privileged accounts

Regulation: NERC (North American Electric Reliability Corporation)
Industries involved: Energy/utilities sector
Focal requirements: Access governance. NERC defines the NERC CIP Standards 002-009, which mandate the core technical requirements.
CIP-007-3a, Cyber Security - Systems Security Management, R5 (Account Management): "The Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access."
CIP-003-3, Cyber Security - Security Management Controls, R4 (Information Protection): "The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets."
IAM solution:
Access Management: Centralized authentication, Single Sign-On (SSO)
Identity Management: Role-based enforcement, identity provisioning/de-provisioning
Privilege Identity: Demonstrate the enforced security rules for privileged accounts
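Provisioning/de-provisioning appears in nearly every row above, and the evidence regulators ask for is usually the same: a reconciliation of application accounts against the HR roster, with the leftovers explained. The script below is an added example, not code from the original post or from any IAM product; the HR feed, account export, grace period and dormancy threshold are all constructed for illustration.

```python
"""Added example: de-provisioning reconciliation. Compares an application's
account export against the HR roster and flags accounts that should have been
removed or reviewed. Records and thresholds are constructed for illustration
and do not come from a real HR system or IAM product."""
from __future__ import annotations
from datetime import date

# Constructed HR feed: one record per worker with status and end date.
HR_ROSTER = [
    {"uid": "alice", "status": "active", "end_date": None},
    {"uid": "bob", "status": "terminated", "end_date": date(2016, 7, 1)},
    {"uid": "carol", "status": "active", "end_date": None},
]

# Constructed application account export; last_login may be None.
APP_ACCOUNTS = [
    {"uid": "alice", "enabled": True, "last_login": date(2016, 8, 10)},
    {"uid": "bob", "enabled": True, "last_login": date(2016, 7, 20)},   # used after leaving
    {"uid": "dave", "enabled": True, "last_login": None},               # no HR record at all
    {"uid": "carol", "enabled": True, "last_login": date(2016, 2, 1)},  # dormant
]

TERMINATION_GRACE_DAYS = 1  # assumption: access must be gone within a day of the end date
DORMANCY_DAYS = 90          # assumption: unused accounts are reviewed after 90 days


def reconcile(app_accounts, hr_roster, as_of: date) -> dict[str, list[str]]:
    """Classify enabled accounts into the finding buckets an auditor asks about."""
    hr = {r["uid"]: r for r in hr_roster}
    findings: dict[str, list[str]] = {
        "orphaned": [],                   # account with no HR identity behind it
        "terminated_still_enabled": [],   # leaver whose access outlived the grace period
        "post_termination_activity": [],  # leaver whose account was used after the end date
        "dormant": [],                    # active worker, but the account is unused
    }
    for acct in app_accounts:
        if not acct["enabled"]:
            continue
        uid, last = acct["uid"], acct["last_login"]
        rec = hr.get(uid)
        if rec is None:
            findings["orphaned"].append(uid)
        elif rec["status"] == "terminated":
            if (as_of - rec["end_date"]).days > TERMINATION_GRACE_DAYS:
                findings["terminated_still_enabled"].append(uid)
            if last is not None and last > rec["end_date"]:
                findings["post_termination_activity"].append(uid)
        elif last is None or (as_of - last).days > DORMANCY_DAYS:
            findings["dormant"].append(uid)
    return findings


def attestation_record(findings: dict[str, list[str]], as_of: date, reviewer: str) -> dict:
    """Summarise one run as the evidence record retained for the auditor."""
    total = sum(len(v) for v in findings.values())
    return {
        "as_of": as_of.isoformat(),
        "reviewer": reviewer,
        "open_findings": total,
        "clean": total == 0,
        "detail": {k: sorted(v) for k, v in findings.items() if v},
    }


if __name__ == "__main__":
    run_date = date(2016, 8, 11)
    result = reconcile(APP_ACCOUNTS, HR_ROSTER, run_date)
    print(attestation_record(result, run_date, "example reviewer"))
```

Keeping the attestation record per run, rather than only the raw findings, is what turns a script into evidence: the reviewer, the date and the count are exactly the fields an external auditor samples.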

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel built this blog from scratch, as well as technicalconfessions.com.
Follow Daniel on Twitter: @nervouswiggles
