How can your Identity and Access Management (IAM) help meet regulatory compliance?
Blog Created: Aug 11, 2016
Last Updated: Sep 7, 2019
Within any sector, only a small subset of employees in an organization truly understand their industry's standards and compliance requirements, and how the Identity and Access Management (IAM) space helps the company satisfy regulators and become compliant.
The typical candidates are your CCO and other C-level executives, the legal department, the GRC/audit team, project sponsors, and your trusted partners. Undoubtedly there are exceptions; Janet from HR and that bearded DBA who loves tuna sandwiches are often the exceptions.
Generally speaking, though, it is the negligence of an individual that causes non-compliance and may subsequently cause severe consequences to the business (a fine, loss of license, or damaged credibility) or to the individual (a fine or even jail time). (Sh*t gets real when you're sharing a cell with someone doing time on a felony charge and you're in there for not meeting regulatory compliance!...)
Furthermore, if business support does not trickle down from the corporate hierarchy, how can anyone take personal responsibility? The common phrase, "compliance is everyone's responsibility, but executives are ultimately responsible", is often redundant and quite simply a buzz-phrase if the definition of responsibility is not understood correctly.
Regardless of the specific regulatory enforcement in an industry, the majority of compliance is driven by past events. SOX was legislated because of accounting infringements by companies such as Enron, NERC was largely driven by the New York blackout of 1977, and HIPAA was introduced because the Clinton administration realized that personal health information could be distributed
Your IAM Roadmap solution
So how can you implement an IAM roadmap to help meet your regulatory obligations? After all, your Identity and Access Management solution is only a technical tool available to help meet compliance, not the solution to compliance itself. Compliance is not so much about securing processes and technologies as about being able to demonstrate to regulators that the business processes and technologies meet the regulatory requirements. So, in terms of past events, your Identity and Access Management solution can simplify the complexities by demonstrating that the principle of least privilege and segregation of duties are implemented for your employees within your industry.
Regulation-IAM in a nutshell
Below is a matrix highlighting each of the major regulations and the respective focal requirements where your Identity and Access Management solution comes into play. Enjoy!

| Regulation | Industries Involved | Focal Requirements | IAM Solution |
|---|---|---|---|
| SOX | Banking, Financials, Insurance | SOX Section 302 (Corporate Responsibility for Financial Reports): the company must take responsibility and demonstrate adequate safeguards to ensure that financial reports retain their integrity. SOX Section 404 (Management Assessment of Internal Controls): annual reports must also include an internal control report stating that business management is responsible for assessing internal access. Any failings or conflicts of interest in access must be reported and mitigated to an adequate level. Furthermore, external auditors must be able to verify the accuracy of the attestation of the internal accounting controls as well as the operational processes. | Identity Management: account provisioning/de-provisioning, RBAC enforcement, and approval workflow process. Access Management: centralized authentication, SSO implementation, step-up authentication on critical applications, authorization. Privileged Account Management: enforcing step-up authentication and authorization policies. IAM Auditing: detective and preventative Segregation of Duties (SoD). |
| HIPAA | Healthcare | Federally enforced, ensuring confidentiality and privacy during the transfer of personal health information, and governing the allocation and use of access rights so that doctors can give patients their full attention without personal hindrance. Title II, Privacy Rule: addresses the saving, accessing and sharing of any individual's medical and personal information. Title II, Security Rule: outlines the security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI). Title II, Transactions and Code Sets Rule: all HIPAA health care plans are required to standardize HIPAA transactions. Title II, Unique Identifiers Rule: all HIPAA health care plans are required to standardize HIPAA transactions. | Identity Management: provisioning/de-provisioning of access, RBAC enforcement, and approval workflow process. Access Management: centralized authentication, SSO implementation, step-up authentication on critical applications, authorization. Privileged Account Management: enforcing step-up authentication and authorization policies. IAM Auditing: detective and preventative Segregation of Duties (SoD). |
| PCI DSS (Credit Card Security) | All industries that process payment card transactions | Security standards for organizations to enhance their credit card security by ensuring point-to-point encryption over the network and ensuring that stored credit card data remains private and its integrity intact. | Access Management: centralized authentication. Privileged Account Management: password management. Identity Management: identifying users based on a single identity, provisioning, and role policies to set access control. |
| GLB (Gramm-Leach-Bliley Act) | All financial institutions | Focus: a 1999 mandate ensuring that all financial institutions apply safeguards on customer data. Institutions publish notifications on how data is handled and demonstrate what security enforcements are in place. | Access Management: enforce access policies based on roles/privileges. Privileged Identity: demonstrate the enforced security rules for privileged accounts. |
| NERC (North American Electric Reliability Corporation) | Energy/Utilities sector | Focus: access governance. NERC outlines the NERC CIP Standards 002-009, which mandate the core technical requirements. CIP-007-3a (Cyber Security: Systems Security Management), R5 (Account Management): the Responsible Entity shall establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. CIP-003-3 (Cyber Security: Security Management Controls), R4 (Information Protection): the Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. | Access Management: centralized authentication, Single Sign-On (SSO). Identity Management: role-based enforcement, identity provisioning/de-provisioning. Privileged Identity: demonstrate the enforced security rules for privileged accounts. |
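As an added illustration (not code from the original post or any IAM product), here is what the detective and preventative Segregation of Duties checks named in the IAM Auditing cells look like in practice: a periodic review that lists users already holding a conflicting role pair, and a provisioning-time check that blocks a request before the conflict is created. The role names, conflict rules and user assignments are constructed sample data.

```python
"""Detective and preventative segregation-of-duties (SoD) checks over role assignments.

Constructed example: the rule set, role names and user-to-role assignments below are
sample data, not taken from any real IAM product or from the regulations in the table."""

# Toxic role pairs an auditor would flag, tagged with the control they evidence.
# Constructed examples; a real rule set comes from the finance/GRC control matrix.
SOD_RULES = [
    ("vendor_create", "payment_approve", "SOX 404: creates vendors and approves payments"),
    ("journal_post", "journal_approve", "SOX 302: posts and approves own journal entries"),
]

# Constructed sample of current user-to-role assignments (as exported from an IdM).
ASSIGNMENTS = {
    "alice": {"vendor_create", "payment_approve"},
    "bob": {"journal_post"},
    "carol": {"journal_post", "journal_approve", "vendor_create"},
    "dave": {"readonly_reports"},
}


def conflicts_for(roles, rules):
    """Return the (role_a, role_b, reason) rules that a given role set violates."""
    return [(a, b, why) for a, b, why in rules if a in roles and b in roles]


def detect_violations(assignments, rules):
    """Detective control: periodic review listing every user who already holds a toxic pair.
    This list is the evidence an auditor asks for when attesting internal access controls."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for a, b, why in conflicts_for(roles, rules):
            findings.append({"user": user, "roles": (a, b), "reason": why})
    return findings


def check_request(user, requested_role, assignments, rules):
    """Preventative control: evaluated in the approval workflow before a role is granted.
    Returns the conflicts the grant would introduce; an empty list means it may proceed."""
    proposed = set(assignments.get(user, set())) | {requested_role}
    # Only report conflicts involving the new role; pre-existing ones are the
    # detective control's job, not a reason to block an unrelated request.
    return [c for c in conflicts_for(proposed, rules) if requested_role in c[:2]]


if __name__ == "__main__":
    for f in detect_violations(ASSIGNMENTS, SOD_RULES):
        print(f"VIOLATION {f['user']}: {f['roles'][0]} + {f['roles'][1]} ({f['reason']})")
    blocked = check_request("bob", "journal_approve", ASSIGNMENTS, SOD_RULES)
    print("bob -> journal_approve:", "BLOCKED" if blocked else "OK")
```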