Mission
Assure that only the right people and entities have the right access at the right time to enable the organization to securely reach its goals.
...
ID | Responsibility | Domain | Category
---|---|---|---
R01 | Identify key IAM stakeholders, including but not limited to top management, IT, Security, Compliance, business lines, HR and Procurement. | All |
R02 | Address Identity and Access Management holistically, covering all IAM domains: Workforce IAM, 3rd Party IAM, Client IAM, Object IAM, Technical IAM or PAM, and Physical Access. | All |
R03 | Collect and prioritize IAM requirements from the key IAM stakeholders. | All |
R04 | Assess existing IAM capabilities, define a vision, develop a risk-based IAM strategic roadmap aligned with the organization's goals, and obtain top management sponsorship for it, in coordination with the key IAM stakeholders. | All |
R05 | Assure that the IAM function and program are supervised by, and report to, adequate governing bodies. | All |
R06 | Demonstrate leadership to execute the IAM strategic roadmap and co-create value with the organization. | All |
R07 | Maintain contact and exchange information with relevant authorities, special interest groups and peers. | All |
R08 | Design and implement IAM policies that establish clear requirements and accountability across all IAM domains. | All |
R09 | Develop an IAM technology roadmap to sustain the organization's digital transformation. | All |
R10 | Find, recruit, retain, train and develop IAM talent. | All |
R11 | Assure that up-to-date, quality documentation is maintained for IAM records, processes, systems and their architecture. | All |
R12 | Design and implement authorization processes that assure the legitimacy and appropriateness of access permissions. | All |
R13 | Assure coverage of IAM processes over the whole information system by dynamically integrating IT Asset Management inventories. | All |
R14 | Identify and analyze IAM-related risks in alignment with the organization's risk management framework. | All |
R15 | Conduct regulatory and industry watch to identify regulatory, contractual and industry requirements and best practices. | All |
R16 | Facilitate and provide evidence for internal and external audits on IAM-related topics, and manage the related findings and recommendations. | All |
R17 | Embed IAM requirements by design in the SDLC, Project and Change Management processes. | All |
R18 | Effectively implement remediation plans to mitigate IAM-related risks and remediate findings. | All |
R19 | Implement and maintain role-based and other access control models consistent with the organizational structure, respecting the least privilege principle and its specialized form, the need-to-know principle. | All |
R20 | Design, implement, operate and continuously improve IAM controls to efficiently and effectively assure compliance with regulatory, contractual and security requirements. | All |
R21 | Design, implement and continuously improve privileged and technical access management processes and capabilities to effectively mitigate high-privileged access risks. | PAM/TAM |
R22 | Mitigate fraud and accidents by deploying Segregation of Duties (SoD) and toxic rights controls. | All |
R23 | Deploy authentication mechanisms whose robustness is commensurate with risk. | All |
R24 | Clean the information system of anomalous identities and access permissions, including orphaned accounts. | All |
R25 | Implement an efficient off-boarding process that effectively mitigates the risk of unauthorized access by former employees. | Workforce IAM |
R26 | | 3rd Party IAM |
R27 | | Workforce IAM |
R28 | | Workforce IAM, 3rd Party IAM, PAM/TAM |
R29 | | All |
R30 | | All |
R31 | Reconcile systems with authorizations to identify and act upon anomalous identities and accesses. | All |
R32 | Assure adequate traceability in IAM processes to fulfill compliance and security requirements. | All |
R33 | In coordination with Security Operations, deploy, maintain and continuously improve monitoring and analytics capabilities to detect anomalous authentications and accesses, and so deter unauthorized access. | All |
R34 | Use data analytics to identify and respond to anomalous identities, accesses and behaviors. | All |
R35 | In coordination with the CSIRT / Incident Response Team, continuously prepare and improve IAM response capabilities (including SOPs) to effectively contribute to the containment and eradication of security incidents when they occur. | All |
R36 | Suspend anomalous identities and revoke their accesses in response to security incidents, in liaison with the CSIRT / Incident Response Team. | All |
R37 | Based on reconciliation, investigate the root causes of identity and access anomalies and initiate remediation plans accordingly. | All |
R38 | Contribute to contingency planning by leveraging IAM capabilities for recovery from large-scale incidents or disasters. | All |
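The reconciliation that R24, R31 and R37 describe (comparing a target system's accounts against the authoritative identity source and the approved authorizations, then flagging what does not line up) is easier to see in code than in a responsibility statement. The following is an added Python example, not code from this page or from any IAM product; the HR feed, the system account export, the approved-authorization map and the SoD rule are all constructed here, and the user IDs, account names and group names are hypothetical.

```python
"""Reconcile a target system's account export against the authoritative
identity source (HR) and the approved authorizations, flagging the anomaly
classes the responsibility matrix refers to (orphaned accounts, former
employees, entitlements without an approval, SoD violations, dormancy).

All data in this file is constructed for the example."""
from datetime import date

# Constructed authoritative identity feed (e.g. an HR export). Hypothetical uids.
HR_FEED = [
    {"uid": "u1001", "status": "active", "dept": "finance"},
    {"uid": "u1002", "status": "active", "dept": "it"},
    {"uid": "u1003", "status": "terminated", "dept": "finance"},
]

# Constructed account export from one target system (e.g. an ERP's local accounts).
SYSTEM_ACCOUNTS = [
    {"account": "jdoe", "owner": "u1001", "groups": {"ap_clerk"}, "last_login": date(2024, 5, 2)},
    {"account": "asmith", "owner": "u1002", "groups": {"sysadmin", "ap_clerk", "ap_approver"}, "last_login": date(2024, 5, 3)},
    {"account": "rlee", "owner": "u1003", "groups": {"ap_clerk"}, "last_login": date(2023, 11, 1)},
    {"account": "svc_batch", "owner": None, "groups": {"sysadmin"}, "last_login": date(2022, 1, 9)},
    {"account": "pmoore", "owner": "u1099", "groups": {"ap_clerk"}, "last_login": date(2024, 4, 30)},
]

# Constructed record of what the authorization process (R12) actually granted:
# owner uid -> approved entitlements on this system.
APPROVED = {
    "u1001": {"ap_clerk"},
    "u1002": {"sysadmin", "ap_clerk"},
}

# Constructed SoD rule set (R22): entitlement combinations that must not coexist.
SOD_RULES = [({"ap_clerk", "ap_approver"}, "create and approve vendor payments")]

# Constructed reconciliation date, so the dormancy check is reproducible.
AS_OF = date(2024, 5, 10)


def reconcile(hr_feed, accounts, approved, sod_rules, today, dormant_days=90):
    """Return {account: [(finding, detail), ...]} for every account with at
    least one anomaly; accounts that reconcile cleanly are omitted."""
    people = {p["uid"]: p for p in hr_feed}
    report = {}
    for acct in accounts:
        findings = []
        owner = people.get(acct["owner"])  # None for a missing or unknown owner
        if owner is None:
            # No identity in the authoritative source: orphaned account (R24).
            findings.append(("orphaned", f"owner {acct['owner']!r} not in HR feed"))
        elif owner["status"] != "active":
            # Identity exists but has left: an off-boarding gap (R25).
            findings.append(("former_employee", f"owner {owner['uid']} is {owner['status']}"))
        else:
            # Effective entitlements with no approved authorization behind them (R31).
            extra = acct["groups"] - approved.get(owner["uid"], set())
            for group in sorted(extra):
                findings.append(("unapproved_entitlement", group))
        # Toxic combinations are checked whatever the owner's state (R22).
        for combo, why in sod_rules:
            if combo <= acct["groups"]:
                findings.append(("sod_violation", why))
        # Dormant accounts are a common symptom behind the anomalies above.
        if (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant", f"last login {acct['last_login'].isoformat()}"))
        if findings:
            report[acct["account"]] = findings
    return report


def run_example():
    """Reconcile the constructed data set; used by the usage below."""
    return reconcile(HR_FEED, SYSTEM_ACCOUNTS, APPROVED, SOD_RULES, today=AS_OF)


if __name__ == "__main__":
    for account, findings in run_example().items():
        for kind, detail in findings:
            print(f"{account:10} {kind:24} {detail}")
```

Each finding maps to a distinct follow-up owner: orphaned and former-employee accounts go to suspension and revocation (R24, R36), unapproved entitlements back to the authorization process (R12), SoD hits to the business line, and every class into root-cause analysis (R37) so the same gap is not recreated at the next reconciliation run. Running the reconciliation per target system against a single identity source is what gives R31 its coverage; the joins are cheap, so the hard part in practice is obtaining a reliable `owner` attribute for every account, which is why R13 ties IAM to the asset inventory.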
...