Mission

Assure that only the right people and entities have the right access at the right time to enable the organization to securely reach its goals.

Goals

See IAM Goals.

Responsibilities

| ID | Responsibility | Domain | Category |
|---|---|---|---|
| R01 | Identify the key IAM stakeholders, including but not limited to top management, IT, Security, Compliance, business lines, HR and Procurement. | All | Governance |
| R02 | Embrace Identity and Access Management holistically, covering all IAM domains: Workforce IAM, 3rd Party IAM, Client IAM, Object IAM, Technical IAM or PAM, and Physical Access. | All | Governance |
| R03 | Collect and prioritize IAM requirements from the key IAM stakeholders. | All | Governance |
| R04 | Assess existing IAM capabilities, define a vision, develop a risk-based IAM strategic roadmap aligned with the organization's goals, and obtain top management sponsorship for it, in coordination with the key IAM stakeholders. | All | Governance |
| R05 | Assure that the IAM function and program are supervised by and report to adequate governing bodies. | All | Governance |
| R06 | Demonstrate leadership to execute the IAM strategic roadmap and co-create value with the organization. | All | Governance |
| R07 | Maintain contact and exchange information with relevant authorities, special interest groups and peers. | All | Governance |
| R08 | Design and implement IAM policies that establish clear requirements and accountability across all IAM domains. | All | Governance |
| R09 | Develop an IAM technological roadmap to sustain the organization's digital transformation. | All | Governance |
| R10 | Find, recruit, retain, train and develop IAM talent. | All | Governance |
| R11 | Assure that up-to-date, quality documentation is maintained for IAM records, processes, systems and their architecture. | All | Governance |
| R12 | Design and implement authorization processes that assure the legitimacy and appropriateness of access permissions. | All | Governance |
| R13 | Assure that IAM processes cover the whole information system by dynamically integrating IT Asset Management inventories. | All | Identify |
| R14 | Identify and analyze IAM-related risks in alignment with the organization's risk management framework. | All | Identify |
| R15 | Conduct regulatory and industry watch to identify regulatory, contractual and industry requirements and best practices. | All | Identify |
| R16 | Facilitate and provide evidence for internal and external audits on IAM-related topics, and manage the related findings and recommendations. | All | Identify |
| R17 | Embed IAM requirements by design in the SDLC, project and change management processes. | All | Identify |
| R18 | Effectively implement remediation plans to mitigate IAM-related risks and remediate findings. | All | Protect |
| R19 | Implement and maintain role-based and other access control models consistent with the organizational structure, with due respect for the least privilege principle and its specialized form, the need-to-know principle. | All | Protect |
| R20 | Design, implement, operate and continuously improve IAM controls to efficiently and effectively assure compliance with regulatory, contractual and security requirements. | All | Protect |
| R21 | Design, implement and continuously improve privileged and technical access management processes and capabilities to effectively mitigate the risks of highly privileged access. | PAM/TAM | Protect |
| R22 | Mitigate fraud and accidents by deploying segregation of duties (SoD) and toxic rights controls. | All | Protect |
| R23 | Deploy authentication mechanisms whose robustness is commensurate with risk. | All | Protect |
| R24 | Remove anomalous identities, including orphaned accounts, and anomalous access permissions from the information system. | All | Protect |
| R25 | Implement an efficient off-boarding process that effectively mitigates the risk of unauthorized access by former employees. | Workforce IAM | Protect |
| R26 | Add item: Federation with 3rd parties | 3rd Party IAM | Protect |
| R27 | Add item: Recertification | Workforce IAM | Protect |
| R28 | Add item: Home office and remote access | Workforce IAM, 3rd Party IAM, PAM/TAM | Protect |
| R29 | Add item: Identity proofing | All | Protect |
| R30 | Add item: Password and secrets management | All | Protect |
| R31 | Reconcile systems with authorizations to identify and act upon anomalous identities and accesses. | All | Detect |
| R32 | Assure adequate traceability in IAM processes to fulfil compliance and security requirements. | All | Detect |
| R33 | In coordination with Security Operations, deploy, maintain and continuously improve monitoring and analytics capabilities that detect anomalous authentications and accesses, in order to deter unauthorized access. | All | Detect |
| R34 | Use data analytics to identify and respond to anomalous identities, accesses and behaviors. | All | Detect |
| R35 | In coordination with the CSIRT / Incident Response Team, continuously prepare and improve IAM response capabilities (including SOPs) to effectively contribute to the containment and eradication of security incidents when they occur. | All | Respond |
| R36 | Suspend anomalous identities and revoke their accesses in response to security incidents, in liaison with the CSIRT / Incident Response Team. | All | Respond |
| R37 | Based on reconciliation, investigate the root causes of identity and access anomalies and initiate remediation plans accordingly. | All | Respond |
| R38 | Contribute to contingency planning by leveraging IAM capabilities for recovery from large-scale incidents or disasters. | All | Recover |
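R22, R24, R31 and R37 describe a recurring access review: reconcile what a system actually holds against the HR feed and the authorizations of record, flag orphaned, leaver, unapproved and dormant accounts, and check toxic rights combinations. The script below is an added example, not part of this page or of any IAM product; the HR feed, ERP account export, approved assignments and SoD matrix are constructed, and the field names ("owner", "roles", "last_login") are assumptions. It deliberately evaluates SoD on the union of rights per identity, so a toxic pair split across two accounts of the same person is still caught.

```python
"""Added example: reconcile a target-system account export against the HR feed
and the authorizations of record, then check SoD toxic combinations per identity.
All data is constructed for illustration; field names are assumptions."""
from dataclasses import dataclass
from datetime import date

# Constructed authoritative source (HR feed): identity id -> record
HR = {
    "E100": {"status": "active"},
    "E101": {"status": "terminated", "end": "2024-03-31"},
    "E102": {"status": "active"},
}

# Constructed account export from a target system (an ERP in this example).
# "owner" links the account to an HR identity; None means no linked identity.
ACCOUNTS = [
    {"login": "alice",     "owner": "E100", "roles": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}, "last_login": "2024-06-01"},
    {"login": "bob",       "owner": "E101", "roles": {"GL_POST"},          "last_login": "2024-05-20"},
    {"login": "svc_batch", "owner": None,   "roles": {"GL_POST"},          "last_login": "2024-06-02"},
    {"login": "carol",     "owner": "E102", "roles": {"GL_POST"},          "last_login": "2024-06-02"},
    {"login": "carol_adm", "owner": "E102", "roles": {"ERP_ADMIN"},        "last_login": "2024-06-10"},
    {"login": "dave",      "owner": "E999", "roles": {"AP_CREATE_VENDOR"}, "last_login": "2023-01-04"},
]

# Constructed authorizations of record: what the IAM process actually granted
APPROVED = {
    "alice": {"AP_CREATE_VENDOR"},
    "svc_batch": {"GL_POST"},
    "carol": {"GL_POST"},
    "carol_adm": {"ERP_ADMIN"},
}

# Constructed SoD matrix: entitlement pairs a single identity must never hold
TOXIC_PAIRS = [
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),  # create a vendor and pay it
    frozenset({"GL_POST", "ERP_ADMIN"}),                    # post entries and alter the audit trail
]

DORMANT_DAYS = 90


@dataclass(frozen=True)
class Finding:
    subject: str   # account login or identity id
    kind: str
    detail: str


def reconcile(hr, accounts, approved, as_of):
    """Compare each account with the HR feed and the authorizations of record."""
    findings = []
    for acct in accounts:
        login, owner = acct["login"], acct["owner"]
        if owner is None:
            findings.append(Finding(login, "NO_OWNER", "account not linked to any identity"))
        elif owner not in hr:
            findings.append(Finding(login, "ORPHAN", f"owner {owner} absent from HR feed"))
        elif hr[owner]["status"] != "active":
            findings.append(Finding(login, "LEAVER_ACTIVE",
                                    f"owner {owner} left on {hr[owner].get('end', '?')}"))
        # Rights present on the system but never authorized: a grant made
        # outside the IAM process, or a revocation that never reached the system
        excess = acct["roles"] - approved.get(login, set())
        if excess:
            findings.append(Finding(login, "UNAPPROVED_ROLE", ", ".join(sorted(excess))))
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append(Finding(login, "DORMANT", f"no login for {idle} days"))
    return findings


def sod_violations(accounts, toxic_pairs):
    """Check toxic combinations on the union of rights per identity, so that a
    pair split over two accounts of the same person is still caught.
    Accounts with no owner are evaluated on their own."""
    rights = {}
    for acct in accounts:
        subject = acct["owner"] or acct["login"]
        rights.setdefault(subject, set()).update(acct["roles"])
    return [
        Finding(subject, "SOD", " + ".join(sorted(pair)))
        for subject, held in rights.items()
        for pair in toxic_pairs
        if pair <= held
    ]


def run_review(as_of=date(2024, 6, 30)):
    """Full review for a given cut-off date; returns all findings."""
    return reconcile(HR, ACCOUNTS, APPROVED, as_of) + sod_violations(ACCOUNTS, TOXIC_PAIRS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:15} {f.subject:10} {f.detail}")
```

In this constructed data, carol's two accounts each pass reconciliation on their own, yet her identity E102 is reported for the GL_POST + ERP_ADMIN combination; per-account SoD checks would miss it. The findings feed the remediation and root-cause steps of R24 and R37 (revoke, disable, or trace back to the process that granted the right).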