Head of IAM
Mission
Assure that only the right people and entities have the right access at the right time to enable the organization to securely reach its goals.
Goals
See https://open-measure.atlassian.net/wiki/spaces/GOALS/pages/1442045.
Responsibilities
ID | Responsibility | Domain | Category |
|---|---|---|---|
R01 | Identify key IAM stakeholders including but not limited to: Top Management, IT, Security, Compliance, Business Lines, HR, Procurement. | All | Governance |
R02 | Embrace Identity and Access Management holistically including all IAM domains: Workforce IAM, 3rd Party IAM, Client IAM, Object IAM, Technical IAM or PAM and Physical Access. | All | Governance |
R03 | Collect and prioritize IAM requirements from the key IAM stakeholders. | All | Governance |
R04 | Assess existing IAM capabilities, define a vision and develop a risk-based IAM strategic roadmap aligned with the organization's goals and obtain top management sponsorship for it. This implies coordination with the key IAM stakeholders. | All | Governance |
R05 | Assure that the IAM function and program are supervised by and report to adequate governing bodies. | All | Governance |
R06 | Demonstrate leadership to execute the IAM strategic roadmap and co-create value with the organization. | All | Governance |
R07 | Maintain contact and exchange information with relevant authorities, special interest groups, and peers. | All | Governance |
R08 | Design and implement IAM policies that establishes clear requirements and accountability across all IAM domains | All | Governance |
R09 | Develop an IAM technological roadmap to sustain the organization's digital transformation | All | Governance |
R10 | Find, recruit, retain, train, and develop IAM talents | All | Governance |
R11 | Assure up-to-date quality documentation is maintained in IAM records, processes, systems, and their architecture. | All | Governance |
R12 | Design and implement authorization processes that assure the legitimacy and appropriateness of access permissions | All | Governance |
R13 | Assure coverage of IAM processes over the information system by dynamically integrating IT Asset Management inventories | All | Identify |
R14 | Identify and analyze IAM related risks in alignment with the organization's risk management framework | All | Identify |
R15 | Conduct regulatory and industrial watch to identify regulatory, contractual and industrial requirements and best practices | All | Identify |
R16 | Facilitate and provide evidences for internal and external audits on IAM related topics and manage related findings and recommendations | All | Identify |
R17 | Embed IAM requirements by design in the SDLC, Project, and Change Management processes | All | Identify |
R18 | Effectively implement remediation plans to mitigate IAM related risks and remediate findings | All | Protect |
R19 | Implement and maintain role-based and other access control models in consistency with the organizational structure and due respect for the least privilege and its specialized form the need-to-know principles | All | Protect |
R20 | Design, implement, operate, and continuously improve IAM controls to efficiently and effectively assure compliance with regulatory, contractual and security requirements | All | Protect |
R21 | Design, implement, and continuously improve privileged and technical access management processes and capabilities to effectively mitigate high privileged access risks | PAM/TAM | Protect |
R22 | Mitigate fraud and accidents by deploying SoD and toxic rights controls | All | Protect |
R23 | Deploy authentication mechanisms whose robustness is commensurate with risk | All | Protect |
R24 | Clean the information system from anomalous identities, including orphaned accounts, and access permissions | All | Protect |
R25 | Implement an efficient off-boarding process that effectively mitigates the risk of unauthorized access by former employees | Workforce IAM | Protect |
R26 | Add item: Federation with 3rd parties | 3rd Party IAM | Protect |
R27 | Add item: Recertification | Workforce IAM | Protect |
R28 | Add item: Home office and remote access | Workforce IAM, 3rd Party IAM, PAM/TAM | Protect |
R29 | Add item: Identity proofing | All | Protect |
R30 | Add item: Password and secrets management | All | Protect |
R31 | Reconciliate systems with authorizations to identify and act upon anomalous identities and accesses | All | Detect |
R32 | Assure adequate traceability in IAM processes to fullfill compliance and security requirements | All | Detect |
R33 | In coordination with Security Operations, deploy, maintain, and continuously improve monitoring and analytics capabilities to detect anomalous authentication and accesses to deter unauthorized accesses | All | Detect |
R34 | Use data analytics to identify and respond to anomalous identities, accesses, and behaviors | All | Detect |
R35 | In coordination with the CSIRT / Incident Response Team, continuously prepare and improve IAM response capabilities (including SOPs) to effectively contribute to the containment and eradication of security incidents when they occur | All | Respond |
R36 | Suspend anomalous identities and revoke their accesses in response to security incidents in liaison with the CSIRT / Incident Response Team | All | Respond |
R37 | Based on reconciliation, investigate the root causes of identity and access anomalies and initiate remediation plans accordingly | All | Respond |
R38 | Contribute to contingency planning by leveraging IAM capabilities for the recovery of large scale incidents or disaster | All | Recover |
Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.
