The following are general findings and recommendations for detailing the policies and standards for a company's IAM program.
- Defining the Policies and Processes
- Set expectations for employees, contractors, students and other resources
- Clarity on who has what role
- Who reports to whom and what entitlements should be given
- Flexible to accommodate location, department and other differences without interrupting daily business operations
- Incorporate compliance concerns in standards
- Allow exceptions
- Justify the exception
- Out of norm for exceptions instead of current status of common place
- Least Privilege
- The principle of least privilege has been described as essential for meeting integrity objectives. It requires
a user be given the least amount of privileges necessary to perform a job. Ensuring least privilege requires identifying what the user's job is,
determining the minimum set privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more.
- Role Based Access Control (RBAC)
- RBAC mechanisms can be used by a system administrator in enforcing a policy of separation of duties. Segregation of duties is valuable in deterring fraud since fraud can occur if an opportunity exists between various job-related capabilities.
Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set.
- Business Specific Security Standards
- HIPAA, HITECH, FERPA, PII, etc.
- Privacy Act
- Records Management Act
- Bring your own device (BYOD) - Mobile Devices
- NIST SP 1800 – 1 (Healthcare)
- NIST SP 1800 - 4 (General)
- NIST SP 1800 - 9 (Financial)
- NIST SP 1800 - 13 (First Responders)
- General Security Standards
- IEC/ISO 27001-X (27002, and so on)
- IEC/ISO 15048
- NIST SP 500/800/1800
- NIST SP 1800 - 12 Personal Identity Verification (PIV)
- Business/Technical Role Definition
- Attribute definition
- Attribute hierarchy
- Guidelines NIST SP 1800 – 3
- Privacy Act