Identity Access Management & Governance

Define Processes, Policies and Standards

Define Standards/Policies/Processes

The following are general findings and recommendations for detailing the policies and standards for a company's IAM program.

  1. Defining the Policies and Processes
    1. Set expectations for employees, contractors, students and other resources
      1. Clarity on who has what role
        1. Who reports to whom and what entitlements should be given
      2. Flexible to accommodate location, department and other differences without interrupting daily business operations
      3. Incorporate compliance concerns in standards
      4. Allow exceptions
        1. Justify the exception
        2. Exceptions should be out of the norm rather than the commonplace default they are today
  2. Standards
    1. Least Privilege
      1. The principle of least privilege has been described as essential for meeting integrity objectives. It requires that a user be given the least amount of privilege necessary to perform a job. Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more.
    2. Role Based Access Control (RBAC)
      1. RBAC mechanisms can be used by a system administrator to enforce a policy of separation of duties. Separation of duties is valuable in deterring fraud, since fraud becomes possible when a single person holds a combination of job-related capabilities that creates the opportunity. Separation of duties requires that, for particular sets of transactions, no single individual be allowed to execute all transactions within the set.
    3. Business Specific Security Standards
      1. HIPAA, HITECH, FERPA, PII, etc.
    4. Privacy Act
    5. Records Management Act
    6. Bring your own device (BYOD) - Mobile Devices
      1. NIST SP 1800-1 (Healthcare)
      2. NIST SP 1800-4 (General)
      3. NIST SP 1800-9 (Financial)
      4. NIST SP 1800-13 (First Responders)
    7. General Security Standards
      1. ISO/IEC 27001 and related standards (27002, and so on)
      2. ISO/IEC 15048
      3. NIST SP 500/800/1800 series
      4. NIST SP 1800-12 Personal Identity Verification (PIV)
    8. Business/Technical Role Definition
      1. Attribute definition
      2. Attribute hierarchy
      3. Guidelines: NIST SP 1800-3
      4. Privacy Act
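The least-privilege and separation-of-duties standards in items 2.1 and 2.2 above, as an added Python example that is not part of the original document: a minimal RBAC model in which a user's effective permissions are the union of their roles, and a conflicting transaction set is violated when one person could execute every transaction in it. Role names, permissions, users and the conflicting sets are constructed sample data.

```python
# Added example, not from the original outline: RBAC with separation-of-duties
# (SoD) checks and a least-privilege review. All names below are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RbacPolicy:
    role_perms: dict[str, set[str]] = field(default_factory=dict)  # role -> permissions
    user_roles: dict[str, set[str]] = field(default_factory=dict)  # user -> roles
    sod_sets: list[set[str]] = field(default_factory=list)         # conflicting transaction sets

    def permissions_of(self, user: str) -> set[str]:
        """Effective permissions: the union over every role assigned to the user."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms.get(r, set()) for r in roles))

    def sod_violations(self, user: str) -> list[set[str]]:
        """Detective check: every SoD set this single user could execute in full."""
        perms = self.permissions_of(user)
        return [s for s in self.sod_sets if s <= perms]

    def can_assign(self, user: str, role: str) -> bool:
        """Preventive check: refuse a role assignment that would complete a SoD set."""
        trial = self.permissions_of(user) | self.role_perms.get(role, set())
        return not any(s <= trial for s in self.sod_sets)

    def unused_permissions(self, user: str, used: set[str]) -> set[str]:
        """Least-privilege review: permissions held but not needed for the job."""
        return self.permissions_of(user) - used


def sample_policy() -> RbacPolicy:
    """Constructed accounts-payable policy: creating a vendor and releasing its
    payment, or entering and approving an invoice, must never sit with one person."""
    p = RbacPolicy()
    p.role_perms = {
        "ap_clerk": {"vendor.create", "invoice.enter"},
        "ap_approver": {"invoice.approve", "payment.release"},
        "auditor": {"ledger.read"},
    }
    p.user_roles = {"alice": {"ap_clerk"}, "bob": {"ap_approver", "auditor"}}
    p.sod_sets = [{"vendor.create", "payment.release"}, {"invoice.enter", "invoice.approve"}]
    return p


if __name__ == "__main__":
    policy = sample_policy()
    print("alice + ap_approver allowed?", policy.can_assign("alice", "ap_approver"))  # False
    print("bob unused:", policy.unused_permissions("bob", {"invoice.approve", "payment.release"}))
```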
IAM Governance Processes, Policies and Standards