SlideShare a Scribd company logo

Identity Management and Sarbanes-Oxley Compliance

Alexandre Luna
Alexandre Luna

This document discusses identity management (IdM) and how it relates to the Sarbanes-Oxley Act of 2002. IdM is a business strategy that involves technologies and processes to securely manage relationships with valuable assets. The Sarbanes-Oxley Act established regulations for public company financial reporting and internal controls. IdM can help companies comply with sections 302 and 404 which address management responsibilities and internal controls assessments. The document recommends a solution involving role engineering and an identity management infrastructure to address issues like segregation of duties conflicts.

1 of 29
Download to read offline
1 WE CAN HELP YOU SECURELY MANAGE YOUR RELATIONSHIPS WITH YOUR MOST VALUEABLE ASSETS… IDENTITY MANAGEMENT & SARBANES-OXLEY October 4, 2004 Ehab Dawoud Director, Advisory Practice !"#
2 Table of Contents • Identity Management • Value of Identity Management • Sarbanes Oxley $ Overview $ Section 302 $ Section 404 • Control Objectives of Sarbanes Oxley • The Issue • The Recommended Solution 2 !"# !"#
3 IdM Identity Management is not a turnkey solution – it is a business strategy manifested in a comprehensive and evolving solution deployment that must ultimately involve the entire enterprise. IdM is a convergence of technologies and business processes. There is no single approach to IdM because the strategy must reflect specific requirements within the business and technology context of each organization. 3 !"# !"#
4 Identity Management (IdM), its a business strategy affecting the entire organization. The Solution Key Drivers Cost Reduction Increased Security Increased Compliance Enhanced User Experience Centralised Policies Identity Management (IdM), from Delegated Administration %"& 4 !"# !"#
5 How do I manage all of the corporate Timeline - 2001 user’s identity and credentials across the enterprise application landscape? b2c e-business e-services HR extranet Intranet b2b e-market e-services EMPLOYEE portals places SUPPLIERS knowledge ERP e-services ERP sharing SCM SCM Portal extranet e-market places ERP Knowledge extranet b2c sharing CUSTOMERS BUSINESS e-services PARTNERS b2b e-services e-business e-business knowledge sharing 5 !"# !"#
6 Enterprise Security Enterprise Security ' The strategy for securing information and enabling resources ' The security delivery model for the company ' The security framework that serves the extended enterprise ' Provides a common security services component framework Identity Management ' The source of timely and trustworthy user management ' The place where user information is secured ' The vehicle for user enablement across the enterprise ' The focal point of securing the enterprise information ' The solution to effectively and efficiently be Sarbanes Oxley compliant 6 !"# !"#
What is the IdM value? 7 Key IdM Business Drivers and Objectives – Gartner/PwC Market Study Security $ Secure data and network access $ Increase ability to manage enterprise assets $ Assure authentication across platforms Strategic Regulatory $ Centrally managed environment Operations Management Initiatives Requirements $ Decrease administrative/help desk overhead $ Reduce number of logins/passwords $ Efficiently and effectively support high-turnover, high- Operations growth environments Increased Compliance Security Management $ Sarbanes Oxley $ HIPAA $ FDIC $ Gramm-Leach-Bliley $ Sarbanes-Oxley Business Initiatives $ Support CRM, Portals, SCM, ERP, etc. 7 !"# !"#
What is the IdM value? 8 Key IdM Business Drivers from a Sarbanes Oxley Point of View Short Term $ User access control $ Enterprise role definition $ Segregation of duties $ Delegation of authority $ Adequate methods of de-provisioning user accounts $ Audit trail for system access. Long Term $ Develop consistent, sustainable, reusable method of managing user access controls including: $ Addressing open audit issues $ Internal/external employees, non-employees, contractors, consultants, partners, and vendors $ The entire lifecycle from submission of an application to termination of employment or contract including job transfers 8 !"# !"#
What is the IdM value? 9 According to the Gartner/PwC market study, organizations are targeting identity management for compliance, cost savings, productivity improvement, increased security and increased user satisfaction. Productivity Improvement Lower user administration costs through centralized administrative Cost Savings and functions for multiple platforms: “saved 40 percent in less than one year” Gartner/PwC Market Study Breadth/Depth of IdM 9 !"# !"#
10 Sarbanes-Oxley Act of 2002: Overview Basic requirements of the Act • Management of “publicly traded companies” are required to make an assertion regarding the effectiveness of their internal controls over financial reporting. • The internal controls must be documented and management must be in a position to demonstrate to its auditors and regulators its support for its assertion. • An external auditor will have to attest to management’s assertion and include a report in public filings the results of the attestation. • Management must utilize a framework such as COSO for assessing its controls and making its assertion. Potential Ramifications of Non-Compliance • Violation of Federal law and regulations. • Civil and criminal liability exposure. • Damage to reputation, brand, and/or regulatory relationships. • Diminution in value of the company. 10 !"# !"#
11 Section 302 of Sarbanes Oxley Who • A company’s management, with the participation of the principal executive and financial officer (the certifying officers) What • Certifying officers are responsible for establishing and maintaining internal control over financial reporting. • Certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. 11 !"# !"#
12 Section 302 of Sarbanes Oxley • Any changes in the company’s internal control over financial reporting that have occurred during the most recent fiscal quarter and have materially affected, or are reasonably likely to materially affect, the company’s internal control over financial reporting are disclosed. • When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading. When • Already in effect as of July 2002 12 !"# !"#
13 Section 404 of Sarbanes Oxley Who • Corporate management, executives and participation of the principal executive and financial officer (“management” has not been defined by the PCAOB—Public Company Accounting Oversight Board.) What • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company • A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting • An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether internal control over financial reporting is effective 13 !"# !"#
14 Section 404 of Sarbanes Oxley – Cont’d • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting • A written conclusion by management about the effectiveness of the company’s internal control over financial reporting. • Management is precluded from concluding that the company’s internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year. When • Year-ends beginning on or after 15 November 2004** **Non-accelerated filers (<US $75 million market capitalization) can defer to15 July 2005 14 !"# !"#
15 Control Objectives of Sarbanes Oxley that Identity Management can address 'Procedures exist and are followed to authenticate all users to the system to support the validity of transactions. - Authentication/Authorization 'Procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms - Authentication/Authorization (e.g., regular password changes). 'Procedures exist and are followed to ensure timely action - User Provisioning/De-provisioning relating to requesting, establishing, issuing, suspending and user accounts. 'A control process exists and is followed to periodically review and confirm access rights. - Monitoring of User Access 'Where appropriate, controls exist to ensure that neither party can deny transactions and controls are implemented to - Workflow and monitoring of workflows provide transaction initiation and approval. 15 !"# !"#
16 Control Objectives of Sarbanes Oxley that Identity Management can address 'Controls relating to appropriate segregation of duties over - User Provisioning/Work Flow requesting and granting access to systems and data exist and are followed. 'Access to user-developed systems is restricted to a limited - Authentication/Authorization number of users. 16 !"# !"#
17 How is Sarbanes affecting a company’s technology infrastructure and capabilities • Many companies are putting manual processes & “solutions” in place for first year compliance, which is acceptable. However, automating those processes & solutions for long term effectiveness is “critical”. • Key technology areas impacted within a company include: $ ERP systems $ Network infrastructure $ Directories, Identity provisioning, and access management systems $ Documentation control & monitoring $ Data quality & governance • Understanding the relationship between the Sarbanes-Oxley requirements and the tactical and strategic technology enablers is “critical” for the C suite of these companies. 17 !"# !"#
18 The Issue A potential for a control deficiency to be identified concerning conflicts in segregation of duties within the key applications, and potentially across other financial applications. The lack of user access controls over one or more of these applications can have a pervasive impact over financial processes that lead to a significant deficiency and/or material weakness if not remediated. 18 !"# !"#
19 Root Cause • User retains old Roles and privileges from previous positions • User may inherit Roles from others through delegation of authority • Roles are designed • Users may gain additional access Role specific to applications privileges due to dynamic Roles/groups Role SAP Role • Each application • No global view of user access rights maintains its own list of • Unauthorized sharing of passwords Roles and Access Role Control List Role Seibel Delegation Role • Segregation of duties are implemented on each application Role P individually P Billing P: Permission / Privilege P • Lack of centralized Inheritance Access Control systems Dynamic to enforce security P policies Roles/Groups Role P P Payroll Results Results $ Lack of check for segregation of duties across the enterprise $ Lack of check for segregation of duties across the enterprise $ Lack of enterprise user access control model $ Lack of enterprise user access control model 19 !"# !"#
20 Recommended Solution Design a user access control model and framework that supports key security principles: • Least Privilege: users to operate with minimum set of privileges necessary to do their jobs • Segregation of duties: for particular set of transactions, no single individual be allowed to execute all transaction within the set. • Data Abstraction: • Security policies be independent from data and system specific resources and • Adaptable across various systems Develop a reference architecture for the user access control systems to enforce the defined model Solution = Role Engineering + IdM Infrastructure Solution = Role Engineering + IdM Infrastructure 20 !"# !"#
21 Role Proliferation Many-to-one vs. many-to-many ' Many-to-many relationship: ' Many-to-one relationship: ' Role Permutation of five permissions: (5!) ' Role Permutation: Max of 5 Roles 5x4x3x2x1 = up to 120 unique roles to manage Role Role Role Role Role Role Role Role Role Role P1 P2 P3 P4 P5 P1 P2 P3 P4 P5 5 System permissions 5 System permissions 21 !"# !"#
22 Role Engineering Concepts ' Background information: 1000 end users, 500 permissions ' Issue: How many roles are needed? 1000 End Users Responsibility Oriented Design Factors Process Oriented Roles Roles Responsibility Role Oriented Function of ( Desire for less ( Need for more granular Role administration access Risk ( Responsibility oriented ( Process oriented roles roles ( Results in more roles ( Results in few roles Role: #??? Oriented Process Maintenance ( Lower number of roles ( Higher number of roles Maint. Implication ( Reduced administrative ( Increased administrative maintenance maintenance Risk ( Increased risk, through less ( Decreased risk, through Implication granular permission more granular permission groupings groupings Role Role Role Role Content of ( 10 roles ( 50 roles Role ( Each role has average of ( Each role has average of 10 Actions Resources 50 permissions permissions 22 500 Permissions !"# !"#
23 Solution Concepts •Profile represents a global view of user access rights Map user to profile Map profile to Roles Map Roles to Permissions •Each user can assume one profile at any given session Access Control Model Role P P Access Control System SAP •Each profile can map to Static segregation Role P P of duties multiple Roles •There is a centralized P access control system to Role Role P Seibel enforce security policies Profile P P •Access control systems that monitor segregation of Session Roles Role P P Role Billing duties to include: P P $Static Roles $Dynamic Roles Session $Delegation of P P Role authority Role P Payroll P Dynamic segregation of duties 23 !"# !"#
24 Enterprise Level and System Level View 24 !"# !"#
25 Reference Architecture User Provisioning and Workflow Process Flow Identity Approvers Application Landscape Authorative Portal Source(s) RBAC Security Workflow RBAC Roles Connectors Policy User Relational Users Store Store Database 25 !"# !"#
26 Key Deliverable - Organizational Access Matrix •The Organizational Access Matrix is composed of multiple relationships and provides a central repository for the RBAC design specifications. • User to Process Responsibility • Process to System • User to Profile Organizational Access Matrix • Profile to Role • Process to Task • Task to Permission • Permission to Role 26 !"# !"#
27 Key Task – Role to Profile Mapping Profile to Role Mapping - This sample matrix represents the E P 10 E P 11 E P 12 E P 13 E P 14 E P 15 E P 16 E P 17 E P 18 E P 19 E P 20 E P 21 E P 22 E P 23 E P 24 E P 25 E P 26 E P 27 E P 28 E P 29 EP1 EP2 EP3 EP4 EP5 EP6 EP7 EP8 EP9 alignment of the Role1 Role2 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X previously created Role3 Role4 X X X X X X X X X X X X X X X X X X X X X X Profiles and Roles. Role5 Role6 X X X X X X X X X X X X X X X X X X X X X X - This relationship Role7 Role8 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X defines the underlying Role9 Role10 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X roles that a user will Role11 Role12 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X inherit when assigned Role13 Role14 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X a Profile. Role15 Role16 X X X X X X X X X X X X X X X X X X X X X X X X X X Role17 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Role18 X X X X X X X X X X X X X X Role19 X X X X X X X X X X X X X X Role20 Role21 X X X X X X X X X X X X X X Role22 Role23 X X X X X X X X X X X X X X 27 !"# !"#
28 Conclusion • IdM is an enabling tool to implement a sustained-automated process for: - User Access Control - Segregation of Duties - Delegation of Authority • Most companies have 60-70% of their enterprise role already defined • Limit the number of key application list to 6-8 apps. • Validate and prototype the model for a subset of users. This group of users should include those who are involved with financial transactions. 28 !"# !"#
29 Ehab Dawoud Gretchen Lott edawoud @us.pwc.com Gretchen.l.lott@us.pwc.com 415-498-7333 415-281-4749 Your Worlds Our People 29 !"# © 2002, PricewaterhouseCoopers LLP. All rights reserved. !"# PricewaterhouseCoopers refers to the US firm of PricewaterhouseCoopers LLP and other member firms of the worldwide PricewaterhouseCoopers organization.

Recommended

Ecz Services(2)
Ecz Services(2)Ecz Services(2)
Ecz Services(2)saima10
 
Is pervasive governance_part_of_your_ecm_strategy
Is pervasive governance_part_of_your_ecm_strategyIs pervasive governance_part_of_your_ecm_strategy
Is pervasive governance_part_of_your_ecm_strategyQuestexConf
 
IDM & IAM 2012
IDM & IAM 2012IDM & IAM 2012
IDM & IAM 2012Ariel Evans
 
Credexo IDM
Credexo IDMCredexo IDM
Credexo IDMsiadehghan
 
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16lliu
 
E-commerce Technology for Safe money transaction over the net
E-commerce Technology for Safe money transaction over the netE-commerce Technology for Safe money transaction over the net
E-commerce Technology for Safe money transaction over the netRaman K. Attri
 
Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012MMMTechLaw
 
QualyCloud
QualyCloudQualyCloud
QualyCloudFabrice Heurtaux
 

Recommended

Ecz Services(2)
Ecz Services(2)Ecz Services(2)
Ecz Services(2)saima10
 
Is pervasive governance_part_of_your_ecm_strategy
Is pervasive governance_part_of_your_ecm_strategyIs pervasive governance_part_of_your_ecm_strategy
Is pervasive governance_part_of_your_ecm_strategyQuestexConf
 
IDM & IAM 2012
IDM & IAM 2012IDM & IAM 2012
IDM & IAM 2012Ariel Evans
 
Credexo IDM
Credexo IDMCredexo IDM
Credexo IDMsiadehghan
 
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16
Cisco IT's Journey to Enterprise 2.0 and Beyond - #E2Conf-16lliu
 
E-commerce Technology for Safe money transaction over the net
E-commerce Technology for Safe money transaction over the netE-commerce Technology for Safe money transaction over the net
E-commerce Technology for Safe money transaction over the netRaman K. Attri
 
Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012Financial Technology Market Analysis - March 2012
Financial Technology Market Analysis - March 2012MMMTechLaw
 
QualyCloud
QualyCloudQualyCloud
QualyCloudFabrice Heurtaux
 
Northridge Webinar Share Point 2010 Public Web
Northridge Webinar Share Point 2010 Public WebNorthridge Webinar Share Point 2010 Public Web
Northridge Webinar Share Point 2010 Public Webjfarq
 
Girnar Soft Profile April 2011
Girnar Soft Profile April 2011Girnar Soft Profile April 2011
Girnar Soft Profile April 2011Girnarsoft Pvt Ltd
 
SAS Forum India: Building for Success: The Foundation for Achievable Master D...
SAS Forum India: Building for Success: The Foundation for Achievable Master D...SAS Forum India: Building for Success: The Foundation for Achievable Master D...
SAS Forum India: Building for Success: The Foundation for Achievable Master D...SAS Institute India Pvt. Ltd
 
Adam consulting corporate profile
Adam consulting corporate profileAdam consulting corporate profile
Adam consulting corporate profileShanavas Ameerkannu
 
GirnarSoft Profile
GirnarSoft ProfileGirnarSoft Profile
GirnarSoft ProfileGirnarsoft Pvt Ltd
 
Market Intelligence Solution, Knowledge Partnership
Market Intelligence Solution, Knowledge PartnershipMarket Intelligence Solution, Knowledge Partnership
Market Intelligence Solution, Knowledge PartnershipDeepak Pareek
 
Intro to yakpact fexco prizebond team slideshare
Intro to yakpact fexco prizebond team slideshareIntro to yakpact fexco prizebond team slideshare
Intro to yakpact fexco prizebond team slideshareCormac Murphy
 
Introduction to SOA &amp; its Open Source Framework
Introduction to SOA &amp; its Open Source FrameworkIntroduction to SOA &amp; its Open Source Framework
Introduction to SOA &amp; its Open Source FrameworkThanachart Numnonda
 
GirnarSoft Profile
GirnarSoft ProfileGirnarSoft Profile
GirnarSoft ProfileCharu Kishnani
 
B13 Driving Business Intelligence John Robson
B13 Driving Business Intelligence John RobsonB13 Driving Business Intelligence John Robson
B13 Driving Business Intelligence John RobsonProvoke Solutions
 
Internet on business_print
Internet on business_printInternet on business_print
Internet on business_printFrancis George
 
E intelligence
E intelligenceE intelligence
E intelligenceSumit Sharma
 
Cleverlance Group
Cleverlance GroupCleverlance Group
Cleverlance GroupCleverlance Group
 
Magic finger
Magic fingerMagic finger
Magic fingerInteractive BI Diamond
 
Mindtree's expertise in corporate banking portals.
Mindtree's expertise in corporate banking portals.Mindtree's expertise in corporate banking portals.
Mindtree's expertise in corporate banking portals.Mindtree Ltd.
 
Comodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyComodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyJayHicks
 
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...iCrossing
 
Enabling the Social Enterprise
Enabling the Social EnterpriseEnabling the Social Enterprise
Enabling the Social EnterpriseIMAGINE
 
Company Profile
Company ProfileCompany Profile
Company ProfileVision Effect Technosolutions (Pvt.) Ltd.
 
IDBI Intech Limited
IDBI Intech LimitedIDBI Intech Limited
IDBI Intech LimitedIDBI Intech
 
Brochure final
Brochure finalBrochure final
Brochure finalHappiest Minds Technologies
 
Information Management: Answering Today’s Enterprise Challenge
Information Management: Answering Today’s Enterprise ChallengeInformation Management: Answering Today’s Enterprise Challenge
Information Management: Answering Today’s Enterprise ChallengeBob Rhubart
 

More Related Content

What's hot

Northridge Webinar Share Point 2010 Public Web
Northridge Webinar Share Point 2010 Public WebNorthridge Webinar Share Point 2010 Public Web
Northridge Webinar Share Point 2010 Public Webjfarq
 
Girnar Soft Profile April 2011
Girnar Soft Profile April 2011Girnar Soft Profile April 2011
Girnar Soft Profile April 2011Girnarsoft Pvt Ltd
 
SAS Forum India: Building for Success: The Foundation for Achievable Master D...
SAS Forum India: Building for Success: The Foundation for Achievable Master D...SAS Forum India: Building for Success: The Foundation for Achievable Master D...
SAS Forum India: Building for Success: The Foundation for Achievable Master D...SAS Institute India Pvt. Ltd
 
Adam consulting corporate profile
Adam consulting corporate profileAdam consulting corporate profile
Adam consulting corporate profileShanavas Ameerkannu
 
Market Intelligence Solution, Knowledge Partnership
Market Intelligence Solution, Knowledge PartnershipMarket Intelligence Solution, Knowledge Partnership
Market Intelligence Solution, Knowledge PartnershipDeepak Pareek
 
Intro to yakpact fexco prizebond team slideshare
Intro to yakpact fexco prizebond team slideshareIntro to yakpact fexco prizebond team slideshare
Intro to yakpact fexco prizebond team slideshareCormac Murphy
 
Introduction to SOA &amp; its Open Source Framework
Introduction to SOA &amp; its Open Source FrameworkIntroduction to SOA &amp; its Open Source Framework
Introduction to SOA &amp; its Open Source FrameworkThanachart Numnonda
 
B13 Driving Business Intelligence John Robson
B13 Driving Business Intelligence John RobsonB13 Driving Business Intelligence John Robson
B13 Driving Business Intelligence John RobsonProvoke Solutions
 
Internet on business_print
Internet on business_printInternet on business_print
Internet on business_printFrancis George
 
Mindtree's expertise in corporate banking portals.
Mindtree's expertise in corporate banking portals.Mindtree's expertise in corporate banking portals.
Mindtree's expertise in corporate banking portals.Mindtree Ltd.
 
Comodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyComodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyJayHicks
 
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...iCrossing
 
Enabling the Social Enterprise
Enabling the Social EnterpriseEnabling the Social Enterprise
Enabling the Social EnterpriseIMAGINE
 

What's hot (19)

Northridge Webinar Share Point 2010 Public Web
Northridge Webinar Share Point 2010 Public WebNorthridge Webinar Share Point 2010 Public Web
Northridge Webinar Share Point 2010 Public Web
 
Girnar Soft Profile April 2011
Girnar Soft Profile April 2011Girnar Soft Profile April 2011
Girnar Soft Profile April 2011
 
SAS Forum India: Building for Success: The Foundation for Achievable Master D...
SAS Forum India: Building for Success: The Foundation for Achievable Master D...SAS Forum India: Building for Success: The Foundation for Achievable Master D...
SAS Forum India: Building for Success: The Foundation for Achievable Master D...
 
Adam consulting corporate profile
Adam consulting corporate profileAdam consulting corporate profile
Adam consulting corporate profile
 
GirnarSoft Profile
GirnarSoft ProfileGirnarSoft Profile
GirnarSoft Profile
 
Market Intelligence Solution, Knowledge Partnership
Market Intelligence Solution, Knowledge PartnershipMarket Intelligence Solution, Knowledge Partnership
Market Intelligence Solution, Knowledge Partnership
 
Intro to yakpact fexco prizebond team slideshare
Intro to yakpact fexco prizebond team slideshareIntro to yakpact fexco prizebond team slideshare
Intro to yakpact fexco prizebond team slideshare
 
Introduction to SOA &amp; its Open Source Framework
Introduction to SOA &amp; its Open Source FrameworkIntroduction to SOA &amp; its Open Source Framework
Introduction to SOA &amp; its Open Source Framework
 
GirnarSoft Profile
GirnarSoft ProfileGirnarSoft Profile
GirnarSoft Profile
 
B13 Driving Business Intelligence John Robson
B13 Driving Business Intelligence John RobsonB13 Driving Business Intelligence John Robson
B13 Driving Business Intelligence John Robson
 
Internet on business_print
Internet on business_printInternet on business_print
Internet on business_print
 
E intelligence
E intelligenceE intelligence
E intelligence
 
Cleverlance Group
Cleverlance GroupCleverlance Group
Cleverlance Group
 
Magic finger
Magic fingerMagic finger
Magic finger
 
Mindtree's expertise in corporate banking portals.
Mindtree's expertise in corporate banking portals.Mindtree's expertise in corporate banking portals.
Mindtree's expertise in corporate banking portals.
 
Comodo Overview Presentation Read Only
Comodo Overview Presentation Read OnlyComodo Overview Presentation Read Only
Comodo Overview Presentation Read Only
 
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
How DMPs Make Connectedness More Personal - An iCrossing Webinar Featuring Fo...
 
Enabling the Social Enterprise
Enabling the Social EnterpriseEnabling the Social Enterprise
Enabling the Social Enterprise
 
Company Profile
Company ProfileCompany Profile
Company Profile
 

Similar to Identity Management and Sarbanes-Oxley Compliance

IDBI Intech Limited
IDBI Intech LimitedIDBI Intech Limited
IDBI Intech LimitedIDBI Intech
 
Information Management: Answering Today’s Enterprise Challenge
Information Management: Answering Today’s Enterprise ChallengeInformation Management: Answering Today’s Enterprise Challenge
Information Management: Answering Today’s Enterprise ChallengeBob Rhubart
 
2009 Intellinet Overview
2009 Intellinet Overview2009 Intellinet Overview
2009 Intellinet OverviewMark Seeley
 
Intellinet Overview 2009
Intellinet Overview 2009Intellinet Overview 2009
Intellinet Overview 2009mclevenger
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management StrategyNetIQ
 
Manthan biim services and solutions
Manthan biim services and solutionsManthan biim services and solutions
Manthan biim services and solutionsJaikumar Karuppannan
 
Da Vinci Performance Management 4 13 09
Da Vinci Performance Management 4 13 09Da Vinci Performance Management 4 13 09
Da Vinci Performance Management 4 13 09dougulrich
 
Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0John Bernhard
 
Fayol Principles Applied To TCS
Fayol Principles Applied To TCSFayol Principles Applied To TCS
Fayol Principles Applied To TCSdeepudost
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditBob Rhubart
 

Similar to Identity Management and Sarbanes-Oxley Compliance (20)

IDBI Intech Limited
IDBI Intech LimitedIDBI Intech Limited
IDBI Intech Limited
 
Brochure final
Brochure finalBrochure final
Brochure final
 
Information Management: Answering Today’s Enterprise Challenge
Information Management: Answering Today’s Enterprise ChallengeInformation Management: Answering Today’s Enterprise Challenge
Information Management: Answering Today’s Enterprise Challenge
 
Bi Risk Services
Bi Risk ServicesBi Risk Services
Bi Risk Services
 
Bi Risk Services
Bi Risk ServicesBi Risk Services
Bi Risk Services
 
E biz blueprint
E biz blueprintE biz blueprint
E biz blueprint
 
Enterprise Services Solutions
Enterprise Services SolutionsEnterprise Services Solutions
Enterprise Services Solutions
 
Bi risk services 2013
Bi risk services 2013Bi risk services 2013
Bi risk services 2013
 
Bi risk services 2013
Bi risk services 2013Bi risk services 2013
Bi risk services 2013
 
Bi risk services 2013
Bi risk services 2013Bi risk services 2013
Bi risk services 2013
 
2009 Intellinet Overview
2009 Intellinet Overview2009 Intellinet Overview
2009 Intellinet Overview
 
Bi risk services 2013
Bi risk services 2013Bi risk services 2013
Bi risk services 2013
 
Bi risk services 2013
Bi risk services 2013Bi risk services 2013
Bi risk services 2013
 
Intellinet Overview 2009
Intellinet Overview 2009Intellinet Overview 2009
Intellinet Overview 2009
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
 
Manthan biim services and solutions
Manthan biim services and solutionsManthan biim services and solutions
Manthan biim services and solutions
 
Da Vinci Performance Management 4 13 09
Da Vinci Performance Management 4 13 09Da Vinci Performance Management 4 13 09
Da Vinci Performance Management 4 13 09
 
Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0
 
Fayol Principles Applied To TCS
Fayol Principles Applied To TCSFayol Principles Applied To TCS
Fayol Principles Applied To TCS
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to audit
 

Identity Management and Sarbanes-Oxley Compliance

  • 1. 1 WE CAN HELP YOU SECURELY MANAGE YOUR RELATIONSHIPS WITH YOUR MOST VALUEABLE ASSETS… IDENTITY MANAGEMENT & SARBANES-OXLEY October 4, 2004 Ehab Dawoud Director, Advisory Practice !"#
  • 2. 2 Table of Contents • Identity Management • Value of Identity Management • Sarbanes Oxley $ Overview $ Section 302 $ Section 404 • Control Objectives of Sarbanes Oxley • The Issue • The Recommended Solution 2 !"# !"#
  • 3. 3 IdM Identity Management is not a turnkey solution – it is a business strategy manifested in a comprehensive and evolving solution deployment that must ultimately involve the entire enterprise. IdM is a convergence of technologies and business processes. There is no single approach to IdM because the strategy must reflect specific requirements within the business and technology context of each organization. 3 !"# !"#
  • 4. 4 Identity Management (IdM), its a business strategy affecting the entire organization. The Solution Key Drivers Cost Reduction Increased Security Increased Compliance Enhanced User Experience Centralised Policies Identity Management (IdM), from Delegated Administration %"& 4 !"# !"#
  • 5. 5 How do I manage all of the corporate Timeline - 2001 user’s identity and credentials across the enterprise application landscape? b2c e-business e-services HR extranet Intranet b2b e-market e-services EMPLOYEE portals places SUPPLIERS knowledge ERP e-services ERP sharing SCM SCM Portal extranet e-market places ERP Knowledge extranet b2c sharing CUSTOMERS BUSINESS e-services PARTNERS b2b e-services e-business e-business knowledge sharing 5 !"# !"#
  • 6. 6 Enterprise Security Enterprise Security ' The strategy for securing information and enabling resources ' The security delivery model for the company ' The security framework that serves the extended enterprise ' Provides a common security services component framework Identity Management ' The source of timely and trustworthy user management ' The place where user information is secured ' The vehicle for user enablement across the enterprise ' The focal point of securing the enterprise information ' The solution to effectively and efficiently be Sarbanes Oxley compliant 6 !"# !"#
  • 7. What is the IdM value? 7 Key IdM Business Drivers and Objectives – Gartner/PwC Market Study Security $ Secure data and network access $ Increase ability to manage enterprise assets $ Assure authentication across platforms Strategic Regulatory $ Centrally managed environment Operations Management Initiatives Requirements $ Decrease administrative/help desk overhead $ Reduce number of logins/passwords $ Efficiently and effectively support high-turnover, high- Operations growth environments Increased Compliance Security Management $ Sarbanes Oxley $ HIPAA $ FDIC $ Gramm-Leach-Bliley $ Sarbanes-Oxley Business Initiatives $ Support CRM, Portals, SCM, ERP, etc. 7 !"# !"#
  • 8. What is the IdM value? 8 Key IdM Business Drivers from a Sarbanes Oxley Point of View Short Term $ User access control $ Enterprise role definition $ Segregation of duties $ Delegation of authority $ Adequate methods of de-provisioning user accounts $ Audit trail for system access. Long Term $ Develop consistent, sustainable, reusable method of managing user access controls including: $ Addressing open audit issues $ Internal/external employees, non-employees, contractors, consultants, partners, and vendors $ The entire lifecycle from submission of an application to termination of employment or contract including job transfers 8 !"# !"#
  • 9. What is the IdM value? 9 According to the Gartner/PwC market study, organizations are targeting identity management for compliance, cost savings, productivity improvement, increased security and increased user satisfaction. Productivity Improvement Lower user administration costs through centralized administrative Cost Savings and functions for multiple platforms: “saved 40 percent in less than one year” Gartner/PwC Market Study Breadth/Depth of IdM 9 !"# !"#
  • 10. 10 Sarbanes-Oxley Act of 2002: Overview Basic requirements of the Act • Management of “publicly traded companies” are required to make an assertion regarding the effectiveness of their internal controls over financial reporting. • The internal controls must be documented and management must be in a position to demonstrate to its auditors and regulators its support for its assertion. • An external auditor will have to attest to management’s assertion and include a report in public filings the results of the attestation. • Management must utilize a framework such as COSO for assessing its controls and making its assertion. Potential Ramifications of Non-Compliance • Violation of Federal law and regulations. • Civil and criminal liability exposure. • Damage to reputation, brand, and/or regulatory relationships. • Diminution in value of the company. 10 !"# !"#
  • 11. 11 Section 302 of Sarbanes Oxley Who • A company’s management, with the participation of the principal executive and financial officer (the certifying officers) What • Certifying officers are responsible for establishing and maintaining internal control over financial reporting. • Certifying officers have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. 11 !"# !"#
  • 12. 12 Section 302 of Sarbanes Oxley • Any changes in the company’s internal control over financial reporting that have occurred during the most recent fiscal quarter and have materially affected, or are reasonably likely to materially affect, the company’s internal control over financial reporting are disclosed. • When the reason for a change in internal control over financial reporting is the correction of a material weakness, management has a responsibility to determine whether the reason for the change and the circumstances surrounding that change are material information necessary to make the disclosure about the change not misleading. When • Already in effect as of July 2002 12 !"# !"#
  • 13. 13 Section 404 of Sarbanes Oxley Who • Corporate management, executives and participation of the principal executive and financial officer (“management” has not been defined by the PCAOB—Public Company Accounting Oversight Board.) What • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company • A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting • An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether internal control over financial reporting is effective 13 !"# !"#
  • 14. 14 Section 404 of Sarbanes Oxley – Cont’d • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting • A written conclusion by management about the effectiveness of the company’s internal control over financial reporting. • Management is precluded from concluding that the company’s internal control over financial reporting is effective if there are one or more material weaknesses. In addition, management is required to disclose all material weaknesses that exist as of the end of the most recent fiscal year. When • Year-ends beginning on or after 15 November 2004** **Non-accelerated filers (<US $75 million market capitalization) can defer to15 July 2005 14 !"# !"#
  • 15. 15 Control Objectives of Sarbanes Oxley that Identity Management can address 'Procedures exist and are followed to authenticate all users to the system to support the validity of transactions. - Authentication/Authorization 'Procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms - Authentication/Authorization (e.g., regular password changes). 'Procedures exist and are followed to ensure timely action - User Provisioning/De-provisioning relating to requesting, establishing, issuing, suspending and user accounts. 'A control process exists and is followed to periodically review and confirm access rights. - Monitoring of User Access 'Where appropriate, controls exist to ensure that neither party can deny transactions and controls are implemented to - Workflow and monitoring of workflows provide transaction initiation and approval. 15 !"# !"#
  • 16. 16 Control Objectives of Sarbanes Oxley that Identity Management can address 'Controls relating to appropriate segregation of duties over - User Provisioning/Work Flow requesting and granting access to systems and data exist and are followed. 'Access to user-developed systems is restricted to a limited - Authentication/Authorization number of users. 16 !"# !"#
  • 17. 17 How is Sarbanes affecting a company’s technology infrastructure and capabilities • Many companies are putting manual processes & “solutions” in place for first year compliance, which is acceptable. However, automating those processes & solutions for long term effectiveness is “critical”. • Key technology areas impacted within a company include: $ ERP systems $ Network infrastructure $ Directories, Identity provisioning, and access management systems $ Documentation control & monitoring $ Data quality & governance • Understanding the relationship between the Sarbanes-Oxley requirements and the tactical and strategic technology enablers is “critical” for the C suite of these companies. 17 !"# !"#
  • 18. 18 The Issue A potential for a control deficiency to be identified concerning conflicts in segregation of duties within the key applications, and potentially across other financial applications. The lack of user access controls over one or more of these applications can have a pervasive impact over financial processes that lead to a significant deficiency and/or material weakness if not remediated. 18 !"# !"#
  • 19. 19 Root Cause • User retains old Roles and privileges from previous positions • User may inherit Roles from others through delegation of authority • Roles are designed • Users may gain additional access Role specific to applications privileges due to dynamic Roles/groups Role SAP Role • Each application • No global view of user access rights maintains its own list of • Unauthorized sharing of passwords Roles and Access Role Control List Role Seibel Delegation Role • Segregation of duties are implemented on each application Role P individually P Billing P: Permission / Privilege P • Lack of centralized Inheritance Access Control systems Dynamic to enforce security P policies Roles/Groups Role P P Payroll Results Results $ Lack of check for segregation of duties across the enterprise $ Lack of check for segregation of duties across the enterprise $ Lack of enterprise user access control model $ Lack of enterprise user access control model 19 !"# !"#
  • 20. 20 Recommended Solution Design a user access control model and framework that supports key security principles: • Least Privilege: users to operate with minimum set of privileges necessary to do their jobs • Segregation of duties: for particular set of transactions, no single individual be allowed to execute all transaction within the set. • Data Abstraction: • Security policies be independent from data and system specific resources and • Adaptable across various systems Develop a reference architecture for the user access control systems to enforce the defined model Solution = Role Engineering + IdM Infrastructure Solution = Role Engineering + IdM Infrastructure 20 !"# !"#
  • 21. 21 Role Proliferation Many-to-one vs. many-to-many ' Many-to-many relationship: ' Many-to-one relationship: ' Role Permutation of five permissions: (5!) ' Role Permutation: Max of 5 Roles 5x4x3x2x1 = up to 120 unique roles to manage Role Role Role Role Role Role Role Role Role Role P1 P2 P3 P4 P5 P1 P2 P3 P4 P5 5 System permissions 5 System permissions 21 !"# !"#
  • 22. 22 Role Engineering Concepts ' Background information: 1000 end users, 500 permissions ' Issue: How many roles are needed? 1000 End Users Responsibility Oriented Design Factors Process Oriented Roles Roles Responsibility Role Oriented Function of ( Desire for less ( Need for more granular Role administration access Risk ( Responsibility oriented ( Process oriented roles roles ( Results in more roles ( Results in few roles Role: #??? Oriented Process Maintenance ( Lower number of roles ( Higher number of roles Maint. Implication ( Reduced administrative ( Increased administrative maintenance maintenance Risk ( Increased risk, through less ( Decreased risk, through Implication granular permission more granular permission groupings groupings Role Role Role Role Content of ( 10 roles ( 50 roles Role ( Each role has average of ( Each role has average of 10 Actions Resources 50 permissions permissions 22 500 Permissions !"# !"#
  • 23. 23 Solution Concepts •Profile represents a global view of user access rights Map user to profile Map profile to Roles Map Roles to Permissions •Each user can assume one profile at any given session Access Control Model Role P P Access Control System SAP •Each profile can map to Static segregation Role P P of duties multiple Roles •There is a centralized P access control system to Role Role P Seibel enforce security policies Profile P P •Access control systems that monitor segregation of Session Roles Role P P Role Billing duties to include: P P $Static Roles $Dynamic Roles Session $Delegation of P P Role authority Role P Payroll P Dynamic segregation of duties 23 !"# !"#
  • 24. 24 Enterprise Level and System Level View 24 !"# !"#
  • 25. 25 Reference Architecture User Provisioning and Workflow Process Flow Identity Approvers Application Landscape Authorative Portal Source(s) RBAC Security Workflow RBAC Roles Connectors Policy User Relational Users Store Store Database 25 !"# !"#
  • 26. 26 Key Deliverable - Organizational Access Matrix •The Organizational Access Matrix is composed of multiple relationships and provides a central repository for the RBAC design specifications. • User to Process Responsibility • Process to System • User to Profile Organizational Access Matrix • Profile to Role • Process to Task • Task to Permission • Permission to Role 26 !"# !"#
  • 27. 27 Key Task – Role to Profile Mapping Profile to Role Mapping - This sample matrix represents the E P 10 E P 11 E P 12 E P 13 E P 14 E P 15 E P 16 E P 17 E P 18 E P 19 E P 20 E P 21 E P 22 E P 23 E P 24 E P 25 E P 26 E P 27 E P 28 E P 29 EP1 EP2 EP3 EP4 EP5 EP6 EP7 EP8 EP9 alignment of the Role1 Role2 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X previously created Role3 Role4 X X X X X X X X X X X X X X X X X X X X X X Profiles and Roles. Role5 Role6 X X X X X X X X X X X X X X X X X X X X X X - This relationship Role7 Role8 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X defines the underlying Role9 Role10 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X roles that a user will Role11 Role12 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X inherit when assigned Role13 Role14 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X a Profile. Role15 Role16 X X X X X X X X X X X X X X X X X X X X X X X X X X Role17 X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Role18 X X X X X X X X X X X X X X Role19 X X X X X X X X X X X X X X Role20 Role21 X X X X X X X X X X X X X X Role22 Role23 X X X X X X X X X X X X X X 27 !"# !"#
  • 28. 28 Conclusion • IdM is an enabling tool to implement a sustained-automated process for: - User Access Control - Segregation of Duties - Delegation of Authority • Most companies have 60-70% of their enterprise role already defined • Limit the number of key application list to 6-8 apps. • Validate and prototype the model for a subset of users. This group of users should include those who are involved with financial transactions. 28 !"# !"#
  • 29. 29 Ehab Dawoud Gretchen Lott edawoud @us.pwc.com Gretchen.l.lott@us.pwc.com 415-498-7333 415-281-4749 Your Worlds Our People 29 !"# © 2002, PricewaterhouseCoopers LLP. All rights reserved. !"# PricewaterhouseCoopers refers to the US firm of PricewaterhouseCoopers LLP and other member firms of the worldwide PricewaterhouseCoopers organization.