Level up your security: Optimizing your IAM GOvernance
OgundapoAyokunmi
45 views
15 slides
Oct 02, 2024
Slide 1 of 15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
About This Presentation
Improving governance of Identity and Access Management
Slide Content
LEVEL UP YOUR SECURITY: OPTIMIZING IAM GOVERNANCE
SPEAKER’S BIO Ayokunmi Ogundapo Cybersecurity Consultant IAM Experts Ltd
Identity and Access Management Managing the relationship, the security risks and productivity.
Identity Lifecycle & Security Implications Bots/Service Accounts Auditors Employees Contractors Third-party Staff IDENTITIES
Identity and Access Management
Today’s Attacks and What we have learnt Credential Theft & Misuse Verizon DBIR Report 2022: ~50% 2023: ~52% 2024: ~48% Process Breakdown Statista Human Error Too many permissions Crisis of Priority Emphasis on new project rather than optimization Focus on new technology rather than process
Why IAM maturity matters. “Everyone has a plan…until they get punched in the face”
Medibank 2022 Cyber Incident The real cause, the damage, and implications https:// www.upguard.com /breaches/ medibank -data-leak
Could these have been prevented? Yes!
CAPABILITY MATURITY MODEL INTEGRATION (CMMI) MEASURING GROWTH AGAINST BENCHMARK
Maturity Level 1 – Initials Maturity Level 5 – Optimizing Maturity Level 4 – Quantitatively Managed Maturity Level 3 – Defined Maturity Level 2 – Managed Program Effectiveness Repeatability & Sustenance IAM vision, processes, strategy, architecture and governance optimized for maximum business value IAM architecture refined, processes integrated and contribution to business imperatives is high IAM vision and strategy defined and aligned with business, formal processes and governance established Certain business drivers identified, and tactical priorities set with informal roles and processes Ad hoc processes with little awareness or value
Pillars Description Vision & Strategy : Is there a clearly defined, enterprisewide vision and strategy for IAM? Are formal planning mechanisms in place? Organization Is there a program management office (PMO) with a charter to manage the IAM program and its portfolio of projects, applications and products? Are the roles of different constituents (people and organizational functions) well defined and documented, typically in a responsible, accountable, consulted and informed (RACI) matrix ? Is there a personal development program in place to ensure that participants' skills meet program needs? Governance Does IAM have executive sponsorship? Is a formal governance structure in place? Processes What is the formalization, integration, organizational alignment, and so on of the IAM processes? Architecture & Infrastructure Design Is there an IAM architecture and overall infrastructure design? To what degree is this aligned with or embedded within enterprise architecture (EA) Business Value How — and to what degree — does IAM contribute to security efficiency, security effectiveness (including governance, risk and compliance [GRC] management) and business enablement (direct business value)?
BU: business unit; IAM: identity and access management; PMO: program management office; EA: enterprise architecture; RACI: responsible-accountable-consulted-informed; GRC: governance, risk and compliance Developing Optimized Initial Defined Managed 2 5 1 3 4 IAM Program Maturity Level Business Value Architecture and Infrastructure Design Processes Vision and Strategy Organization Conceptual awareness at best Certain business drivers identified; tactical priorities set Business-aligned vision defined; strategic priorities set IAM vision and strategy continually reviewed to track business strategy Periodic optimization of vision and strategy Informal, basic roles, responsibilities decentralized Technical projects sponsored by BUs and CISO; informal inventory of IAM skills IAM PMO established, IAM roles and training needs defined IAM PMO active, RACI matrix defined; proactive skill development Optimal integration with business; skills optimized Ad hoc, informal Semiformal BU-specific and target-specific processes Formal processes defined, consistent across BUs and target systems Formal processes integrated and refined; aligned with business processes Process optimization Possible use of target-specific productivity tools Disjoint technical projects; technology redundancy likely Discrete IAM architecture defined; rationalization and consolidation in hand IAM architecture refined and aligned with EA IAM architecture embedded within EA; optimization None measurable Tactical efficiency and (maybe) effectiveness improvements; low direct value Sustained, quantifiable improvements tied to GRC imperative; moderate direct value Sustained, quantifiable contribution to all key business imperatives; high direct value Business value optimization; transformational direct value Blissful Ignorance Awareness Corrective Operational Excellence Legacy Program Maturity Level Governance Ad hoc, informal Subsumed within InfoSec (and InfoSec governance structures) IAM governance structure defined and accepted IAM governance structure fulfilled and refined IAM governance optimization The Gartner IAM Program Maturity Model
Questions?
Thank you
Tags
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 45
- Slides 15
- Age 424 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
28 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views