Identity and Access Management (IAM) Risk Assessment

Did you know that the majority of information security incidents are initiated by compromised accounts? With the increasing use of cloud solutions, home office, and personal IT equipment, identifying and assessing risks is increasingly complex. Identity and Access Management (IAM) is fundamental to protect enterprises from commercial impact as well as other safety-critical incidents. Together with Cloudworks, a leading provider of Identity Governance services, ORS delivers IAM Risk Assessment.

What is Identity and Access Management Risk Assessment?

Identity Governance provides a structured framework for IAM. A lack of focus on Identity Governance makes companies vulnerable to unauthorized access or loss of sensitive information. In particular, with extensive use of cloud-based services, personal IT equipment, home office as well as social media. Sophisticated security measures and robust firewalls are not sufficient to protect against information security threats in a digitalized world, as identity has become one of the key barriers.

Most companies have multiple applications with remote login possibilities. With poor identity management, former employees or other stakeholders may still have access to sensitive information and intellectual property. In addition, poor Access Management and weak authentication methods increase the risk significantly. Also, giving access to more information than required increases vulnerability for unauthorized access or loss of business-critical data. This may result in significant commercial impact, in the worst-case safety-related consequences.

Together with Cloudworks, ORS Consulting provides IAM Risk Assessments. The IAM Risk Assessment is an integral part of Information Security processes. It provides input to enterprise risk management, regardless of business size and complexity. It is also part of regulatory compliance processes. Such as the protection of personal sensitive data by General Data Protection Regulation (GDPR) Article 32. Or as an integral part of ISO 27001 Information Security Management Activities.

The IAM Risk Assessment is conducted through the following key steps as illustrated below:

• Establish an overview of IT and physical systems that are business critical and/or contain information classified as confidential. In addition, mapping of user groups, roles, and Joiner, Mover, and Leaver (JML) processes;
  

• Risk assessment workshop with key stakeholders. A guideword-based methodology is used to identify threats, evaluate consequences, identify safeguards and risk determination;
  

• Establish an overview of the overall risk picture. Including mapping of risks as acceptable, ALARP, and unacceptable based on the corporate business risk acceptance criteria;
  

• Provide risk reducing measures to eliminate unacceptable risk and reduce overall risk as much as reasonably practicable. This will cover the provision of risk reduction measures. Grouped after criticality and subject areas such as orphaned accounts, abandoned accounts, privileged accounts, unnecessary entitlements, etc.

Please contact us if your organization is interested in support with Identity and Access Management Risk Assessments.