Requirements
An international assurance company based in the UK decides to implement an Identity and Access Management solution to meet clearly defined business requirements and improve its control capability.
Objectives
- Using ISO/IEC 27002 best practice (Access Control and Operations Security domains), design strategies and supporting processes for the management of privileged, shared and generic accounts.
- Assess, review and prioritise candidate applications for integration with CyberArk to manage password assignment and revocation for privileged/shared accounts and to monitor privileged sessions.
- Ensure compliance with the company IR&P security policy, driving remediation plans to close audit control failures where necessary.
- Work with business system owners, IT support owners, SMEs and user access owners.
Assessment Steps
- Meeting with the Application Manager to complete the questionnaire (general questions about the application not related to specific security policy objectives, such as ownership, criticality of data and systems, and the technology used):
  - Description of the business requirements
  - Application context and component description
  - Technology used
  - Access control
  - Authentication
  - Authorization
  - Types of privileged users
- Assessment document containing:
  - Questionnaire results
  - List of potential risks
  - List of privileged users (IT support, administrators, security manager)
- Second interview with the Application Manager:
  - Discuss the results
  - Propose countermeasures and discuss their implementation cost
  - Implement separation of duties for privileged users
List of deliverables
- Questionnaires focused on access control, data privacy, entitlements, separation of duties and password control.
- Assessment results with the list of privileged accounts and roles.
- Analysis of the vulnerabilities and risks, with a list of recommendations and an estimate of the costs/effort.