The Assessment Strategy Is Customized to an Agency’s Specifications
The Rapid IAM Strategy Assessment is tailored to an agency's specific needs by selecting from a set of IAM risk areas. The assessment can also be aligned with ISACA's IT Assurance Framework (ITAF), COBIT 5, ISO/IEC 27001/27002, ITIL v3, or NIST standards.
Agencies that receive the assessment choose its scope based on need. The assessment can cover:
- Shadow IT
- Separation of Duties policies and toxic combinations
- Unique identifiers
- Role-based access controls
- Strong authentication/multifactor authentication
- User provisioning, termination and transfer
- Employee or customer user repository
- Privileged account management
- Generic, system and non-human account management
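Several of the risk areas above can be checked mechanically once an agency has an entitlement export and an HR feed. The script below is an added example of that kind of check (it is not Focal Point's tooling). The account data, the HR feed, the role definitions and the Separation of Duties rules are all constructed for illustration; the field names and the specific toxic pairs are assumptions, not any agency's policy. It resolves roles into effective entitlements, evaluates toxic combinations per identity rather than per account (a person holding two accounts can otherwise split a toxic pair and pass a per-account check), and flags orphaned human accounts, unowned non-human accounts and identities with more than one account.

```python
"""Assessor-style checks over a constructed IAM export (added example, not Focal Point's tooling)."""
from collections import defaultdict

# Constructed HR feed: employee ID -> employment status (assumed field names).
HR_FEED = {
    "E100": {"name": "A. Ortiz", "status": "active"},
    "E101": {"name": "B. Chen", "status": "active"},
    "E102": {"name": "C. Diaz", "status": "terminated"},
}

# Constructed RBAC role definitions: role -> entitlements the role grants.
ROLES = {
    "AP_CLERK": {"AP_CREATE_VENDOR", "AP_ENTER_INVOICE"},
    "AP_MANAGER": {"AP_APPROVE_PAYMENT"},
    "DBA": {"DB_ADMIN"},
}

# Constructed directory export: one row per account. employee_id is None for non-human accounts.
ACCOUNTS = [
    {"account": "aortiz", "employee_id": "E100", "type": "human", "enabled": True,
     "roles": {"AP_CLERK", "AP_MANAGER"}, "direct": set(), "owner": None},
    {"account": "bchen", "employee_id": "E101", "type": "human", "enabled": True,
     "roles": {"AP_CLERK"}, "direct": set(), "owner": None},
    {"account": "bchen-adm", "employee_id": "E101", "type": "human", "enabled": True,
     "roles": {"AP_MANAGER"}, "direct": set(), "owner": None},
    {"account": "cdiaz", "employee_id": "E102", "type": "human", "enabled": True,
     "roles": set(), "direct": {"AP_ENTER_INVOICE"}, "owner": None},
    {"account": "svc-backup", "employee_id": None, "type": "service", "enabled": True,
     "roles": set(), "direct": {"DB_ADMIN"}, "owner": None},
    {"account": "svc-etl", "employee_id": None, "type": "service", "enabled": True,
     "roles": set(), "direct": set(), "owner": "E101"},
]

# Assumed SoD policy: entitlement pairs that no single identity may hold together.
TOXIC_PAIRS = [
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}),
]


def effective_entitlements(acct):
    """Resolve role memberships plus direct grants into the account's effective entitlements."""
    ents = set(acct["direct"])
    for role in acct["roles"]:
        ents |= ROLES.get(role, set())
    return ents


def find_toxic_combinations(accounts=ACCOUNTS, pairs=TOXIC_PAIRS, per_identity=True):
    """Return sorted (subject, (ent_a, ent_b)) tuples for every toxic pair held.

    With per_identity=True entitlements are aggregated across all accounts that
    map to the same employee ID, so a pair split over two accounts is still caught.
    With per_identity=False each account is evaluated alone (the weaker check).
    """
    held = defaultdict(set)
    for a in accounts:
        key = (a["employee_id"] or a["account"]) if per_identity else a["account"]
        held[key] |= effective_entitlements(a)
    return sorted((subject, tuple(sorted(pair)))
                  for subject, ents in held.items()
                  for pair in pairs if pair <= ents)


def find_orphaned_accounts(accounts=ACCOUNTS, hr=HR_FEED):
    """Enabled human accounts whose employee is not active in HR (termination/transfer gap)."""
    return sorted(a["account"] for a in accounts
                  if a["enabled"] and a["type"] == "human"
                  and hr.get(a["employee_id"], {}).get("status") != "active")


def find_unowned_nonhuman(accounts=ACCOUNTS):
    """Service, system or generic accounts with no accountable human owner recorded."""
    return sorted(a["account"] for a in accounts if a["type"] != "human" and not a["owner"])


def find_identities_with_multiple_accounts(accounts=ACCOUNTS):
    """Employee IDs bound to more than one account; each needs a documented reason."""
    by_id = defaultdict(list)
    for a in accounts:
        if a["employee_id"]:
            by_id[a["employee_id"]].append(a["account"])
    return {eid: sorted(accts) for eid, accts in by_id.items() if len(accts) > 1}


if __name__ == "__main__":
    print("Toxic combinations (per identity):", find_toxic_combinations())
    print("Toxic combinations (per account): ", find_toxic_combinations(per_identity=False))
    print("Orphaned accounts:", find_orphaned_accounts())
    print("Unowned non-human accounts:", find_unowned_nonhuman())
    print("Identities with multiple accounts:", find_identities_with_multiple_accounts())
```

On the constructed data the per-account check finds only aortiz, while the per-identity check also surfaces B. Chen, who holds the vendor-creation role on one account and the payment-approval role on a second. That gap between the two modes is exactly the kind of finding an interview alone rarely produces, which is why an assessor asks for the raw export rather than a summary of roles.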
How Focal Point Works with Your Team
A major component of this assessment is the interview process, in which Focal Point gathers information on current-state processes, the status of technical debt, and the systems in place to manage identities.
Ultimately, the interviews aim to capture what your agency wants to achieve going forward. Focal Point speaks with a broad range of stakeholders to get this information, including human resources experts, security teams, application owners and business management teams.
The interviews are also meant to help agencies identify gaps in their identity management solutions that pose security risks. To this end, Focal Point may also interview stakeholders in that area, such as risk managers.
Rapid Assessments Provide Security Benefits
The interviews are followed by the assessment results, in which Focal Point reports on the maturity of the IAM program as a whole and presents its observations and recommendations relative to the business outcomes the organization identified. With those points in mind, Focal Point then provides a two-year roadmap for your team.
Because Focal Point is a third party, your agency receives an objective evaluation of its IAM, and because you select the scope of the assessment, you can direct it where it adds the most value. The assessment also measures your IAM against best practices, so the roadmap can incorporate those practices into the program.
Focal Point will also work with you to incorporate compliance mandates, aligning the program with standards such as the Sarbanes-Oxley Act, the EU General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
There has been an effort to interpret and plan around several directives, including:
- Executive Order 14028 – Improving the Nation’s Cybersecurity
- Department of Defense Zero Trust Reference Architecture
- NIST Zero Trust Architecture
- CISA’s Zero Trust Maturity Model
- Office of Management and Budget (OMB) Memorandum M-22-09, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles"
Given the emphasis that M-22-09 places on identity management, agencies are working to understand how investments in identity management will translate into compliance with the Federal priorities for Zero Trust. According to OMB's memorandum, those priorities envision a Federal Government where:
- Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from targeted, sophisticated phishing attacks.
- The devices that Federal staff use are consistently tracked and monitored, and the security posture of those devices is considered when granting access to internal resources.
- Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
The memorandum notes that this strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication.
Identity management is a key part of a zero-trust security posture, which more and more organizations are embracing alongside the rapid adoption of cloud computing. In an age of remote work and dispersed teams, a strong IAM program is imperative.
With a distributed workforce and distributed data, much of which now lives in the cloud, the traditional network perimeter no longer marks a meaningful security boundary, and agencies must adapt their identity controls accordingly.