CIS13: How IAM Improved Sallie Mae's Compliance and Risk Posture
Transcript of CIS13: How IAM Improved Sallie Mae's Compliance and Risk Posture
Page 1
FINANCIAL SERVICES CASE STUDY: Improving Compliance & Risk Posture With Next-gen IAM
Speaker: Jennifer Darwin, Manager of IAM, Corporate Information Security
CLOUD IDENTITY SUMMIT JULY 2013
Page 2
ABOUT SALLIE MAE
▶ The nation’s #1 financial services company specializing in education
▶ Over 10 million student and parent customers, more than 9,000 employees and 2,000 contractors
▶ Manages $207 billion in education loans & 529 college-savings plans
▶ The company’s saving programs, planning resources and financing options have helped more than 31 million people make the investment in higher education
Page 3
KEY BUSINESS DRIVERS
▶ Comply With Major Regulations
– FISMA, SOX, GLBA, PCI and SAS-70s (Sallie Mae)
– FFIEC and State of Utah (Sallie Mae Bank)
– SEC, FINRA & FTC (Upromise Rewards and Investments)
▶ Enhance Efficiencies Through Automated Provisioning
– Some relatively high-turnover functions create demand for more rapid SLAs
– Restructuring creates short-term demand
– New business initiatives require a rapid but controlled response
▶ Reduce Operational Risk
– Eliminate redundant, sub-optimal processes and centralize controls in one place across the enterprise
– Prevent/detect fraud: manual processes and hand-offs make security policy enforcement challenging
Page 4
PROJECT STRATEGY
▶ Increase efficiency through Automation
▶ Improve effectiveness through process Optimization
▶ Improve Quality of compliance activities
(Diagram of systems in scope: Ariba, ADP, Workday, Databases, Mainframe, Exchange, AD, App 1, App 2, App 3, Etc.)
Page 5
PROJECT OVERVIEW
(Diagram: Compliance Management and Access Management span the components below)
Identities: Employee, Customer, Business Partner
HR & Other Authoritative Sources
Business Events
Enterprise Roles: Business Role, made up of IT Roles, made up of Entitlements
User Provisioning
Apps & Users
Copyright ©2010 by Deloitte
Page 6
PROJECT OVERVIEW: IMPLEMENT ROLE-BASED ACCESS
(Same project overview diagram as page 5, with the Enterprise Roles component highlighted.)
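The role hierarchy this slide highlights (Business Role, built from IT Roles, built from Entitlements, fed by HR as the authoritative source) can be made concrete in a few dozen lines. The following Python is an added example written for this page, not code from Sallie Mae, Deloitte or the deck; every role name, entitlement string, job code, HR record and segregation-of-duty rule in it is constructed. It derives a user's target entitlements from their HR job code, diffs that against what the applications currently grant, flags segregation-of-duty conflicts, and lists the out-of-role entitlements a manager would have to certify.

```python
"""Role-based provisioning model: Business Role -> IT Roles -> Entitlements.

Added example for this page; not code from Sallie Mae, Deloitte or the deck.
All names, entitlements, job codes and HR records below are constructed.
"""

# IT role -> entitlements it bundles in target applications (constructed values,
# written as "<application>:<entitlement>").
IT_ROLES = {
    "ad-base": {"ad:GRP_AllStaff", "exchange:mailbox"},
    "loan-servicing-user": {"ad:GRP_Servicing", "mainframe:LOAN_READ"},
    "loan-servicing-approver": {"mainframe:LOAN_APPROVE"},
    "payments-clerk": {"mainframe:PAYMENT_POST"},
}

# Enterprise (business) role -> IT roles it is composed of (constructed).
BUSINESS_ROLES = {
    "Servicing Associate": {"ad-base", "loan-servicing-user"},
    "Servicing Supervisor": {"ad-base", "loan-servicing-user", "loan-servicing-approver"},
    "Payments Clerk": {"ad-base", "payments-clerk"},
}

# Job code in the authoritative HR source -> enterprise role (constructed).
JOB_CODE_TO_ROLE = {
    "J100": "Servicing Associate",
    "J110": "Servicing Supervisor",
    "J200": "Payments Clerk",
}

# Segregation-of-duty rules: entitlement pairs one person must never hold together.
SOD_RULES = [("mainframe:LOAN_APPROVE", "mainframe:PAYMENT_POST")]


def entitlements_for_role(business_role):
    """Flatten Business Role -> IT Roles -> Entitlements into one set."""
    ents = set()
    for it_role in BUSINESS_ROLES[business_role]:
        ents |= IT_ROLES[it_role]
    return ents


def target_entitlements(hr_record):
    """Target access comes only from the authoritative source: status plus job code."""
    if hr_record["status"] != "active":
        return set()  # leaver: everything must come off
    return entitlements_for_role(JOB_CODE_TO_ROLE[hr_record["job_code"]])


def provisioning_diff(hr_record, current):
    """What to grant and what to revoke to bring an account in line with its role."""
    target = target_entitlements(hr_record)
    return {"grant": sorted(target - current), "revoke": sorted(current - target)}


def sod_violations(entitlements):
    """Toxic combinations present in a set of entitlements."""
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


def roles_with_sod_conflict():
    """Catch toxic combinations baked into a role definition itself."""
    return sorted(r for r in BUSINESS_ROLES if sod_violations(entitlements_for_role(r)))


def certification_items(hr_record, current):
    """Only access outside the role needs an individual attestation from the manager."""
    return sorted(current - target_entitlements(hr_record))


def reconcile(hr_feed, current_access):
    """Run the checks for every HR record against the access the apps currently hold."""
    report = {}
    for rec in hr_feed:
        have = current_access.get(rec["user"], set())
        report[rec["user"]] = {
            **provisioning_diff(rec, have),
            "sod": sod_violations(have),
            "certify": certification_items(rec, have),
        }
    return report


# Constructed sample data: an HR feed and what the applications currently grant.
HR_FEED = [
    {"user": "alice", "job_code": "J110", "status": "active"},      # promoted from payments
    {"user": "bob", "job_code": "J200", "status": "active"},        # still holds an old approval right
    {"user": "carol", "job_code": "J100", "status": "terminated"},  # leaver, account never cleaned up
]
CURRENT_ACCESS = {
    "alice": {"ad:GRP_AllStaff", "exchange:mailbox", "ad:GRP_Servicing",
              "mainframe:LOAN_READ", "mainframe:PAYMENT_POST"},
    "bob": {"ad:GRP_AllStaff", "exchange:mailbox", "mainframe:PAYMENT_POST",
            "mainframe:LOAN_APPROVE"},
    "carol": {"ad:GRP_AllStaff", "exchange:mailbox", "ad:GRP_Servicing",
              "mainframe:LOAN_READ"},
}

if __name__ == "__main__":
    for user, result in reconcile(HR_FEED, CURRENT_ACCESS).items():
        print(user, result)
    print("roles with built-in SoD conflict:", roles_with_sod_conflict())
```

Running the block reconciles three constructed users: a job change that must both grant and revoke, a leftover approval right that now forms a toxic combination with the user's current duties, and a termination where everything must come off. Deriving target access only from the authoritative source is what lets a job-change or leaver event drive removal automatically instead of depending on a manual hand-off, and checking role definitions themselves for toxic combinations keeps a conflict from being provisioned to everyone in a role at once.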
Page 7
PROJECT OVERVIEW: STREAMLINE ACCESS CERTIFICATIONS
(Same project overview diagram as page 5, with Automated Access Certification highlighted.)
Page 8
PROJECT OVERVIEW: FOCUS ON ACCESS REQUEST FORMS
(Same project overview diagram as page 5, with the Application Access Request Form highlighted.)
Page 9
RESULTS: CLEARLY DEFINED USER ROLES
(Chart: # of Users with Enterprise Roles, by project phase)
Phase 1: 250
Phase 2: 2,500
Phase 3: 5,000
Phase 4: 6,000
Phase 5: 6,500
Page 10
RESULTS: ENHANCED PROVISIONING
(Chart: request-to-provision duration for the Original State, Current State and Future State)
Provisioning Efficiencies
Current State: 33% Reduction
Future State: 60% Reduction (est.)
Page 11
RESULTS: STREAMLINED ACCESS CERTIFICATION PROCESS
Page 12
RESULTS: 64% IMPROVEMENT ACHIEVED, EXCEEDING EXPECTATIONS!
Before: Separate, manual spreadsheets
• Over 1100 Controls
• Different frameworks; different risk areas
• Inconsistent traceability to mandates
• Incomplete coverage of mandates
After: Single repository, solution enabled
• 64% overlap removed
• 400 Integrated Requirements
• Common Framework using 16 Functional Risk Areas
• Full traceability to 160+ mandates
• Includes FISMA, ICE, PCI DSS, GLBA, etc.
(Chart of control counts by framework: PCI 240, FISMA 200, ICE (for IT) 400, GLBA / FFIEC 250, FACTA 14; Integrated 400)
Page 13
WHERE WE ARE NOW
▶ More than 700 applications on-boarded
▶ Over 6,500 users in a job role (approximately 75% of the company)
▶ Seven segregation of duty or monitoring processes implemented
▶ Access certification improvements institutionalized
– This consists of over 20,000 user entitlements to be reviewed this year
Page 14
WHERE WE WANT TO BE BY Q4 2013
▶ Continue to expand current project scope
– Goal is to have 90% of the company in enterprise roles
– Goal is to have 24 certifications scheduled
▶ Continue expanding project scope to include even more SaaS and hosted apps
– ADP, Ariba, Workday
– Looking at externally hosted apps too (FIS, FNI, FDR)
▶ Moving to make Workday our authoritative source
– Corporate HR system moving to Workday, tentatively scheduled for Q4 2014
Page 15
LESSONS LEARNED/BEST PRACTICES
▶ Do Enterprise Roles First
– Simplifies the implementation of all IAM components and reduces future rework
– Team MUST include someone who has successfully deployed Enterprise Roles
▶ Well Defined Roadmap
– Requires shared vision from business and executives
– Part of broader program
▶ Achieve Quick Wins
– Showing results is critical to keep momentum of multi-year program
(Diagram: Enterprise Roles. Can be leveraged across… User Provisioning, Access Requests, Access Certification)