8. Case-Study: Implementation of Identity and Access Management in an Organization
8.2. Creation of Digital Identity for User
a. Current state of the process
In the current state, a requester and an implementer are involved in creating a user's digital identity, and the single account created for the user provides access to the entire firm's resources.
Process to create a new digital identity:
When a user needs a digital identity, the requester contacts the implementer to generate it.
The implementer verifies the business justification only with the requester.
Only First Name, Last Name and Gender are provided to the system to generate the user ID.
The user ID is generated for the user.
The user is informed via email that the ID has been created and is provided with the access details.
Risk and Control matrices should capture all relevant information pertaining to a given business/IT process. The important control activity information to be captured in the matrix includes:
Identified Risks
Control Objectives
Missing Control Activities
Risk and Control Matrix: Creation of Digital Identity for User

S.no. | Control Objectives | Risks | Impact | Missing Control Activities
1 | Controls provide reasonable assurance that the user's activities are monitored while using the digital identity | The user's changes to or deletion of data in the firm's system are not recorded and can go unnoticed. | Extreme | Controls are such that the user's changes to data and access to the system are recorded in the activity log of the digital identity.
2 | Controls provide reasonable assurance that the user will not be able to log in to multiple computers with the digital identity | The user will be able to access the firm's data outside his role and scope. | Extreme | Controls are such that the user is restricted to login and usage of only the assigned computers.
3 | Controls provide reasonable assurance that the user will not be able to make unauthorized actions on the firm's computers, resources and SharePoint | Unauthorized logins and changes made in servers will compromise security and expose the firm's information. | Extreme | Controls are such that access is granted after approval from the firm's manager, with frequent reviews of the server activity log to detect unauthorized actions.
4 | Controls provide reasonable assurance that a duplicate identity is not created for the user | The user will be entitled to multiple digital identities, which is a security threat to the firm. | High | Proper control checks to ensure no old identity exists for the user before creation of the new identity.
5 | Controls provide reasonable assurance that the digital identity is created with the proper approvals | A digital identity can be created without any approval or notification from the user's manager, which reduces transparency. | Extreme | A proper approval workflow should be maintained before creation of the digital identity.
Table 1: Risk and Control Matrix: Creation of Digital Identity for User
b. Risk map/table with scenarios, probability, impact
The table below lists the risks and analyses the risk scenarios associated with the creation and usage of the user's digital identity in the organization before implementation of IAM controls. The risk score is probability multiplied by impact, and the final column is held constant at 9 for every scenario.

Risk Scenario | Probability (1-5) | Impact (1-5) | Risk score (probability × impact) | Threshold
Unable to monitor user activities | 5 | 5 | 25 | 9
Third-party/supplier incidents | 4 | 3 | 12 | 9
Noncompliance | 3 | 5 | 15 | 9
User able to access restricted firm's data | 5 | 5 | 25 | 9
User login to multiple servers and computers | 5 | 5 | 25 | 9
Duplicate User ID | 5 | 3 | 15 | 9
User deleting firm's data from system | 5 | 4 | 20 | 9
Mishandling User Personal Information | 5 | 4 | 20 | 9
Data & information management | 4 | 4 | 16 | 9
Table 2: Risk Analysis of digital identity before implementation of IAM control
c. Description of the suggested changes based on GDDB system with IAM controls
Process narratives are a technique for documenting business process transactions together with their associated applications, as shown below. These narratives are among the best documentation tools for IT environments.
Process to create a new digital identity:
The implementer verifies the business justification with the requester's manager.
In the GDDB system used by the firm, click Insert Person.
The Search for Duplicates screen appears.
Figure 4: Creation of Personal Digital Identity
If that particular person record does not yet exist in the ERP system, click Insert Person.
In the Insert Person screen, fill in the mandatory fields listed in the table below.
Mandatory Field | Person Record
Last name | Family name of the user.
First name | First name of the user.
Organization | Organization name.
Gender | For persons use M for male or F for female.
Category | Internal or external employee.
Supervisor ID | Company manager or owner of the identity.
Table 3: Mandatory field details
To finish creating the new person record, click Insert. At this point the GDDB system generates a Unique ID. A pop-up message appears prompting you to specify the exception.
Figure 5: Created Final Personal Digital Identity
Once a person record has been created in the system, the Active Directory account, mailbox and Skype account can be created.
To create an AD account for the created digital identity:
Open the generic record of the digital identity you want to create an AD account for and click Add Account.
The Account Insert screen opens, prompting you to select an account type; a pop-up window lists the available account types.
Choose the required AD account type for the user and click Next.
The Active Directory account is created and will be synchronized with AD within 4 to 6 hours.
Figure 6: Selection of Active Directory account
Figure 7: Created final AD account
The advantages listed below will help to mitigate or reduce the risks after the implementation of IAM controls:
Manager approval is required for creation of a digital identity.
No duplicate ID will be created.
User-provided personal data are verified and recorded until deletion of the ID.
Each user will have an individual digital identity for activity monitoring.
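The control activities in Table 1 and the revised creation process in section c (manager approval, a duplicate search before insert, the mandatory fields of Table 3, and an activity log per identity) can be modelled in code. The following Python is an added example, not code from the case study or from the GDDB system; the ID format, the lower-cased field names, the `assigned_computers` attribute and the sample record are assumptions made for illustration.

```python
# Added example (not from the case study or the GDDB system): a small in-memory
# model of the revised identity-creation process with the controls from Table 1
# enforced in code. ID format, field names, the assigned_computers attribute and
# the sample record are assumptions made for illustration.


class ControlViolation(Exception):
    """Raised when an identity request fails one of the IAM control checks."""


# Mandatory fields of a person record, following Table 3 (lower-cased keys are assumed).
MANDATORY_FIELDS = ("last_name", "first_name", "organization",
                    "gender", "category", "supervisor_id")
NAME_KEY_FIELDS = ("last_name", "first_name", "organization")


class IdentityRegistry:
    """Stand-in for the person records held by the GDDB system."""

    def __init__(self):
        self.persons = {}        # unique_id -> person record
        self.activity_log = []   # (unique_id, actor, action) entries
        self._next_seq = 1

    def log(self, unique_id, actor, action):
        """Control 1: every action taken with a digital identity is recorded."""
        self.activity_log.append((unique_id, actor, action))

    def search_duplicates(self, record):
        """Control 4: the 'Search for Duplicates' step. Returns the IDs of existing
        records with the same last name, first name and organization."""
        key = tuple(record[f].strip().lower() for f in NAME_KEY_FIELDS)
        return [uid for uid, existing in self.persons.items()
                if tuple(existing[f].strip().lower() for f in NAME_KEY_FIELDS) == key]

    def insert_person(self, record, requester, approved_by):
        """Create a person record only when every control in Table 1 is satisfied."""
        # Control 5: the supervisor named in the record must have approved the request.
        if approved_by is None or approved_by != record.get("supervisor_id"):
            raise ControlViolation("creation requires approval by the supervisor in the record")
        # Table 3: all mandatory fields must be present and well-formed.
        missing = [f for f in MANDATORY_FIELDS if not record.get(f)]
        if missing:
            raise ControlViolation(f"missing mandatory fields: {missing}")
        if record["gender"] not in ("M", "F"):
            raise ControlViolation("gender must be M or F")
        if record["category"] not in ("internal", "external"):
            raise ControlViolation("category must be internal or external")
        # Control 4: duplicate search before insert, so no second identity is created.
        duplicates = self.search_duplicates(record)
        if duplicates:
            raise ControlViolation(f"identity already exists: {duplicates}")
        unique_id = f"GDDB-{self._next_seq:06d}"   # assumed ID format
        self._next_seq += 1
        self.persons[unique_id] = dict(record)
        self.log(unique_id, requester, f"identity created, approved by {approved_by}")
        return unique_id

    def login(self, unique_id, computer):
        """Controls 1 and 2: each login attempt is logged, and only the computers
        assigned to the identity are allowed."""
        allowed = computer in self.persons[unique_id].get("assigned_computers", ())
        outcome = "allowed" if allowed else "denied"
        self.log(unique_id, unique_id, f"login {outcome} on {computer}")
        return allowed


if __name__ == "__main__":
    registry = IdentityRegistry()
    # Constructed sample record for illustration.
    jane = {"last_name": "Doe", "first_name": "Jane", "organization": "ExampleCorp",
            "gender": "F", "category": "internal", "supervisor_id": "MGR-001",
            "assigned_computers": ["WS-01"]}
    uid = registry.insert_person(jane, requester="HR-01", approved_by="MGR-001")
    print("created", uid)
    try:
        registry.insert_person(jane, requester="HR-01", approved_by="MGR-001")
    except ControlViolation as err:
        print("rejected:", err)
    print("login WS-01:", registry.login(uid, "WS-01"))
    print("login WS-99:", registry.login(uid, "WS-99"))
    for entry in registry.activity_log:
        print(entry)
```

The order of the checks matters: approval is verified before any data is touched, and the duplicate search runs before the Unique ID is generated, so a rejected request leaves no record behind. The activity log captures both the creation (with the approver) and every login outcome, which is the evidence the periodic reviews in control 3 rely on.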
d. Risk map/table with the same scenarios, probability, impact after the implementation of changes
The table below shows the outcome of the risk analysis and how the implemented changes reduce the risk associated with the creation and usage of the user's digital identity in the organization. The risk score is again probability multiplied by impact, with the final column held constant at 9.

Risk Scenario | Probability (1-5) | Impact (1-5) | Risk score (probability × impact) | Threshold
Unable to monitor user activities | 2 | 2 | 4 | 9
Third-party/supplier incidents | 2 | 2 | 4 | 9
Noncompliance | 1 | 1 | 1 | 9
User able to access restricted firm's data | 2 | 2 | 4 | 9
User login to multiple servers and computers | 1 | 3 | 3 | 9
Duplicate User ID | 3 | 1 | 3 | 9
User deleting firm's data from system | 3 | 1 | 3 | 9
Mishandling User Personal Information | 2 | 2 | 4 | 9
Data & information management | 2 | 2 | 4 | 9
Table 4: Risk Analysis of digital identity after implementation of IAM control
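The scoring used in Table 2 and Table 4 (probability times impact, each rated 1 to 5) can be recomputed and compared per scenario. The Python below is an added example and not part of the case study; the scenario ratings are transcribed from the two tables, and treating the constant 9 in their last column as the acceptance threshold is an assumption.

```python
# Added example (not part of the case study): recompute the risk scores of
# Tables 2 and 4 as probability x impact and check each scenario against an
# acceptance threshold. Treating the constant 9 in the tables' last column as
# that threshold is an assumption; the ratings below are transcribed from the tables.

THRESHOLD = 9  # assumed acceptance threshold: scores at or above it are unacceptable

# scenario -> (probability, impact), both on a 1-5 scale, from Table 2 (before IAM controls)
BEFORE = {
    "Unable to monitor user activities": (5, 5),
    "Third-party/supplier incidents": (4, 3),
    "Noncompliance": (3, 5),
    "User able to access restricted firm's data": (5, 5),
    "User login to multiple servers and computers": (5, 5),
    "Duplicate User ID": (5, 3),
    "User deleting firm's data from system": (5, 4),
    "Mishandling User Personal Information": (5, 4),
    "Data & information management": (4, 4),
}

# the same scenarios from Table 4 (after IAM controls)
AFTER = {
    "Unable to monitor user activities": (2, 2),
    "Third-party/supplier incidents": (2, 2),
    "Noncompliance": (1, 1),
    "User able to access restricted firm's data": (2, 2),
    "User login to multiple servers and computers": (1, 3),
    "Duplicate User ID": (3, 1),
    "User deleting firm's data from system": (3, 1),
    "Mishandling User Personal Information": (2, 2),
    "Data & information management": (2, 2),
}


def risk_score(probability, impact):
    """Risk score as used in the tables: probability x impact, each on the 1-5 scale."""
    for value in (probability, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"rating {value} is outside the 1-5 scale")
    return probability * impact


def is_acceptable(score, threshold=THRESHOLD):
    """A score below the threshold is within the assumed risk appetite."""
    return score < threshold


def compare(before, after, threshold=THRESHOLD):
    """Per-scenario before/after scores, percentage reduction and residual status."""
    rows = {}
    for scenario, (probability, impact) in before.items():
        score_before = risk_score(probability, impact)
        score_after = risk_score(*after[scenario])
        rows[scenario] = {
            "before": score_before,
            "after": score_after,
            "reduction_pct": round(100 * (score_before - score_after) / score_before),
            "acceptable_after": is_acceptable(score_after, threshold),
        }
    return rows


def residual_risks(rows, threshold=THRESHOLD):
    """Scenarios whose score is still at or above the threshold after the changes,
    highest first; these would need further treatment."""
    residual = [s for s, r in rows.items() if r["after"] >= threshold]
    return sorted(residual, key=lambda s: -rows[s]["after"])


if __name__ == "__main__":
    rows = compare(BEFORE, AFTER)
    print(f"{'Scenario':<46} before  after  reduction  acceptable")
    for scenario, r in rows.items():
        print(f"{scenario:<46} {r['before']:>6} {r['after']:>6} {r['reduction_pct']:>9}%  "
              f"{r['acceptable_after']}")
    print("residual risks above threshold:", residual_risks(rows) or "none")
```

Run as a script, the table shows every scenario starting at or above the assumed threshold of 9 and ending below it; `residual_risks` is the check worth keeping in any re-assessment, since a scenario whose probability or impact is later re-rated upward will show up there immediately.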