8. Case-Study: Implementation of Identity and Access Management in an Organization
8.4. Exchange Resource Creation (Room, Video Conference, Scanner)
a. Current state of the process
In the current state of the process, a requester and an implementer create an Exchange Resource account for each of the firm's meeting rooms, video conference equipment and scanners.
Process to create a new Exchange Resource account for the user:
When a user needs a resource ID, the requester contacts the implementer to create an Exchange Resource account.
The implementer verifies the business justification only with the requester.
The implementer enters the provided resource details (Name, Purpose, Usage limit) to be merged with the account.
The Exchange Resource account is created and is synchronized with AD within 4 to 6 hours.
The Exchange Resource account is generated for the user.
When the Exchange Resource account has been created, an e-mail is sent to the Account Owner asking the Account Owner to reset the default password.
Risk and Control matrices should capture all relevant information pertaining to a given business/IT process. The important control activity information that needs to be captured in the matrix includes:
Identified Risks
Control Objectives
Missing Control Activities
Risk and Control Matrix: Exchange Resource Creation (Room, Video Conf., Scanner)
Columns: S.no.; Business Process & Control Objectives; Risks; Impact; Missing Control activities.

1. Control objective: Controls provide reasonable assurance that users can view the availability of the meeting rooms.
   Risk: The availability of the meeting rooms is not provided to users, who are therefore unable to plan the meeting schedule.
   Impact: Extreme.
   Missing control activity: Controls are such that users can access the availability of the meeting rooms by using the resource ID.

2. Control objective: Controls provide reasonable assurance that multiple users cannot book the meeting room in the same time interval.
   Risk: Multiple users can book the same meeting room for different meetings in the same time interval, causing delay or postponement of the meetings.
   Impact: Extreme.
   Missing control activity: Controls are such that meeting rooms reserved for a selected time interval cannot be booked by other users.

3. Control objective: Controls provide reasonable assurance that management is able to track user details of those using the firm's scanners.
   Risk: There is a possibility of over-usage and personal usage of the firm's scanners by users.
   Impact: High.
   Missing control activity: Controls are such that resources store the digital identity of the users in an activity log.

4. Control objective: Controls provide reasonable assurance that authentication is required to use the scanners.
   Risk: There is a possibility of the firm's classified data being scanned by an anonymous user.
   Impact: Extreme.
   Missing control activity: Controls are such that users are required to self-authenticate before using the firm's resources.

5. Control objective: Controls provide reasonable assurance that resource accounts are created by authorized personnel completely and accurately.
   Risk: A resource account can be created with wrong permissions and will not be able to serve its business purpose.
   Impact: Extreme.
   Missing control activity: Proper segregation of duties for the operational personnel must be set, with assigned roles and responsibilities.
Table 8: Risk and Control Matrix: Exchange Resource Creation (Room, Video Conf., Scanner)
b. Risk map/table with scenarios, probability, impact
The table below shows the risk scenarios associated with the creation and usage of meeting rooms and scanners in the organization before the implementation of IAM controls. The Risk Rating is Impact multiplied by Likelihood, and Baseline is the rating the organization is willing to accept.
| Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline |
|---|---|---|---|---|
| Multiple users booking the meeting room for the same time period | 3 | 5 | 15 | 9 |
| Unable to authenticate access to scanners | 5 | 5 | 25 | 9 |
| Authentication of meeting room usage | 5 | 5 | 25 | 9 |
| User logs of the meeting rooms | 5 | 5 | 25 | 9 |
| Unable to pre-book the meeting rooms | 5 | 3 | 15 | 9 |
| Unable to view the availability of the meeting rooms | 5 | 4 | 20 | 9 |
| Unable to track user details using the firm's scanner | 5 | 4 | 20 | 9 |
| Data & information management | 4 | 4 | 16 | 9 |
Table 9: Risk Analysis of Exchange Resource account before implementation of IAM control
c. Description of the suggested changes based on GDDB system with IAM controls
This chapter describes how to create a new resource record in GDDB and how to create the associated AD account and mailbox. Resource records are Digital Identities assigned to each individual room, VC unit, presentation hall and scanner available in the firm, so that users can book them and so that there is visibility of who is using the firm's resources and how they are used.
Procedure:
A new request is received for the creation of a resource record, with the relevant Request form attached.
Verify that all fields in the Request form are filled in correctly.
If the form is incorrectly filled out, leave a comment in the request ticket describing the missing information and close the request ticket.
If all fields are filled in correctly, continue to the next step.
Create a GDDB generic record, and then continue to the next step.
Create an appropriate AD account for the resource.
Once the AD account is created, create a mailbox.
After the mailbox is created, update the request form with the new 5-2-1 and add it to the request.
AD Account creation for a resource:
The following are the steps to manually create an AD account for a new resource.
Open a generic record of the Digital Identity you want to create an AD Account for and click Add Account.
The Account Insert Screen opens prompting you to select an account type.
Figure 11: Creation of exchange resource account
To show the available account types, click the selection control next to the field. A pop-up window opens listing the account types.
Figure 12: Selection of exchange resource account
Choose AD Special Resource User and click Next.
The Insert Account Screen appears with the Container field, in which a default organization is filled in; the AD container is pre-populated.
Submit the pre-populated AD container by clicking Next.
The Insert Account Screen appears with the Home Directory Template field, in which a default home directory path is filled in; the Home Directory Template value is also pre-defined.
Submit the pre-populated Home Directory Template by clicking Next.
The AD account is created and is synchronized with AD within 4 to 6 hours.
When the AD account has been created, proceed with the creation of a mailbox.
Mailbox creation for a resource:
The following are the steps to manually create a mailbox for a new resource.
Open a generic record of the Digital Identity you want to create a mailbox for and click Add E-mail.
The E-mail Address Insert Screen opens prompting you to select a postoffice.
Figure 13: Creation of exchange resource mailbox
In the pop-up window, for the primary mailbox select the ExchangeRes BPOS post office.
Click Insert to create a mailbox.
In the E-mail Address Update Screen, fill in the following parameters:
Resource Type – based on the kind of resource, e.g. CONF for a conference room or SCAN for a scanner.
Mailbox Type – based on whether the resource is a room (ROOMRBA) or equipment (EQUIPRBA).
Capacity – capacity of the room specified in the Request form.
Building – name of the building where the room is, taken from the Request form.
Floor – floor where the resource is in the building, taken from the Request form.
Figure 14: Created final exchange resource mailbox
After the mailbox is created, inform the user via email.
Listed below are the advantages that help to mitigate or reduce the risks after the implementation of IAM controls:
Users of the firm can book the rooms using the resource ID.
Users cannot book "reserved" meeting rooms using the resource ID.
Users must self-authenticate with their user ID to access scanners.
The digital identity of each room stores activity logs.
Users of the firm can search and see the availability of the rooms using the digital ID.
The resource identity of each scanner stores activity logs.
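The following is an added illustration (not GDDB code, and not part of the original case study) of the controls listed above as a small model: each room or scanner has a resource ID whose availability can be viewed, a reserved interval cannot be booked by another user, and scanner use is refused for anonymous callers and written to an activity log keyed to the user's digital identity. Resource IDs, user IDs and the minutes-since-midnight time unit are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Booking:
    user_id: str
    start: int  # minutes since midnight (constructed sample unit)
    end: int


@dataclass
class Resource:
    resource_id: str  # constructed, e.g. "CONF-ROOM-101"
    kind: str  # "CONF" or "SCAN", as in the mailbox Resource Type
    bookings: list = field(default_factory=list)
    activity_log: list = field(default_factory=list)

    def availability(self, day_start=480, day_end=1080):
        """Control 1: free intervals a user sees when looking up the resource ID."""
        free, cursor = [], day_start
        for b in sorted(self.bookings, key=lambda b: b.start):
            if b.start > cursor:
                free.append((cursor, b.start))
            cursor = max(cursor, b.end)
        if cursor < day_end:
            free.append((cursor, day_end))
        return free

    def book(self, user_id, start, end):
        """Control 2: an interval already reserved cannot be booked by another user."""
        if not user_id or start >= end:
            raise ValueError("an authenticated user and a valid interval are required")
        for b in self.bookings:
            if start < b.end and b.start < end:  # intervals overlap
                return False
        self.bookings.append(Booking(user_id, start, end))
        self.activity_log.append(("BOOK", user_id, start, end))  # who booked what
        return True

    def use_scanner(self, user_id):
        """Controls 3 and 4: self-authentication required; identity is logged."""
        if self.kind != "SCAN":
            raise ValueError("not a scanner resource")
        if not user_id:  # anonymous use is refused and recorded
            self.activity_log.append(("DENIED", "anonymous"))
            return False
        self.activity_log.append(("SCAN", user_id))
        return True
```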
d. Risk map/table with the same scenarios, probability, impact after the implementation of changes
The table below shows the outcome of the risk analysis and how the implemented changes reduce the risk associated with the creation and usage of Exchange resources in the organization. Risk Rating and Baseline are computed and interpreted as in Table 9.
| Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline |
|---|---|---|---|---|
| Multiple users booking the meeting room for the same time period | 2 | 2 | 4 | 9 |
| Unable to authenticate access to scanners | 2 | 2 | 4 | 9 |
| Authentication of meeting room usage | 2 | 2 | 4 | 9 |
| User logs of the meeting rooms | 2 | 2 | 4 | 9 |
| Unable to pre-book the meeting rooms | 3 | 1 | 3 | 9 |
| Unable to view the availability of the meeting rooms | 2 | 1 | 2 | 9 |
| Unable to track user details using the firm's scanner | 2 | 3 | 6 | 9 |
| Data & information management | 2 | 2 | 4 | 9 |
Table 10: Risk Analysis of Exchange Resource account after implementation of IAM control