
Exchange Resource Creation (Room, Video Conference, Scanner)

8. Case-Study: Implementation of Identity and Access Management in an Organization

8.4. Exchange Resource Creation (Room, Video Conference, Scanner)

a. Current state of the process

The current process involves a requester and an implementer who creates the Exchange Resource account for the firm's meeting rooms, video-conference equipment and scanners.


Process to create a new Exchange Resource account for the user:

- When a user needs a resource ID, the requester contacts the implementer to create an Exchange Resource account.
- The implementer verifies the business justification only with the requester.
- The implementer enters the provided resource details (Name, Purpose, Usage limit) to be merged with the account.
- The Exchange Resource account is created and is synchronized with AD within 4 to 6 hours.
- The Exchange Resource account is generated for the user.
- When the Exchange Resource account has been created, an e-mail is sent to the Account Owner asking them to reset the default password.

Risk and Control matrices should capture all relevant information pertaining to a given business/IT process. The important control activity information that needs to be captured in the matrix includes:

- Identified Risks
- Control Objectives
- Missing Control Activities

Risk and Control Matrix: Exchange Resource Creation (Room, Video Conf., Scanner)

| S.no. | Business Process & Control Objectives | Risks | Impact | Missing Control activities |
|---|---|---|---|---|
| 1 | Controls provide reasonable assurance that users can view the availability of the meeting rooms | The availability of the meeting rooms is not provided to users, who will not be able to plan the meeting schedule | Extreme | Controls are such that users can access the availability of the meeting rooms by using the resource ID |
| 2 | Controls provide reasonable assurance that multiple users do not book the meeting room in the same time interval | Multiple users can book the same meeting room for different meetings in the same time interval, causing delay or postponing of the meeting | Extreme | Controls are such that meeting rooms reserved for a selected time interval cannot be booked by other users |
| 3 | Controls provide reasonable assurance that the management is able to track user details when using the firm's scanner | There is a possibility of over-usage and personal usage of the firm's scanner by the users | High | Controls are such that resources will store the digital identity of the users in an activity log |
| 4 | Controls provide reasonable assurance that authentication is required to use the scanners | There is a possibility of the firm's classified data being scanned by an anonymous user | Extreme | Controls are such that the users will be required to self-authenticate before using the firm's resources |
| 5 | Controls provide reasonable assurance that the resource accounts are created by authorized personnel completely and accurately | A resource account can be created with wrong permissions and will not be able to serve its business purpose | Extreme | Proper segregation of duties for the operational personnel must be set with assigned roles and responsibilities |

Table 8: Risk and Control Matrix: Exchange Resource Creation (Room, Video Conf., Scanner)

b. Risk map/table with scenarios, probability, impact

The table below lists the risks and analyses the risk scenarios associated with the creation and usage of meeting rooms and scanners in the organization before the implementation of IAM controls.

| Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline |
|---|---|---|---|---|
| Multiple users booking the meeting room for the same time period | 3 | 5 | 15 | 9 |
| Unable to authenticate access to scanners | 5 | 5 | 25 | 9 |
| Authentication of meeting room usage | 5 | 5 | 25 | 9 |
| User logs of the meeting rooms | 5 | 5 | 25 | 9 |
| Unable to pre-book the meeting rooms | 5 | 3 | 15 | 9 |
| Unable to view the availability of the meeting rooms | 5 | 4 | 20 | 9 |
| Unable to track user details using the firm's scanner | 5 | 4 | 20 | 9 |
| Data & information management | 4 | 4 | 16 | 9 |

Table 9: Risk Analysis of Exchange Resource account before implementation of IAM control

c. Description of the suggested changes based on GDDB system with IAM controls

This section describes how to create a new resource record in GDDB and how to create the associated AD account and mailbox. Resource records are digital identities assigned to each individual room, VC unit, presentation hall and scanner available in the firm, so that users can book them and there is visibility of who is using the firm's resources and how they are used.

Procedure:

- A new request is received for creation of a resource record with the relevant Request form attached.
- Verify that all the fields in the Request form are filled in correctly.
- If the form is incorrectly filled out, leave a comment in the request ticket describing the missing information and close the request ticket.
- If all fields are filled in correctly, continue to the next step.
- Create a GDDB generic record, and then continue to the next step.
- Create an appropriate AD account for the resource.
- Once the AD account is created, create a mailbox.
- After the mailbox is created, update the request form with the new 5-2-1 and add it to the request.

AD Account creation for a resource:

The following are the steps to manually create an AD account for a new resource.

To create an AD account for a new resource:

- Open the generic record of the Digital Identity you want to create an AD Account for and click Add Account.
- The Account Insert Screen opens, prompting you to select an account type.

Figure 11: Creation of exchange resource account

- To show the account types available, click. A pop-up window opens listing the account types.

Figure 12: Selection of exchange resource account

- Choose AD Special Resource User and click Next.
- The Insert Account Screen appears with the Container field, where a default organization is filled in. The AD container is pre-populated.
- Submit the pre-populated AD container by clicking Next.
- The Insert Account Screen appears with the Home Directory Template field, where a default home directory path is filled in. The Home Directory Template value is also pre-defined.
- Submit the pre-populated Home Directory Template by clicking Next.
- The AD account is created and will be synchronized with AD within 4 to 6 hours.
- When the AD account is created, proceed with the creation of a mailbox.

Mailbox creation for a resource:

The following are the steps to manually create a mailbox for a new resource.

To create a mailbox for a new resource:

- Open the generic record of the Digital Identity you want to create a mailbox for and click Add E-mail.
- The E-mail Address Insert Screen opens, prompting you to select a post office.

Figure 13: Creation of exchange resource mailbox

- In the pop-up window, for the primary mailbox select the ExchangeRes BPOS post office.
- Click Insert to create the mailbox.
- In the E-mail Address Update Screen, fill in the following parameters:
  - Resource type – based on the kind of resource, e.g. CONF for a conference room or SCAN for a scanner.
  - Mailbox Type – based on whether the resource is a room (ROOMRBA) or equipment (EQUIPRBA).
  - Capacity – capacity of the room as specified in the Request form.
  - Building – name of the building where the room is, taken from the Request form.
  - Floor – floor of the building where the resource is, taken from the Request form.

Figure 14: Created final exchange resource mailbox

- After the mailbox is created, inform the user via e-mail.
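In the thesis the mailbox step is performed through GDDB. As an added example that is not the thesis's or GDDB's own code, the Exchange Management Shell / Exchange Online function below creates the resource mailbox from the same Request form fields and applies the calendar settings that implement control objectives 1, 2 and 5 of Table 8. The function name and its parameters are assumptions modelled on the form; the sample call values are constructed.

```powershell
# Added example, not from the thesis or GDDB. Function and parameter names are
# assumptions modelled on the Request form; needs an Exchange shell session.
function New-FirmResourceMailbox {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('CONF', 'SCAN')] [string] $ResourceType,
        [Parameter(Mandatory)] [ValidateSet('ROOMRBA', 'EQUIPRBA')] [string] $MailboxType,
        [int] $Capacity = 0,
        [string] $Building = '',
        [int] $Floor = 0
    )
    # Control objective 5: refuse an incomplete form rather than create a
    # resource that cannot serve its business purpose.
    if ($MailboxType -eq 'ROOMRBA' -and $Capacity -le 0) {
        throw "Room resource '$Name' needs a capacity from the Request form."
    }
    # ROOMRBA becomes a room mailbox, EQUIPRBA an equipment mailbox.
    if ($MailboxType -eq 'ROOMRBA') {
        New-Mailbox -Name $Name -Room | Out-Null
        Set-Mailbox -Identity $Name -ResourceCapacity $Capacity
    } else {
        New-Mailbox -Name $Name -Equipment | Out-Null
    }
    # Keep the form's classification on the object so reports can filter on it.
    Set-Mailbox -Identity $Name -CustomAttribute1 $ResourceType -CustomAttribute2 $MailboxType

    # Control objective 2: the resource accepts bookings itself, never two for
    # the same interval, and only from authenticated users covered by the policy.
    Set-CalendarProcessing -Identity $Name -AutomateProcessing AutoAccept `
        -AllowConflicts $false -AllowRecurringMeetings $true `
        -BookingWindowInDays 180 -AllBookInPolicy $true

    # Control objective 1: every user can read availability, nobody can edit it.
    Set-MailboxFolderPermission -Identity "${Name}:\Calendar" -User Default -AccessRights LimitedDetails

    # Building and Floor from the Request form. Set-Place exists in Exchange
    # Online only and applies to room mailboxes; on-premises use Set-Mailbox -Office.
    if ($MailboxType -eq 'ROOMRBA' -and $Building) {
        Set-Place -Identity $Name -Building $Building -Floor $Floor -Capacity $Capacity
    }
    # Return the effective booking policy so the request ticket can record it.
    Get-CalendarProcessing -Identity $Name |
        Select-Object Identity, AutomateProcessing, AllowConflicts, AllBookInPolicy
}

# Constructed sample call for a 12-seat meeting room on the third floor.
New-FirmResourceMailbox -Name 'ROOM-HQ-3-01' -ResourceType CONF -MailboxType ROOMRBA `
    -Capacity 12 -Building 'Headquarters' -Floor 3
```

In Exchange Online the mailbox may take a short time to become visible to the Set-* cmdlets after New-Mailbox, so a retry or short wait between the two steps is sometimes needed.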

Below are the advantages which will help to mitigate or reduce the risks after the implementation of IAM controls:

- Users of the firm can book the rooms using the resource ID.
- Users cannot book "reserved" meeting rooms using the resource ID.
- Users' self-authentication is required to access scanners using their user ID.
- The digital identity for the rooms will store activity logs.
- Users of the firm can search and see the availability of the rooms using the digital ID.
- The resource identity of the scanners will store activity logs.

d. Risk map/table with the same scenarios, probability, impact after the implementation of changes

The table below shows the outcome of the risk analysis and how the implemented changes reduce the risk associated with the creation and usage of Exchange resources in the organization.

| Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline |
|---|---|---|---|---|
| Multiple users booking the meeting room for the same time period | 2 | 2 | 4 | 9 |
| Unable to authenticate access to scanners | 2 | 2 | 4 | 9 |
| Authentication of meeting room usage | 2 | 2 | 4 | 9 |
| User logs of the meeting rooms | 2 | 2 | 4 | 9 |
| Unable to pre-book the meeting rooms | 3 | 1 | 3 | 9 |
| Unable to view the availability of the meeting rooms | 2 | 1 | 2 | 9 |
| Unable to track user details using the firm's scanner | 2 | 3 | 6 | 9 |
| Data & information management | 2 | 2 | 4 | 9 |

Table 10: Risk Analysis of Exchange Resource account after implementation of IAM control
