
Findings from the Industry Expert Interview to Analyse IAM Controls

Roles: Requester, Approver, Implementer

Process Steps:

Process step                                Requester   Approver   Implementer
1. Creation of Digital Identity for User    C, I        A          R
2. Creation of Special AD Account           C, I        A          R
3. Exchange Resource Creation               C, I        A          R
4. Creation of shared generic mailbox       -           A, C, I    R

Table 15: RACI-Matrix

A = Accountable, R = Responsible, C = Contribute, I = Informed

9. Findings from the Industry Expert Interview to Analyse IAM Controls

Within the case study in this part of the research, we focus on the analysis of the secondary data collected from an interview held with the Medobal Company’s Risk Manager.

The conversation with the manager was held via ‘Zoom Meeting’ and lasted approximately an hour. The interview was semi-structured and focused on identifying the guest’s findings on the processes after the implementation of the IAM controls. Its questions were developed by the thesis author in line with the goals of this part of the research; the structure of the interview can be found in Annex 1 to this thesis. We tried to reveal the main types of threats the company faces in access management, and to identify the protection measures, mechanisms and controls the firm uses to minimize their risk impact. Medobal is a Sri Lankan medical institution in the tourism sector with headquarters in Chennai, India; it acts only as a connecting service and has lately been involved in the development of specific functionalities for healthcare. As the company mostly operates online, mishandling of the company’s information is a risk inherent in the access management system used for the continuous processing of these functionalities, and the analysis considers how the IAM controls are incorporated into the information security of the firm accordingly.

The interview was set up to derive more information from the expert on the process scenarios shown above, after the implementation of the IAM controls.

Below, we highlight the main findings derived from the interview.

Defining Risk for Firm

Risks were dealt with using a formal and deliberate methodology. A risk library was created, with risks ranked numerically based on the likelihood of occurrence and the potential impact. Senior management then met routinely each month.

IAM Controls in Access Management

As the company used the GDDB system with IAM controls implemented for access management, reliability increased: two-way authentication is in place and data transfers are monitored and reported. Access is granted according to privileges and restrictions, which reduces the risk of full exposure of information. Special accounts are provided for privileged access for different usages, such as accessing servers, accessing shared workstations, and super access to override systems. The IAM controls are implemented so that all these special accounts require pre-approval from the application manager. The roles and responsibilities of the IAM team members are clearly addressed and segregation of duties is defined, including the workflow of required approvals before the creation of identities. Hence, the risk of creating inaccurate and false identities is reduced to a minimum.
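The approval workflow described by Table 15 and by this finding (an Accountable approval recorded before the Responsible party acts, segregation of duties between requester, approver and implementer, and application-manager pre-approval for special accounts), written out as an added Python example that is not part of the thesis or of the firm's GDDB system; the step names, role labels and the `application_manager` role name are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Table 15 (RACI-Matrix) encoded as data: process step -> role -> RACI letters.
# Step identifiers are assumed labels for the four rows of the table.
RACI = {
    "digital_identity":   {"requester": "CI", "approver": "A",   "implementer": "R"},
    "special_ad_account": {"requester": "CI", "approver": "A",   "implementer": "R"},
    "exchange_resource":  {"requester": "CI", "approver": "A",   "implementer": "R"},
    "shared_mailbox":     {"requester": "",   "approver": "ACI", "implementer": "R"},
}
# Special (privileged) accounts need pre-approval from the application manager (role name assumed).
PRIVILEGED_STEPS = {"special_ad_account"}
APPLICATION_MANAGER = "application_manager"

@dataclass
class Request:
    step: str
    requester: Optional[str] = None      # person in the Requester column
    approver: Optional[str] = None       # person who recorded the Accountable decision
    approver_role: Optional[str] = None  # e.g. "application_manager" (assumed role label)
    implementer: Optional[str] = None    # person who will perform the Responsible action

def violations(req: Request) -> list:
    """Return control violations; an empty list means the implementer may proceed."""
    matrix = RACI.get(req.step)
    if matrix is None:
        return ["unknown process step: %s" % req.step]
    people = {"requester": req.requester, "approver": req.approver, "implementer": req.implementer}
    found = []
    for role, letters in matrix.items():
        # A role with no RACI entry ("-" in the table) must not take part in this step.
        if not letters and people[role] is not None:
            found.append("%s has no role in step %s" % (role, req.step))
        # Every role that does have an entry must be filled before the step can run,
        # so the Accountable approval always exists before the Responsible action.
        if letters and people[role] is None:
            found.append("no %s assigned (RACI: %s)" % (role, letters))
    # Segregation of duties: no person may hold two of the three roles in one request.
    named = [p for p in people.values() if p is not None]
    if len(set(named)) != len(named):
        found.append("segregation of duties violated: one person holds two roles")
    # Privileged special accounts require the application manager as approver.
    if req.step in PRIVILEGED_STEPS and req.approver_role != APPLICATION_MANAGER:
        found.append("special account needs pre-approval by the application manager")
    return found

def informed_parties(req: Request) -> list:
    """Names that must be notified (the I in RACI) once the step is implemented."""
    people = {"requester": req.requester, "approver": req.approver, "implementer": req.implementer}
    return [people[r] for r, letters in RACI[req.step].items() if "I" in letters and people[r]]
```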

Insufficient Support of Senior Management

Although this was never a risk, there was a coordinated effort to keep senior management engaged by ensuring that they stayed informed of, and involved in, the ongoing risks surrounding the implementation. This was enforced in weekly meetings where all members would discuss and analyse how the project was proceeding, in order to manage issues as they emerged.

Usage of firm’s resources

We have ensured full access to the firm’s resources for the users and made their usage easy and efficient. IAM controls are in place for full traceability and visibility of the usage of the firm’s resources: every meeting room, scanner and printer available in the firm is assigned a digital ID, and users can book and use the resources after self-authorization. As a result of this process the users are seamlessly using the firm’s resources and potential risks are eliminated.

Broadcast Communication in firms

When sending broadcast messages across the organization to every user regarding leadership updates, emergency information, and organization goals and achievements, we use a shared mailbox with a generic name, so that the communication is recognizably authentic and easy for users to identify, and is not pushed to spam.

Mailbox permissions and access are kept secure by the mailbox owner, who manages the mailbox permissions and ensures the security of the mailbox. This lets the mailbox owner monitor the activity of the mailbox and grant or revoke access for other users who want to access the mailbox.


Failure to blend internal and external expertise effectively

With the engagement of external expertise, the risks associated with blending external and internal resources became principal. While the help was required on this project, future activities dictated that there was a business need to enable those working on the project to upskill, allowing future undertakings to succeed with lower levels of external support. As external users are exposed to more information about the firm, there is always a potential threat posed by external users. Innovations are required to address this issue, to increase efficiency and at the same time secure the firm’s information.

Lack of training for our clients in access management

While issues related to client training were alleviated in subsequent implementations by the firm’s ability to use other successful implementations as reference points ("They don't really need to wait until they go live before they can do training; they simply go to another office."), the initial installation presented issues because of the significant level of business and technological change required within the business.

Lack of responsibility of external users accessing the system in the project

Although the project was of fundamental importance to the business and was underlined by the level of senior management commitment, the day-to-day running of the business still required attention, and enabling staff to devote their time to the project was hard: the potential risk of information exposure is high, yet if access is not provided the job remains unfinished and impacts the business.

In summary, from the information obtained in the interview we can see that the controls implemented on the GDDB system help the firm reduce the risks associated with identity and access management, but they also open the path for new types of risk to arise, and the only way to manage the continuously evolving risk scenarios is periodic risk analysis of the IAM controls and processes for the identification and mitigation of risks. Educating users in good practices for using their digital identity and in the importance of access management will help reduce the risks; this can be achieved by creating mandatory training sessions for the users on the following topics: good practice in the usage of digital identity, good practice in the usage of the firm’s resources, and protection of the firm’s classified data against cyber-attacks.