8. Case-Study: Implementation of Identity and Access Management in an Organization
8.3. Special AD Account Creation Procedure
a. Current state of the process
In the current process, the requester and the implementer are the only parties involved in creating a special AD account that lets a user access the firm's servers and data.
Process to create a new special AD account for a user:
When a user needs a special AD account, the requester contacts the implementer to generate it.
The implementer verifies the business justification only with the requester.
The implementer selects the single available special AD account type for access to the firm's servers.
The special AD account is created and is synchronized with AD within 4 to 6 hours.
The special AD account is handed over to the user.
Once the special AD account has been created, an e-mail is sent to the account owner asking the account owner to reset the default password.
Risk and Control matrices should capture all relevant information pertaining to a given business/IT process. The important control activity information that needs to be captured in the matrix includes:
Identified Risks
Control Objectives
Missing Control Activities
Risk and Control Matrix: Special AD Account Creation Procedure
(Columns: S.no., Control Objective under Business Process & Control Objectives; Risk and Impact under Risks; Missing Control Activity)

1. Control objective: Controls provide reasonable assurance that special AD accounts are created by authorized personnel, completely and accurately.
   Risk: A special AD account can be created with wrong permissions and will not be able to serve its business purpose.
   Impact: Extreme
   Missing control activity: Proper segregation of duties for operational personnel must be set, with assigned roles and responsibilities.

2. Control objective: Controls provide reasonable assurance that the correct special AD account type is created as per the business needs.
   Risk: There are various types of special AD account, and creation of the wrong account type will not serve the business purpose.
   Impact: High
   Missing control activity: Controls are such that the business justification provided is verified accurately before creation of the special AD account.

3. Control objective: Controls provide reasonable assurance that the special AD account is created with the proper approvals.
   Risk: A special AD account can be created without any proper business justification and without any approval or notification from management.
   Impact: Extreme
   Missing control activity: A proper approval workflow should be maintained before creation of a special AD account.

4. Control objective: Controls provide reasonable assurance that the user will not be able to perform unauthorized actions on the servers.
   Risk: Unauthorized logins and changes made on servers will compromise security and expose the firm's information.
   Impact: Extreme
   Missing control activity: Controls are such that access is granted after approval from the firm's manager, and server activity logs are reviewed frequently to detect unauthorized actions.

5. Control objective: Controls provide reasonable assurance that the user will not be able to delete or copy the firm's data.
   Risk: Deleting or copying the firm's classified data will lead to potential financial loss.
   Impact: Extreme
   Missing control activity: Controls are such that the user is given read-only access only, or the deletion option is disabled.

Table 5: Risk and Control Matrix: Special AD Account Creation Procedure
b. Risk map/table with scenarios, probability, impact
The table below lists the risk scenarios associated with the creation and usage of special AD accounts in the organization and analyses them before the implementation of IAM controls.
Risk Scenario Category                              | Probability (1-5) | Impact (1-5) | Probability x Impact | Last column (as given)
----------------------------------------------------|-------------------|--------------|----------------------|-----------------------
Type of Special AD account adoption/usage problems  | 4                 | 3            | 12                   | 9
Unable to monitor user activities                   | 5                 | 5            | 25                   | 9
Third-party/supplier incidents                      | 4                 | 3            | 12                   | 9
Noncompliance                                       | 3                 | 5            | 15                   | 9
User able to access data without approval           | 5                 | 5            | 25                   | 9
User login to multiple servers and computers        | 5                 | 5            | 25                   | 9
User performing changes in data                     | 5                 | 3            | 15                   | 9
User deleting firm's data from servers              | 5                 | 4            | 20                   | 9
User activity log traceability                      | 5                 | 4            | 20                   | 9
Data & information management                       | 4                 | 4            | 16                   | 9

The last column reads 9 in every row of the source; its header did not survive extraction and is reproduced as given.

Table 6: Risk Analysis of Special AD account before implementation of IAM control
c. Description of the suggested changes based on GDDB system with IAM controls
This section gives step-by-step instructions for creating a special AD Account in GDDB. Each GDDB generic record can be associated with only one special account.
Process to create a special AD Account:
Open the person record of the Digital Identity you want to create an AD Account for and click Add Account.
The Account Insert Screen opens, prompting you to select an account type.
Figure 8: Creation of special AD account
Click to show the available account types.
A pop-up window opens listing the account types.
Figure 9: Selection of special AD account
Select the account type based on the information in the Request form.
The Insert Account Screen appears with the Container field, in which a default organization is filled in; the AD container is pre-populated.
Submit the pre-populated AD container by clicking Next.
The Insert Account Screen appears with a home directory specified in the Home Directory Template field. Click Next.
The AD account is created and is synchronized with AD within 4 to 6 hours.
Figure 10: Created special AD account
Once the AD account has been created, send an e-mail to the Account Owner (Supervisor ID) asking the Account Owner to reset the default password.
The following advantages of the IAM-controlled process help mitigate or reduce the risks listed above:
Manager approval is required for creation of a special AD account.
A special AD account can only be used to access the firm's servers.
A special AD account restricts the user from deleting the firm's data.
A special AD account restricts the user from copying the firm's data to the local system.
A special AD account gives full traceability of user activities.
Different types of special AD account are available according to the user's requirement and role in the firm.
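The two procedures described in sections a and c, modelled as code. This is an added illustration written for this page, not GDDB code and not the firm's tooling; it does not talk to Active Directory. The account type names, user identifiers and activity log entries are constructed placeholders. Each check in the controlled version is labelled with the Table 5 row or advantage it implements, and review_activity_log shows the periodic server log review that detects actions exceeding a read-only account's permissions.

```python
"""Workflow model of the special AD account creation procedure, before and
after the IAM controls. Added illustration for this page; not GDDB code.
Account type names and identifiers below are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder account types; the page does not list GDDB's real types.
ACCOUNT_TYPES = {"SRV-READ", "SRV-READ-AUDIT", "SRV-APP"}

# Actions a special AD account is allowed to perform on the firm's servers.
PERMITTED_ACTIONS = {"login", "read"}


@dataclass
class Request:
    user_id: str
    requester_id: str
    implementer_id: str
    account_type: str
    justification: str
    approver_id: Optional[str] = None   # manager recorded by the IAM workflow


@dataclass
class SpecialAccount:
    user_id: str
    account_type: str
    read_only: bool
    allow_delete: bool
    allow_copy_to_local: bool
    must_reset_password: bool = True   # owner resets the default password


class ControlViolation(Exception):
    """Raised when a request fails one of the control checks."""


def create_legacy_account(req: Request) -> SpecialAccount:
    """Current-state process (section a): justification checked only with the
    requester, one account type, no approval, no segregation of duties."""
    if not req.justification.strip():
        raise ControlViolation("business justification missing")
    # Missing controls of Table 5 rows 1, 3 and 5: nothing else is checked and
    # the single account type carries delete and copy rights.
    return SpecialAccount(req.user_id, "SRV-FULL", read_only=False,
                          allow_delete=True, allow_copy_to_local=True)


def create_controlled_account(req: Request, audit_log: list) -> SpecialAccount:
    """IAM-controlled process (section c); each check maps to a Table 5 row."""
    # Row 3: manager approval must be on record before creation.
    if not req.approver_id:
        raise ControlViolation("manager approval missing")
    # Row 1: segregation of duties between requester, approver and implementer.
    if len({req.requester_id, req.approver_id, req.implementer_id}) < 3:
        raise ControlViolation("requester, approver and implementer must differ")
    # Row 2: the account type comes from the request form and must be a defined type.
    if req.account_type not in ACCOUNT_TYPES:
        raise ControlViolation(f"unknown account type: {req.account_type}")
    if not req.justification.strip():
        raise ControlViolation("business justification missing")
    # Row 5: read-only, no deletion, no copying to the local system.
    acct = SpecialAccount(req.user_id, req.account_type, read_only=True,
                          allow_delete=False, allow_copy_to_local=False)
    # Row 4: traceable record of who requested, approved and created the account.
    audit_log.append({"event": "account_created", "user": req.user_id,
                      "requester": req.requester_id, "approver": req.approver_id,
                      "implementer": req.implementer_id, "type": req.account_type})
    return acct


def review_activity_log(acct: SpecialAccount, events: list) -> list:
    """Row 4: review of server activity; returns the account's events that
    exceed its permissions (the legacy account permits everything)."""
    allowed = set(PERMITTED_ACTIONS)
    if acct.allow_delete:
        allowed.add("delete")
    if acct.allow_copy_to_local:
        allowed.add("copy_to_local")
    return [e for e in events
            if e["user"] == acct.user_id and e["action"] not in allowed]


def demo() -> dict:
    """Runs both processes on one constructed request and a constructed
    activity log; returns counts used by the assertions."""
    audit_log = []
    req = Request("u1001", "r200", "i300", "SRV-READ",
                  "Read access to reporting servers", approver_id="m400")
    legacy = create_legacy_account(req)
    controlled = create_controlled_account(req, audit_log)
    events = [{"user": "u1001", "action": "login"},    # constructed log entries
              {"user": "u1001", "action": "read"},
              {"user": "u1001", "action": "delete"},
              {"user": "u1001", "action": "copy_to_local"},
              {"user": "u1002", "action": "delete"}]
    unapproved = Request("u1001", "r200", "i300", "SRV-READ", "x")
    self_approved = Request("u1001", "r200", "i300", "SRV-READ", "x", approver_id="r200")
    rejected = 0
    for bad in (unapproved, self_approved):
        try:
            create_controlled_account(bad, audit_log)
        except ControlViolation:
            rejected += 1
    return {"legacy_flagged": len(review_activity_log(legacy, events)),
            "controlled_flagged": len(review_activity_log(controlled, events)),
            "audit_entries": len(audit_log), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

On the same request and the same server activity, the legacy account's deletion and copy-to-local events pass review unnoticed because that account type permits them, while the controlled account flags both; the unapproved request and the request where the requester approves their own ticket are both refused before any account exists.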
d. Risk map/table with the same scenarios, probability, impact after the implementation of changes
The table below shows the outcome of the risk analysis after the changes, i.e. how the implemented IAM controls reduce the risk associated with the creation and usage of a user's special AD account in the organization.
Risk Scenario Category                              | Probability (1-5) | Impact (1-5) | Probability x Impact | Last column (as given)
----------------------------------------------------|-------------------|--------------|----------------------|-----------------------
Type of Special AD account adoption/usage problems  | 1                 | 3            | 3                    | 9
Unable to monitor user activities                   | 2                 | 2            | 4                    | 9
Third-party/supplier incidents                      | 2                 | 2            | 4                    | 9
Noncompliance                                       | 1                 | 1            | 1                    | 9
User able to access data without approval           | 2                 | 2            | 4                    | 9
User login to multiple servers and computers        | 1                 | 3            | 3                    | 9
User performing changes in data                     | 3                 | 1            | 3                    | 9
User deleting firm's data from system               | 3                 | 1            | 3                    | 9
User activity log traceability                      | 2                 | 3            | 6                    | 9
Data & information management                       | 2                 | 2            | 4                    | 9

Table 7: Risk Analysis of special AD account after implementation of IAM control
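A small risk register helper that reproduces the scoring of Tables 6 and 7 (probability 1-5 times impact 1-5) and compares the inherent and residual registers scenario by scenario. This is an added example for this page, not part of the thesis or the organization's tooling. The two registers are copied from the tables; the page does not say what the constant 9 in the last column stands for, so the limit used to query residual scores is left as a parameter rather than assumed to be a tolerance threshold.

```python
"""Risk scoring for the before/after tables. Added illustration for this page;
the registers are transcribed from Tables 6 and 7, scores are P x I."""

SCALE = range(1, 6)   # both probability and impact are rated 1-5

# (probability, impact) per scenario before IAM controls (Table 6).
BEFORE = {
    "Type of Special AD account adoption/usage problems": (4, 3),
    "Unable to monitor user activities": (5, 5),
    "Third-party/supplier incidents": (4, 3),
    "Noncompliance": (3, 5),
    "User able to access data without approval": (5, 5),
    "User login to multiple servers and computers": (5, 5),
    "User performing changes in data": (5, 3),
    "User deleting firm's data from servers": (5, 4),
    "User activity log traceability": (5, 4),
    "Data & information management": (4, 4),
}

# Same scenarios after IAM controls (Table 7). Table 7 words the deletion row
# "from system"; the key is kept identical so the two rows line up.
AFTER = {
    "Type of Special AD account adoption/usage problems": (1, 3),
    "Unable to monitor user activities": (2, 2),
    "Third-party/supplier incidents": (2, 2),
    "Noncompliance": (1, 1),
    "User able to access data without approval": (2, 2),
    "User login to multiple servers and computers": (1, 3),
    "User performing changes in data": (3, 1),
    "User deleting firm's data from servers": (3, 1),
    "User activity log traceability": (2, 3),
    "Data & information management": (2, 2),
}


def risk_score(probability: int, impact: int) -> int:
    """Probability x impact; rejects ratings outside the 1-5 scale so a typo
    in the register cannot produce a plausible-looking score."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError(f"ratings must be 1-5, got {(probability, impact)}")
    return probability * impact


def compare_registers(before: dict, after: dict) -> list:
    """Rows of (scenario, inherent score, residual score, % reduction), sorted
    with the highest inherent score first. Refuses registers whose scenario
    sets differ so a renamed row cannot silently drop out of the comparison."""
    if before.keys() != after.keys():
        raise ValueError("scenario sets differ between the two registers")
    rows = []
    for name in before:
        b = risk_score(*before[name])
        a = risk_score(*after[name])
        rows.append((name, b, a, round(100 * (b - a) / b)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def scenarios_above(register: dict, limit: int) -> list:
    """Scenarios whose score exceeds `limit` (the limit is a parameter; the
    page does not define one)."""
    return [name for name, (p, i) in register.items() if risk_score(p, i) > limit]


if __name__ == "__main__":
    for name, b, a, pct in compare_registers(BEFORE, AFTER):
        print(f"{name:<52} {b:>3} -> {a:>2}  ({pct}% lower)")
    print("residual scores above 9:", scenarios_above(AFTER, 9))
```

Run as a script it prints the ten scenarios ranked by inherent score with the residual score and percentage reduction beside each, which is the comparison the text draws between Table 6 and Table 7.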