Establishing a Mature Identity and Access Management Program for a Financial Services Provider

Financial Services | Network Infrastructure Services, Information Security



Download

A financial services provider partnered with TEKsystems to build a secure identity and access management (IAM) program to address regulatory audit findings and improve the end-user experience.

The client, recently designated as systemically important to the U.S. financial market, is the world’s leading equity derivatives clearing organization. The corporation clears a wide array of diverse and sophisticated products. Offering clearing and settlement services for transactions in futures and options, the client also clears transactions for security futures, over-the-counter and exchange-listed options.

Due to the highly sensitive nature of finance and its associated data and policies, the financial services industry is heavily regulated to protect consumer and institutional assets. Overarching regulations and industry mandates are constantly changing in response to evolving threats and industry needs; businesses must address emerging security issues or face severe consequences. Leaving security and access issues unresolved can result in audit-related fines, shaken investor confidence, a tarnished brand perception and heightened security risks.

In addition to managing security issues associated with external threats, organizations must protect their assets internally as well. It is important that organizations give internal and external identities—including contractors, vendors and business partners—the appropriate level of access to information, applications and networks needed to complete their responsibilities. However, privilege levels can vary widely depending on an identity’s job function, seniority or specific projects. Maintaining diverse access privileges for thousands of identities can be a daunting task as individuals are onboarded or offboarded on a regular basis. Organizations must have a scalable IAM program and IAM systems in place to ensure proper clearances or privileges can be quickly updated to reflect business and regulatory changes.

Organizations often rely on IAM programs backed by sound governance policies to ensure compliance and streamline user account management and maintenance via automated policies and processes. A robust IAM program can help establish and enforce repeatable business processes, and the underlying infrastructure service components needed to create and maintain accurate and timely user identities that dictate access privileges and restrictions. A secure program can also improve business efficiencies by minimizing the need for help desk support and allowing identities to be self-sufficient in resolving issues. Companies must find the right balance between restricting access to information necessary to safeguard the business while granting internal and external identities the appropriate access needed to be productive and profitable.

Identity governance and administration, Identity and access governance, User administration and provisioning

The client, a financial services provider, operates under direct oversight of the U.S. Securities and Exchange Commission (SEC) and U.S. Commodity Futures Trading Commission (CFTC). The client is regularly audited by these organizations to ensure it complies with the most recent regulatory and security mandates that govern the financial marketplace. During a recent audit, the client was found to be lacking in numerous IAM standards needed to help protect sensitive business assets and mitigate security risks for the organization and its end users. Among the findings were:

  • The presence of idle accounts. The client’s system contained numerous orphan accounts belonging to past or terminated identities, which meant timely account decommissioning was not consistently occurring.
  • Inadequate access verification. It was difficult for the auditors to confirm why certain accounts had the access they did within the system. The approval process to access applications and systems was inconsistently applied.
  • Inadequate access reviews. The client did not conduct periodic access reviews across all key applications/systems to ensure the appropriate levels of access were provided to the correct individuals as their roles or seniority changed.
  • Inadequate controls around privileged account management. The client lacked policies and procedures to manage super-user accounts (e.g., administrator, root and emergency identities).

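The four findings above are each a reconciliation question: does every account map to an active person, an approval record, a recent review, and, for super-user accounts, an accountable owner? The script below is an added illustration, not TEKsystems' or the client's code, and every roster entry, account and date in it is constructed; the 90-day review and idle thresholds and the privileged role names are assumptions. It reads an account inventory alongside an HR roster and reports each finding category as a list.

```python
"""Constructed example: reconcile an account inventory against the HR roster,
access-approval records and review history to surface the four IAM audit
finding types (idle/orphan accounts, missing approvals, overdue access reviews,
unmanaged privileged accounts). All data below is constructed, not client data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_PERIOD_DAYS = 90                              # assumed quarterly review cadence
IDLE_DAYS = 90                                       # assumed idle threshold
PRIVILEGED_ROLES = {"admin", "root", "emergency"}    # super-user classes named in the findings


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str              # HR employee/contractor id; "" if no owner recorded
    system: str
    role: str
    approval_ticket: str       # "" if no access approval is on record
    last_reviewed: Optional[date]
    last_login: Optional[date]


# Constructed HR roster: person id -> still active?
HR_ROSTER = {"e100": True, "e101": True, "e102": False, "c200": True}

# Constructed account inventory exported from the target systems
ACCOUNTS = [
    Account("alice", "e100", "trading-db", "user", "REQ-1", date(2024, 1, 10), date(2024, 3, 1)),
    Account("bob", "e102", "trading-db", "user", "REQ-2", date(2023, 11, 2), date(2023, 12, 30)),  # owner terminated
    Account("carol", "e101", "settlement", "user", "", date(2024, 2, 15), date(2024, 3, 2)),      # no approval
    Account("dave", "e101", "settlement", "user", "REQ-4", date(2023, 9, 1), date(2024, 2, 28)),  # review overdue
    Account("svc_root", "", "trading-db", "root", "", None, None),                                # unowned root
    Account("breakglass", "c200", "settlement", "emergency", "REQ-9", date(2024, 2, 20), None),
]


def orphan_accounts(accounts, roster):
    """Accounts whose owner is unknown to HR or no longer active (includes unowned)."""
    return [a.username for a in accounts if not roster.get(a.owner_id, False)]


def idle_accounts(accounts, today):
    """Accounts with no login inside the idle window (never-used accounts count)."""
    cutoff = today - timedelta(days=IDLE_DAYS)
    return [a.username for a in accounts if a.last_login is None or a.last_login < cutoff]


def unapproved_accounts(accounts):
    """Accounts with no approval ticket to explain why the access exists."""
    return [a.username for a in accounts if not a.approval_ticket]


def review_overdue(accounts, today):
    """Accounts not certified within the review period (never-reviewed accounts count)."""
    cutoff = today - timedelta(days=REVIEW_PERIOD_DAYS)
    return [a.username for a in accounts if a.last_reviewed is None or a.last_reviewed < cutoff]


def privileged_unapproved(accounts):
    """Super-user accounts that lack either an owner or an approval record."""
    return [a.username for a in accounts
            if a.role in PRIVILEGED_ROLES and (not a.owner_id or not a.approval_ticket)]


def audit_findings(accounts, roster, today):
    """Group the checks by finding category, as an auditor's report would."""
    return {
        "orphan": orphan_accounts(accounts, roster),
        "idle": idle_accounts(accounts, today),
        "unapproved": unapproved_accounts(accounts),
        "review_overdue": review_overdue(accounts, today),
        "privileged_unapproved": privileged_unapproved(accounts),
    }


if __name__ == "__main__":
    for category, names in audit_findings(ACCOUNTS, HR_ROSTER, date(2024, 3, 15)).items():
        print(f"{category}: {names}")
```

Running the same reconciliation on a schedule, rather than once before an audit, is what turns these checks into the continuous controls the findings call for; the output lists are the work queue for decommissioning, re-approval and certification.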
Due to the highly regulated nature of the client’s business and the extensive regulatory audit findings that had been identified, a formal IAM program backed by a sophisticated IAM tool was needed for the client to remain in good standing with the SEC and CFTC, and most importantly, remain operational. A sound IAM program would help ensure the proper privileges and access credentials were associated with the correct internal/external personnel and business partners to help fortify the client’s operations and data management.

Previously, the client had relied on internal security analysts to oversee the manual creation, maintenance and decommissioning of user accounts within the computing environment, which left room for errors or oversights in regard to account maintenance and management. Additionally, while the client had a legacy IAM tool in place to aid in password synchronizations across internal directories, other functionalities had never been implemented, so the full benefits of the tool were never utilized.

The client sought a trusted IAM advisor to guide them in building and implementing a secure IAM program to address their IAM audit findings. The client also wanted a partner that could assist them in selecting an off-the-shelf IAM software product to replace the existing legacy tool responsible for password synchronization. A formalized IAM program backed by versatile IAM software would automate user account functions, help eliminate user maintenance errors, improve overall organizational efficiencies, and better protect the business from potential security threats and future audit issues.

Having previously partnered with TEKsystems Global Services® on a variety of projects, the client was aware of our dedicated Information Security Services practice and IAM expertise. The client’s director of security operations / security services met with practice leaders to discuss their IAM challenges and see how TEKsystems could help mitigate the challenges they faced. After hearing our proposed solution, and based on their confidence in our ability to deliver a mature IAM program, the client promptly selected TEKsystems without needing to consider alternate vendors.

Our solution consisted of three sequential components:

  1. Mapping Regulatory IAM Audit Findings
    To gain a better understanding of the client’s existing IAM processes and procedures, we would complete a thorough assessment of the regulatory audit findings. As part of this assessment, we would evaluate which findings could be addressed by an IAM tool and identify how an implemented tool would mitigate the security issues associated with each finding.
  2. Building the IAM Roadmap
    We would prepare a three-year IAM roadmap to establish and build a mature IAM program and to provide a framework to implement the selected IAM tool. The roadmap would detail future-state IAM projects, including centralizing access requests, enforcing consistent approval processes, automating manual access reviews and defining separation of duties (SoD) policy monitoring, which would aid in proactively avoiding audit violations and enhancing identity monitoring and maintenance.

    The roadmap would also outline initiatives to help improve the user experience. For example, we recommended that numerous and disparate access request portals be centralized in one system to minimize user confusion. In addition, implementing self-service capabilities would provide strategic business value to not only the client’s business but its end users. We would also review, define and update organizational policies and procedures to build a new identity governance foundation to guide all future IAM projects.

  3. Selecting an IAM Tool
    We would evaluate the functionality and features of commercially available IAM software solutions to determine the best identity governance and administration product for the client. The new IAM tool would replace manual, error-prone tasks associated with creating and maintaining user accounts. It also would replace the client’s existing legacy tool responsible for synchronizing passwords between internal directories.

Based on our assessment of the SEC’s and CFTC’s audit findings, we designed a comprehensive roadmap to guide the client in building a secure and robust IAM program. The custom, multiphased roadmap outlined ways to address and correct audit findings, including issues with access requests and access reviews, the cleanup of idle accounts and password management. Additionally, the roadmap provided ways to enhance the user experience and streamline IAM processes and procedures outside of issues noted in the audit findings.

Choosing a new IAM software suite to support roadmap initiatives and address audit findings was a critical component of our IAM solution. We outlined governance parameters under which the new IAM tool would operate—specifically defining and reviewing associated IAM business requirements and functionalities. We then identified key components and features an ideal IAM tool would have, and researched relevant identity governance and administration products available in the market. We assisted the client in meeting with software vendors to review products and compare functionality against our identified requirements. Based on these meetings, the client selected a new, robust tool.

Phase two of our solution involved implementing the new IAM tool. We assisted the client with defining business requirements and oversaw the installation and configuration of the tool as the client’s IAM subject matter expert. We then thoroughly tested the solution to ensure it complied with the client’s stated business requirements. The new IAM tool had a wide array of modules to centralize disparate IAM functions, including modules to govern access reviews and access requests, policy monitoring, and role management, among other core IAM functionalities. After the software was installed, configured and thoroughly tested, the client was able to utilize the tool to perform password synchronization and decommission their previous IAM tool.

The next phases of our solution will be implemented over the next several years in accordance with IAM initiatives outlined in the roadmap. While the original roadmap we prepared was based on three years, the nature of the client’s business dictated that numerous stakeholders were involved in key business decisions, which lengthened the time it took to implement major organizational changes. To accommodate this reality, we adjusted the timeline to more accurately align with the client’s pace of implementation. The revised roadmap will be rolled out over the next three to five years.

A key priority addressed in our roadmap was improving the client’s access review process. We recommended using the IAM tool to automate and streamline the process, incorporating business-friendly entitlement descriptions, so the appropriate certifiers would be alerted via email and given the ability to evaluate access from a centralized Web portal.

In addition to strengthening the access review process, we delivered a plan to establish sophisticated policy monitoring to better coordinate the decommissioning of user accounts and proactively reduce risks for future audits. Previously, changes to user accounts were sporadically reviewed, and generally inconsistencies or errors were only caught during an audit. Under the new module, policy violations will be flagged within the system in real time so any changes to user accounts can be implemented within days as opposed to months.
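The separation-of-duties policy monitoring mentioned in the roadmap and the real-time flagging described here come down to evaluating each entitlement change against a policy set at the moment it happens, and tying HR termination events to decommissioning. The class below is an added example, not the client's IAM tool or any vendor's module; the policy identifiers, entitlement names and users are constructed.

```python
"""Constructed example of policy monitoring: separation-of-duties (SoD) rules are
evaluated on every grant, and an HR termination event queues the account's
entitlements for removal, so violations surface at change time rather than at
the next audit. Policies, users and entitlements are constructed, not the client's."""
from collections import defaultdict

# SoD policies: pairs of entitlements one identity must not hold together (constructed)
SOD_POLICIES = {
    "SOD-001": ("payments.initiate", "payments.approve"),
    "SOD-002": ("trade.book", "trade.settle"),
    "SOD-003": ("iam.request", "iam.approve"),
}


class PolicyMonitor:
    def __init__(self, policies):
        self.policies = policies
        self.entitlements = defaultdict(set)   # user -> entitlements currently held
        self.violations = []                   # (user, policy_id) pairs flagged so far
        self.decommission_queue = []           # (user, entitlement) pending removal

    def _conflicts(self, user):
        """Policy ids whose two entitlements are both held by the user right now."""
        held = self.entitlements.get(user, set())
        return [pid for pid, (a, b) in self.policies.items() if a in held and b in held]

    def grant(self, user, entitlement):
        """Apply a grant and return the SoD policies it newly violates (empty if clean)."""
        before = set(self._conflicts(user))
        self.entitlements[user].add(entitlement)
        new = [pid for pid in self._conflicts(user) if pid not in before]
        self.violations.extend((user, pid) for pid in new)
        return new

    def revoke(self, user, entitlement):
        self.entitlements[user].discard(entitlement)

    def terminate(self, user):
        """HR termination event: strip all access and queue it for decommissioning."""
        removed = sorted(self.entitlements.pop(user, set()))
        self.decommission_queue.extend((user, e) for e in removed)
        return removed

    def open_violations(self):
        """Flagged violations that still hold given current entitlements."""
        return sorted((u, p) for u, p in set(self.violations) if p in self._conflicts(u))


if __name__ == "__main__":
    m = PolicyMonitor(SOD_POLICIES)
    m.grant("alice", "payments.initiate")
    print("flagged:", m.grant("alice", "payments.approve"))   # SOD-001 at grant time
    print("after termination:", m.terminate("alice"), m.open_violations())
```

Because `grant` reports the violation as its return value, an access-request workflow can block or route the request for exception approval before the access exists, which is the difference between catching inconsistencies in days and finding them months later in an audit.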

To help enhance the overall user experience, we recommended implementing several self-service features, including self-service password reset. The new module will give users the ability to answer security questions to independently reset their passwords / unlock their accounts. This functionality would help reduce the number of password-related calls to the help desk and improve end-user satisfaction.

We also recommended the client begin tracking IAM baselines so that as each new tool module is implemented, the director of security operations / security services would have evidence to show executive management a decrease in IAM audit findings, process improvements and cost reductions to justify the continued spend on the IAM program.

TEKsystems will support the client’s IAM program development over the next several years. Future roadmap components will continue to address existing audit findings, proactively avoid future IAM issues, mature the client’s IAM program and strengthen the overall security of the business.

IAM expertise

With a dedicated Information Security Services practice, we were able to provide the client with a comprehensive roadmap specific to their unique needs. Our seasoned practice professionals have more than a decade of experience in their field, which allowed them to draw on a wide breadth of past experiences and know which strategies really work. We made suggestions on ways to improve efficiencies, address audit findings and centralize many of the previously disparate IAM functionalities within the organization.

Flexibility

Aside from being a highly regulated financial services provider, the client is a private, nonprofit organization, which meant making weighty organizational decisions could be a lengthy process. Though our roadmap was originally positioned to take three years to implement, we evolved our solution to fit a more realistic timeline of five years given the conditions within the client. We also were flexible in working within the client’s timeline and coordinating the new IAM tool’s implementation in conjunction with the third-party software vendor.

Trusting relationship

The client’s preexisting relationship with TEKsystems helped solidify this engagement. The client was confident in our abilities based on past TEKsystems Global Services projects, including in areas of applications management outsourcing and quality assurance and testing. Based on this relationship, the client felt they didn’t need to go through a formal RFP process prior to selecting TEKsystems to drive the formation of their IAM program.