Identity Crisis: Risk Across the Enterprise
Chris Hills MBA, CPP, CISM
ACE Program Manager, North America at Bosch | Author | Board Certified in Security Management | Former ASIS Regional VP | ASIS, Security Architecture & Engineering Council (SAEC) | Army Combat Veteran
Recently I presented on a topic called “Identity Crisis: Risk Across the Enterprise” to a couple of ASIS Chapters in the Northwest. The presentations have been well received and I thought I should post an article on the subject.
At its simplest, identity provides the basis for physical and logical access control decisions, and as such, the enterprise security architecture should reflect the quality of the identity information on which it acts. Accountability for enterprise risk is ingrained in the business risk management process; however, multiple identities housed in multiple disparate systems can be overlooked when evaluating risk. Yet this may be a huge risk, looming like an iceberg waiting to cause havoc in your organization's future. While presenting the subject of Identity and Access Management (IAM), I came across a great IAM Maturity Model (image above) developed by Gartner. The thing that stands out in my mind is the block I have circled in red, as this is where most companies find themselves in the IAM implementation process.
So, what exactly is Identity Access Management? IAM is the security discipline that enables the right individuals to access the right resources/areas at the right times for the right reasons.
Most organizations don't even know they have a problem. "Out of sight, out of mind" is certainly a simplification, though I can't think of another way to frame the risk picture. Every day I work with companies to bridge their logical and physical access control, encapsulating the whole corporate ecosystem from a security and risk management perspective.
As a security executive, you have three main choices, similar to a risk decision matrix: either someone else in your organization will implement some form of limited IAM, you will implement Physical Identity and Access Management (PIAM), or your organization will do nothing and accept the risk.
Innovative enterprise solution/security architect/DORA /CRA /Digital Compliance Strategy/ Ensure successful innovation projects in less time with more value
7 years
IAM Maturity Model (image above) developed by Gartner? No, they adapted the TOGAF maturity TRM. The Software Engineering Institute (SEI), a federally funded research and development center sponsored by the US Department of Defense and operated by Carnegie Mellon University, developed the original capability maturity model (SW-CMM, Capability Maturity Model for Software) in the early 1990s, which is still widely used today. 27 years later we seem to forget more; don't reinvent the wheel: https://pubs.opengroup.org/architecture/togaf8-doc/arch/chap27.html
The CISO Coach | Hall of Fame | Forrester, HBI, Datos | Speaker | Follow for posts about business, leadership & self-mastery | Coaching The Leadership Excellence Accelerator
7 years
Seeking maturity and continual improvement are keys to effective security management.
IDCUBE Rainmaker
7 years
Great information Chris Hills CPP, CRMP: "I came across a great IAM Maturity Model (image above) developed by Gartner. The thing that stands out in my mind is the block I have circled in red, as this is where most companies find themselves in the IAM implementation process."