Tech Practices Update
Here is the latest technology news from The Institute of Internal Auditors (The IIA):
The Institute Releases New Guide on Identity and Access Management
Properly identifying who has access to what information over a period of time is an important aspect of an organization's day-to-day work. Known as identity and access management (IAM), this process touches every part of the organization — from accessing a facility's front door to retrieving corporate financial data. To help chief audit executives (CAEs) and internal auditors understand an organization's IAM activities, The IIA recently released Identity and Access Management as part of its Global Technology Audit Guide (GTAG) series. Written in straightforward business language, each GTAG serves as a ready resource for CAEs and internal auditors on different technology-associated risks related to IT management, control, and security.
"Because identity access and management affects every business unit, internal auditors should understand ways that organizations can control access more effectively," says Sajay Rai, CISSP, CISM, partner in Ernst & Young LLP's Risk Advisory Services Practice and leader of the team who wrote the guide. "The purpose of this GTAG is to provide insight into what identity and access management means to an organization and to suggest internal audit areas for investigation."
As the guide explains, IAM processes are used to initiate, capture, record, and manage the user identities and related access permissions to a company's proprietary information. Therefore, as part of their work, auditors need to play an important role in helping organizations develop effective IAM processes and monitor their implementation. For instance, prior to conducting an IAM audit, auditors need to understand the organization's existing IAM structure, such as the company's business architecture and IAM policies, as well as the laws, regulations, and mandates for which compliance is necessary. When conducting the audit, internal auditors need to document the organization's identity and entitlement process and evaluate existing IAM activity controls.
Besides describing how to go about auditing IAM activities, the guide provides an IAM review checklist auditors can use during the audit. The guide also defines key IAM concepts and activities, such as:
"As an organization changes, so too should its use of identity and access management activities," Rai comments. "Therefore, as changes take place, management should be cautious that the process does not become too unwieldy and unmanageable or expose the organization to undue risk due to improper use of IT assets. As part of their work, internal auditors need to ask business and IT management what identity and access management processes are currently in place and how they are being administered."
To read or download Identity and Access Management, visit The IIA's GTAG page.