A Key Driver for IAM Initiatives: Regulatory Compliance

Regulatory Compliance

A key driver for IAM initiatives is regulatory compliance. The reason is simple: the access-control requirements in these frameworks (user registration and de-registration, access reviews, privilege management, password management) are exactly what IAM technologies are built to enforce, and in many cases the tools were developed with those controls in mind. The sections below map each IAM capability to the HITRUST control it supports and to the related controls in other frameworks.

Identity Manager (IDM)

Business Outcome:
Automated management of identity lifecycle processes (e.g. new hires and terminations).
  • Activate credentials on the start date
  • Deactivate credentials on the termination date
  • Workflows to manage immediate terminations
Business Outcome:
Application access management
  • Role-based access assignments
  • Request-based access assignments with approvals
  • Complete audit trail of access requests and approvals
  • Automated removal of access on terminations

HITRUST Control – 01.b User Registration – There shall be a formal documented and implemented user registration and de-registration procedure for granting and revoking access.

Related Controls in Other Frameworks: CMSR (HIGH) v2 IA-2(1), IRS Pub 1075 v2014, MARS-E v1 IA-2(1), NIST SP 800-53 R4 IA-2(1)
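As an added illustration of the lifecycle automation described above (this is example code written for this page, not GCA's or any IDM product's code), the script below reconciles a constructed HR feed against a constructed directory export and emits the activations, deactivations and orphan-account findings an auditor would expect to see as evidence for 01.b. The record layouts, user IDs and dates are assumptions; immediate terminations are sorted to the front so the out-of-band workflow handles them before routine changes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR system of record (constructed layout)."""
    user_id: str
    start: date
    end: Optional[date] = None   # None: still employed
    immediate: bool = False      # HR flagged a same-day (immediate) termination


@dataclass(frozen=True)
class Account:
    """One directory account as exported from AD/LDAP (constructed layout)."""
    user_id: str
    enabled: bool


@dataclass(frozen=True)
class Action:
    user_id: str
    action: str      # "provision" | "activate" | "deactivate" | "orphan"
    reason: str      # kept as the audit trail for the change
    urgent: bool = False


def reconcile(hr: List[HrRecord], directory: Dict[str, Account], today: date) -> List[Action]:
    """Return the changes needed so that each credential is enabled exactly
    between its start date and its termination date, and nothing stays
    enabled without an HR record behind it."""
    actions: List[Action] = []
    known = set()
    for rec in hr:
        known.add(rec.user_id)
        acct = directory.get(rec.user_id)
        started = rec.start <= today
        # Disable on the termination date itself, as the outcome above states.
        terminated = rec.end is not None and rec.end <= today
        should_be_enabled = started and not terminated

        if acct is None:
            if should_be_enabled:
                actions.append(Action(rec.user_id, "provision",
                                      "active in HR but no directory account"))
            continue
        if should_be_enabled and not acct.enabled:
            actions.append(Action(rec.user_id, "activate",
                                  f"start date {rec.start} reached"))
        elif not should_be_enabled and acct.enabled:
            if terminated:
                # An immediate termination must not wait for the nightly batch:
                # flag it urgent so the workflow handles it first.
                actions.append(Action(rec.user_id, "deactivate",
                                      f"termination date {rec.end} reached",
                                      urgent=rec.immediate))
            else:
                actions.append(Action(rec.user_id, "deactivate",
                                      f"start date {rec.start} not yet reached"))
    # Enabled accounts with no HR record are the classic leftover after a
    # manual termination; they get their own finding.
    for user_id, acct in directory.items():
        if user_id not in known and acct.enabled:
            actions.append(Action(user_id, "orphan", "enabled account with no HR record"))
    actions.sort(key=lambda a: (not a.urgent, a.user_id))
    return actions


def run_sample(today: date = date(2024, 7, 1)) -> List[Action]:
    """Constructed sample data; every name and date here is made up."""
    hr = [
        HrRecord("alice", date(2024, 1, 15)),                       # in good standing
        HrRecord("bob", date(2024, 3, 1), end=date(2024, 6, 30)),   # left yesterday
        HrRecord("carol", date(2024, 7, 1)),                        # starts today
        HrRecord("dave", date(2024, 7, 8)),                         # starts next week
        HrRecord("eve", date(2024, 1, 1), end=today, immediate=True),
        HrRecord("frank", date(2024, 5, 1)),                        # never provisioned
    ]
    directory = {
        "alice": Account("alice", True),
        "bob": Account("bob", True),
        "carol": Account("carol", False),
        "dave": Account("dave", True),               # enabled ahead of the start date
        "eve": Account("eve", True),
        "svc_legacy": Account("svc_legacy", True),   # nobody in HR owns this
    }
    return reconcile(hr, directory, today)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{'URGENT ' if a.urgent else ''}{a.action:<10} {a.user_id:<12} {a.reason}")
```

Run as a scheduled job against the real HR feed and directory export, the action list is the change set to apply and the reason column is the evidence that each change traces back to an HR event.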

Web Access Management (WAM)

Business Outcome:
Controlled access to internal and external network services.
  • Secure authentication mechanisms
  • Separate authentication mechanisms based on access sensitivity
  • Reduced use of passwords
  • Internal and external authentication and access management
Business Outcome:
Password management
  • Formal management process for passwords
  • Request-based access assignments with approvals
  • Simplified end-user password management
HITRUST Control – 01.i Policy on the Use of Network Services
Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment.

HITRUST Control – 01.r Password Management System
Systems for managing passwords shall be interactive and shall ensure quality passwords.

Related Controls in Other Frameworks: CMSR (HIGH) v2 IA-2(1), IRS Pub 1075 v2014, MARS-E v1 IA-2(1), NIST SP 800-53 R4 IA-2(1)

Identity Governance (IG)

Business Outcome:
Least-privilege access rights.
  • Manager-based access reviews
  • Decision audit trail
  • Automated remediation
Business Outcome:
Event-based access reviews
  • Automated access reviews for job transfers
  • Custom triggers for access reviews

HITRUST Control – 01.e Review of User Access Rights – All access rights shall be regularly reviewed by management via a formal documented process.

Related Controls in Other Frameworks: CMSR (HIGH) v2 IA-5(1), IRS Pub 1075 v2014, ISO/IEC 27002:2005 11.02.03, MARS-E v1 IA-5, NRS 603A-215.1
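To make the review mechanics concrete, the following added example (written for this page, not GCA's or any governance product's code) walks a constructed user through an event-based review: a department transfer opens a manager review of every entitlement the user holds, entitlements outside the new role's baseline are flagged, each decision is written to an audit trail, and revoked entitlements are removed automatically. The role baseline, department names, entitlement names and the user are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# Constructed role baseline: the entitlements each department is expected to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "finance": {"erp-ap", "erp-gl", "vpn"},
    "engineering": {"git", "ci", "vpn"},
}


@dataclass
class User:
    user_id: str
    manager: str          # the reviewer for this user's access
    department: str
    entitlements: Set[str]


@dataclass
class ReviewItem:
    user_id: str
    entitlement: str
    reviewer: str
    trigger: str
    flagged: bool              # outside the user's current role baseline
    decision: str = "pending"  # "pending" | "keep" | "revoke"


class AccessReview:
    """Manager-based access review with an audit trail and automated remediation."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.items: List[ReviewItem] = []
        self.audit: List[str] = []
        self._now = now

    def _log(self, actor: str, event: str) -> None:
        self.audit.append(f"{self._now().isoformat()} {actor}: {event}")

    def open_review(self, user: User, trigger: str) -> List[ReviewItem]:
        """One review item per entitlement; anything outside the baseline is flagged."""
        baseline = ROLE_BASELINE.get(user.department, set())
        new_items = [
            ReviewItem(user.user_id, ent, user.manager, trigger, flagged=ent not in baseline)
            for ent in sorted(user.entitlements)
        ]
        self.items.extend(new_items)
        self._log("system", f"opened review of {user.user_id} ({trigger}), "
                  f"{sum(i.flagged for i in new_items)} of {len(new_items)} outside baseline")
        return new_items

    def on_transfer(self, user: User, new_department: str) -> List[ReviewItem]:
        """Event-based review: a job transfer re-certifies everything the user holds."""
        old = user.department
        user.department = new_department
        return self.open_review(user, f"transfer {old}->{new_department}")

    def decide(self, item: ReviewItem, decision: str, actor: str) -> None:
        """Only the assigned reviewer may decide, and every decision is logged."""
        if actor != item.reviewer:
            raise PermissionError(f"{actor} is not the reviewer for {item.user_id}")
        if decision not in ("keep", "revoke"):
            raise ValueError(decision)
        item.decision = decision
        self._log(actor, f"{decision} {item.entitlement} for {item.user_id}")

    def remediate(self, user: User) -> Set[str]:
        """Remove every entitlement the reviewer revoked; returns what was removed."""
        revoked = {i.entitlement for i in self.items
                   if i.user_id == user.user_id and i.decision == "revoke"}
        user.entitlements -= revoked
        if revoked:
            self._log("system", f"removed {sorted(revoked)} from {user.user_id}")
        return revoked

    def pending(self, user_id: str) -> List[ReviewItem]:
        return [i for i in self.items if i.user_id == user_id and i.decision == "pending"]


def run_sample() -> dict:
    """Constructed scenario: bob moves from finance to engineering; the HR feed
    has already set his new manager, who becomes the reviewer."""
    review = AccessReview(now=lambda: datetime(2024, 7, 1, tzinfo=timezone.utc))
    bob = User("bob", manager="mgr-eng", department="finance",
               entitlements={"erp-ap", "erp-gl", "vpn"})
    items = review.on_transfer(bob, "engineering")
    for item in items:
        review.decide(item, "revoke" if item.flagged else "keep", actor="mgr-eng")
    removed = review.remediate(bob)
    return {"flagged": sorted(i.entitlement for i in items if i.flagged),
            "removed": sorted(removed), "remaining": sorted(bob.entitlements),
            "pending": len(review.pending("bob")), "audit": review.audit}


if __name__ == "__main__":
    for line in run_sample()["audit"]:
        print(line)
```

The same open_review call with a trigger such as "quarterly" serves the periodic review; custom triggers (a new entitlement granted outside the normal request path, a change of manager) are just further callers of it.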

Data Access Governance

Business Outcome:
Access management for data (file systems, databases, etc.)
  • Automated scanning for sensitive data
  • Automated workflow for detected sensitive data
  • Access reviews for unstructured data

HITRUST Control – 01.e Review of User Access Rights – Objective: to prevent unauthorized access to information held in application systems.

Related Controls in Other Frameworks: ISO/IEC 27002:2005 11.05.06

Privileged Access Management (PAM)

Business Outcome:
Enhanced security for your most sensitive accounts
  • Limited access to privileged accounts
  • Elimination of shared passwords
  • Secure vault for sensitive passwords with automated password rotation

HITRUST Control – 01.c Privilege Management
The allocation and use of privileges to information systems and services shall be restricted and controlled. Special attention shall be given to the allocation of privileged access rights, which allow users to override system controls.

Related Controls in Other Frameworks: CMSR (HIGH) v2 AC-2(13), MARS-E v1 AC-2(2), NIST SP 800-53 R4 AC-2(1)

Stay Compliant with GCA

At GCA, we offer free workshop services to dig into the regulatory compliance controls your organization needs to meet. Schedule a 15-minute initial call to discuss how GCA can assist in meeting your controls today.