IAM on Sinetris's viewpoints

Frameworks

2025-03-17T10:39:53+00:00

2025-03-17T10:39:53+00:002025-03-17T10:39:53Zhttps://sinetris.info/topics/iam/grc/frameworks/#atom

Requirements and Regulations

GDPR: General Data Protection Regulation
BaFin: Bundesanstalt für Finanzdienstleistungsaufsicht

English translation: Federal Financial Supervisory Authority
MaRisk: Mindestanforderungen an das Risikomanagement

English translation: Minimum Requirements for Risk Management
BAIT: Bankaufsichtliche Anforderungen an die IT

English translation: Supervisory Requirements for IT in Financial Institutions
ISO/IEC 27001: Information security management systems - Requirements
ISO/IEC 24760: IT Security and Privacy - A framework for identity management
KRITIS: Kritische Infrastrukturen

English translation: Critical Infrastructures
MiCA: Markets in Crypto-Assets Regulation
DORA: Digital Operational Resilience Act

Good reads and presentations

BAIT: Clearer Guidelines as a Basis for More Effective Implementation

GRC

2025-03-17T10:37:00+00:00

2025-03-17T10:37:00+00:002025-03-17T10:37:00Zhttps://sinetris.info/topics/iam/grc/#atom

Governance, Risk management and Compliance

Advices

2023-07-16T18:20:00+00:00

2023-07-16T18:20:00+00:002023-07-16T18:20:00Zhttps://sinetris.info/topics/iam/iga/considerations/#atom

Assets and people

Ensure to have proper Orphan Account Monitoring (for example, people leaving the company) and delegation (for example, people in sick or parental leave) for people assigned to managing assets (Asset Owners, Application Administrators, Infrastructure Administrators, etc). Take into consideration that people might be out of office because in vacation, out sick, at a conference, etc.

Identity Lifecicle Management

2023-07-16T18:20:00+00:00

2023-07-16T18:20:00+00:002023-07-16T18:20:00Zhttps://sinetris.info/topics/iam/iga/identity-lifecicle-management/#atom

HR-Driven Identity Lifecycle

The HR department is the one that knows who is joining, who is leaving, who is moving to another job within the company, who is on vacation, sick leave, parental leave, etc. Their system should expose for each employee at least the name that should be used for them within the company (might be diﬀerent from their legal name, which is only required by HR to sign contracts), the start and end dates (if applicable) of the contract, department, role, line manager, and absences.

Identity Security

2023-07-16T18:20:00+00:00

2023-07-16T18:20:00+00:002023-07-16T18:20:00Zhttps://sinetris.info/topics/iam/iga/identity-security/#atom

Orphan Account Monitoring

It’s important to find missing identity associations or assets assigned to wrong identities (for example off-boarded employees).

Examples:

An account is associated to an asset but is not assigned to any identity
- All accounts should be associated with one (and only one ) identity.
- If the system allow only one account (for example only one admin), access to that account should happen trough a system that keep track of all actions (see PAM and Just-in-time credentials).
- If credentials to the account are shared it will be hard to know who performed an action.
Asset role (for example Owner or Admistrator) assigned to an Identity that left the company
Employee assigned to a line manager that transferred to a different department

Adaptive Authentication

Varying authentication methods based on runtime evaluation of risk factors.