https://sinetris.info/categories/iam/Recent content in IAM on Sinetris's viewpointsSine Die theme for Hugoenduilio@sinetris.info (Duilio Ruggiero)Mon, 17 Mar 2025 10:39:53 GMThttps://sinetris.info/topics/iam/grc/frameworks/Mon, 17 Mar 2025 10:39:53 GMThttps://sinetris.info/topics/iam/grc/frameworks/<h2 id="requirements-and-regulations">Requirements and Regulations</h2> <ul> <li> <a href="https://gdpr-info.eu/" rel="external">GDPR</a>: General Data Protection Regulation</li> <li> <a href="https://www.bafin.de/" rel="external">BaFin</a>: Bundesanstalt für Finanzdienstleistungsaufsicht <blockquote> <p>English translation: <a href="https://www.bafin.de/EN/" rel="external">Federal Financial Supervisory Authority</a></p> </blockquote> </li> <li> <a href="https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Rundschreiben/2023/rs_05_2023_MaRisk_BA.html" rel="external">MaRisk</a>: Mindestanforderungen an das Risikomanagement <blockquote> <p>English translation: <a href="https://www.bafin.de/SharedDocs/Downloads/EN/Rundschreiben/dl_rs_0523_marisk_ba_en.html" rel="external">Minimum Requirements for Risk Management</a></p> </blockquote> </li> <li> <a href="https://www.bafin.de/dok/10171052" rel="external">BAIT</a>: Bankaufsichtliche Anforderungen an die IT <blockquote> <p>English translation: <a href="https://www.bafin.de/SharedDocs/Downloads/EN/Rundschreiben/dl_rs_1710_ba_BAIT_en.html" rel="external">Supervisory Requirements for IT in Financial Institutions</a></p> </blockquote> </li> <li> <a href="https://www.iso.org/standard/27001" rel="external">ISO/IEC 27001</a>: Information security management systems - Requirements</li> <li> <a href="https://standards.iso.org/ittf/PubliclyAvailableStandards/c077582_ISO_IEC_24760-1_2019(E).zip" rel="external">ISO/IEC 24760</a>: IT Security and Privacy - A framework for identity management</li> <li> <a href="https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/Kritische-Infrastrukturen/kritis_node.html" rel="external">KRITIS</a>: Kritische Infrastrukturen <blockquote> <p>English translation: <a href="https://www.bsi.bund.de/EN/Themen/Regulierte-Wirtschaft/Kritische-Infrastrukturen/kritis_node.html" rel="external">Critical Infrastructures</a></p> </blockquote> </li> <li> <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114" rel="external">MiCA</a>: Markets in Crypto-Assets Regulation</li> <li> <a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en" rel="external">DORA</a>: Digital Operational Resilience Act</li> </ul> <h2 id="good-reads-and-presentations">Good reads and presentations</h2> <ul> <li> <a href="https://www.kuppingercole.com/blog/reinwarth/bait-clearer-guidelines-as-a-basis-for-more-effective-implementation" rel="external">BAIT: Clearer Guidelines as a Basis for More Effective Implementation</a></li> </ul>https://sinetris.info/topics/iam/grc/Mon, 17 Mar 2025 10:37:00 GMThttps://sinetris.info/topics/iam/grc/Governance, Risk management and Compliancehttps://sinetris.info/topics/iam/iga/considerations/Sun, 16 Jul 2023 18:20:00 GMThttps://sinetris.info/topics/iam/iga/considerations/<h2 id="assets-and-people">Assets and people</h2> <p>Ensure to have proper Orphan Account Monitoring (for example, people leaving the company) and delegation (for example, people in sick or parental leave) for people assigned to managing assets (Asset Owners, Application Administrators, Infrastructure Administrators, etc). Take into consideration that people might be out of office because in vacation, out sick, at a conference, etc.</p>https://sinetris.info/topics/iam/iga/identity-lifecicle-management/Sun, 16 Jul 2023 18:20:00 GMThttps://sinetris.info/topics/iam/iga/identity-lifecicle-management/<h2 id="hr-driven-identity-lifecycle">HR-Driven Identity Lifecycle</h2> <p>The HR department is the one that knows who is joining, who is leaving, who is moving to another job within the company, who is on vacation, sick leave, parental leave, etc. Their system should expose for each employee at least the name that should be used for them within the company (might be different from their legal name, which is only required by HR to sign contracts), the start and end dates (if applicable) of the contract, department, role, line manager, and absences.</p><div>[Truncated]</div>https://sinetris.info/topics/iam/iga/identity-security/Sun, 16 Jul 2023 18:20:00 GMThttps://sinetris.info/topics/iam/iga/identity-security/<h2 id="orphan-account-monitoring">Orphan Account Monitoring</h2> <p>It’s important to find missing identity associations or assets assigned to wrong identities (for example off-boarded employees).</p> <p>Examples:</p> <ul> <li> <p>An account is associated to an asset but is not assigned to any identity</p> <ul> <li>All accounts should be associated with one (and only one ) identity.</li> <li>If the system allow only one account (for example only one admin), access to that account should happen trough a system that keep track of all actions (see PAM and Just-in-time credentials).</li> <li>If credentials to the account are shared it will be hard to know who performed an action.</li> </ul> </li> <li> <p>Asset role (for example Owner or Admistrator) assigned to an Identity that left the company</p> </li> <li> <p>Employee assigned to a line manager that transferred to a different department</p> </li> </ul> <h2 id="adaptive-authentication">Adaptive Authentication</h2> <p>Varying authentication methods based on runtime evaluation of risk factors.</p> <div>[Truncated]</div>