
Identity and Access Management and Compliance

September 24, 2021

By Marcos Paulo de Freitas

What is Identity and Access Management?

Identity and Access Management (IAM) is the security discipline that encompasses the practices that help your company ensure the protection and privacy of its data. The main objective of this discipline is to ensure that users have the minimum access to your company's resources (for example, systems, network directories and databases) that is adequate for them to perform their activities, minimizing, among other risks, the risk of improper access to, alteration of and sharing of information.

Challenges and Compliance:

Establishing a strategy and implementing Identity and Access Management controls is not a simple task. With the growth of cloud-based systems, the use of software as a service (SaaS) and the adoption of Bring Your Own Device (BYOD) policies, users can access your company's resources from anywhere and from any device, which increases the complexity of controlling and managing access for the team responsible.

It is also important to mention that more and more regulations include among their requirements practices related to Identity and Access Management that companies must adopt. This discipline must therefore be put into practice by your company not only to protect its data, but also as a way to ensure compliance with the regulations applicable to your business and to avoid possible sanctions or fines.

Regulations

We highlight below some regulations that include requirements related to Identity and Access Management and that may be applicable to, and need to be observed by, your company:

Sarbanes-Oxley (SOX)

Law aimed at companies that provide financial services (for example, banks and insurance companies) and at any company with shares registered with the SEC (the United States Securities and Exchange Commission).

Section 404 of the Act specifically requires companies to establish, test and document adequate internal controls for preparing financial reports and for protecting the integrity of the financial information contained in those reports.

Payment Card Industry Data Security Standard (PCI DSS)

A data security standard for the payment card industry, created in 2004.

The PCI DSS is comprised of a set of security requirements and procedures aimed at protecting cardholders' personal information and, therefore, reducing the risk of fraud or data theft.

General Data Protection Regulation (GDPR)

European law for the protection and privacy of personal data, in force since 2018, which sets requirements to be observed by any company that processes the personal data of European citizens. To clarify, data processing means any operation carried out on data about a natural person that identifies, or makes it possible to identify, that person. That is, access, collection, use, transfer, processing, storage, modification and deletion, among various other operations, are all considered personal data processing and need to comply with the requirements of the Law.

The GDPR requires companies to justify the need to request personal data from their users and customers, and to demonstrate how that data is used and protected. In case of violation, it provides for fines of up to 4% of the company's annual turnover or 20 million euros.

General Data Protection Law (LGPD)

Brazilian legislation, inspired by the GDPR, which regulates the processing of personal data by companies throughout the country.

Like the GDPR, the LGPD provides for fines and sanctions against companies in cases of violation. For leakage or misuse of personal data, these can reach 2% of revenue, capped at R$ 50 million.

Main Requirements:

Considering the market regulations mentioned above, we highlight the main requirements related to Identity and Access Management that should be implemented to protect your company's information and ensure compliance:

  • A documented and well-structured process for granting, revoking and updating the access of your collaborators;
  • Access management based on employees' job roles, applying the principle of least privilege;
  • A periodic review (critical analysis) process for users' access to your company's resources;
  • Policies and controls that ensure proper segregation of duties;
  • Robust password policies, complemented by multi-factor authentication;
  • Controls that ensure the traceability of access (such as audit logs).

Other practices that can support your company in protecting its information and complying with regulations are Single Sign-On (SSO) systems, password management systems, and user awareness training so that users do not share their login credentials.

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high added value solutions through projects that fully meet the needs of the business. We can support your company in structuring and operationalizing the Identity and Access Management process and controls (for example, mapping access profiles, developing a critical access risk matrix, building and maintaining an inventory of non-named (generic) accounts, and designing and testing the effectiveness of controls), minimizing the risk of improper access, information leakage or non-compliance with regulatory requirements.

Additionally, we have several strategic partnerships, among them E-TRUST (the only Latin American company mentioned in the Gartner Magic Quadrant for Identity Governance and Administration since 2011), which has 20 years of experience in Identity Management support projects and provides automated solutions for Identity Management, Governance, Provisioning and Single Sign-On.

— Marcos Paulo is GRC and Information Security Manager at [SAFEWAY]

About Safeway:

SAFEWAY is an Information Security company, recognized by its customers for offering high added value solutions through Information Security projects that fully meet the needs of the business. Over these years of experience, we have proudly accumulated many successful projects that have given us credibility and prominence among our clients, many of which are among the 100 largest companies in Brazil.

Today, through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!