The periodic review of user access privileges in order to validate that access privileges align with a user’s job function and conform to policy guidelines. Access certifications are commonly used as an internal control to ensure compliance with Sarbanes-Oxley and other regulations.
The system controls and surrounding processes that grant or deny parties the capability and opportunity to access systems (i.e., gain knowledge of or to alter information or material on systems).
Systems or processes used to control authentication and authorization to resources within an organization, such as files, applications, systems, devices, etc. Access management is often based on a role and rule evaluation system to grant or deny access to an object in the organization.
The access rights that a user has to a system resource, such as the right to access, view, modify, create, or delete.
Systems or processes used to request new access, make changes to existing access, or remove access to resources within an organization.
A set of processes to manage user accounts in connected systems. This primarily involves the creation, modification, and deletion of accounts in each connected system so that the accounts stay aligned with the identities they represent.
Microsoft’s directory service, which provides authentication and authorization for Windows domains, Windows-based resources, and applications that integrate with it.
A means to monitor user actions (e.g., access to systems, modifications to data) using log data collected from systems or applications.
The collection and correlation of identity data from enterprise applications into a centralized identity data repository.
Application store or app store
A service that allows users to browse and download applications.
A business process that automates gathering approvals from authorized users for requested changes to identity artifacts such as user access rights or role definition.
A claim, such as to be a particular identity or a member of a group. Usually requires proof via a credential, e.g., a user ID and password pair.
Alternate term for access certification, the periodic review of user access privileges in order to validate that access privileges align with a user’s job function and conform to policy guidelines.
A single piece of information associated with a digital identity. Examples of attributes are name, phone number, and institution affiliation. Each piece of identifying information about a user can be thought of as an attribute of that user. Users have identity attributes, each of which may be stored on one […]
The independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Auditor’s finding that an IT control is not effective. The term is commonly used in SOX audits to flag a control deficiency that could adversely affect the company’s ability to report external financial data reliably.
A log that captures a record of events that have occurred within a system or application. For example, an audit log may contain all logins made to the system, the name of the persons making the logins, the time the logins occurred, etc.
The process of establishing confidence in the validity of a claimant’s presented identifier, usually as a prerequisite for granting access to resources in an information system.
The system that contains the definitive online value for a particular identity attribute. In some cases, a system is authoritative because it creates the value (for example, employee ID number). In other cases, a system is authoritative because it is the place where a user must go to enter the […]
The process of granting or denying access to an information resource based on defined policy.
A set of banking regulations put forth by the Basel Committee on Banking Supervision, which sets standards for finance and banking internationally. Basel II attempts to integrate Basel capital standards with national regulations by setting the minimum capital requirements of financial institutions, with the goal of mitigating financial and operational risks.
A physical trait or behavioral characteristic that can be used for the purposes of identification or verification. A good biometric should be unique to an individual, stable over time, quick and easy to present and verify, and not be easily duplicated by artificial means.
The successful defeat of security controls, which could result in an unauthorized penetration of a system or application; a violation of controls of a particular system such that information assets or system components are unduly exposed.
The advanced planning and preparation required to ensure that an organization can maintain essential operations in the event of a disaster, emergency, or other unexpected event that causes significant disruption.
Bring Your Own Application refers to the policy of permitting employees to access personal application accounts (e.g., Facebook, LinkedIn, TripIt) while in the workplace.
Bring Your Own Device refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged company information and applications.
See Access Certifications
Computing service that is delivered over the Internet with three distinct characteristics: the service is sold on demand; the service is elastic — a user can have as much or as little of a service as they want at any given time; and the service is fully managed by the […]
Conforming to a specification or policy, standard or law that has been clearly defined. Policies can be derived from internal directives, procedures and requirements, or from external laws, regulations, standards and agreements. These laws can have criminal or civil penalties or can be regulations.
Using processes and tools to meet compliance requirements in an automated, consistent, and predictable manner, rather than treating compliance as a one-time event.
The process of combining identity data from disparate data sources into a common schema that represents an identity. Identities can be linked automatically to application accounts and access rights using correlation rules or manually using a tool to establish the correct links.
A means to authenticate a claimed identity, usually meaning the private part of a paired identity assertion (user ID is usually the public part). Credentials can change over time and may be revoked.
A comma-separated values file is a plain-text data file that stores tabular data: each line holds one record, and the fields of a record are separated by commas. CSV files are commonly used to exchange identity and account data between systems.
Any unauthorized access of computer systems, digital devices, or networks that explicitly intends to alter, block, control, delete, destroy, disable, disrupt, expose, manipulate, or steal data, applications, or other digital assets.
Occurs through compromised confidentiality or integrity of information or information technology and can result in financial losses, negative operational impacts, and damages to systems, organizations, governments, and people.
A term that covers the many tools, systems, practices, processes, and procedures that are combined to protect digital resources (e.g., hardware, software, networks, data) from external cyber threats and nuisances, malicious insiders, and careless users.
A reporting mechanism that aggregates and displays metrics and key performance indicators (KPIs), enabling them to be examined at a glance by all manner of users before further exploration via additional business intelligence (BI), performance management (PM), and analytics tools.
A method of managing data throughout its existence, from collection to utilization to final disposition, in ways that support, benefit, and protect the ever-evolving enterprise.
A facility used to house computer systems and associated components, such as servers (e.g., web servers, application servers, database servers), switches, routers, data storage devices, load balancers, wire cages or closets, vaults, racks, and related equipment.
A process where a reviewer or approver can pass his or her decision authority to another user, either temporarily or permanently.
A procedure, possibly aided by automation, that is used to identify events (undesirable or desired), errors and other occurrences that an enterprise has determined to have a material effect on its business.
An individual’s digital version of their analog identity, consisting of multiple accounts, credentials, entitlements, behaviors, and usage patterns associated with an individual.
A shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.
A specific value for an account attribute, most commonly a group membership or a permission. A security entitlement is a right granted to a user’s account on a given system to access some data or function.
An access control vulnerability that results from workers accruing access privileges over time through transfers, promotions, or simply through the normal course of business. When workers accrue entitlements beyond what they actually need to do their job, organizations become exposed to unnecessary business risks.
A mechanism for centrally defining the applications and services to which a user may be given authorization. It is the process of granting, resolving, enforcing, revoking and administering fine-grained access entitlements (also referred to as “authorizations,” “privileges,” “access rights,” “permissions” and/or “rules”).
A process to alert, notify, or delegate an action when a reviewer or approver fails to respond to a request after a defined period of time.
Extensible access control markup language (XACML)
An open standard XML-based language designed to express security policies and access rights to information for Web services, digital rights management (DRM), and enterprise security applications.
A solution that simplifies secure user access by combining several components, including authentication, authorization, access control, intrusion detection and prevention systems (IDPS), and service providers.
A set of agreements which allow an organization to trust the authentication provided by a separate organization and provide authorization based on that authentication result. The goal of federation is to allow users to access resources in multiple organizations in a seamless manner.
The system of rules, practices and processes by which an organization is directed, measured and controlled.
Gramm-Leach-Bliley Act (GLBA)
Federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals. GLBA requires financial institutions to give customers written privacy notices that explain information sharing practices.
A collection of users used to simplify access control to computer systems. Traditionally, groups are static: one defines a group by individually selecting its members. In dynamic groups, however, all users who match specified search criteria (for example, an LDAP filter on department or location) are considered members of the group, so membership changes automatically as user attributes change.
Hierarchical role model
In role-based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the “employee” role. Above this may be roles “department manager” and “accountant,” which inherit all permissions of the “employee” role.
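The following is an added example (not code from the original page or from any vendor) that resolves the effective permissions of a role in a hierarchy like the bank illustration above. The role names, permission strings and hierarchy are constructed for illustration. Inherited permissions are collected by walking the role’s parents; a cycle in the hierarchy (which would make every role in the cycle grant the same permissions) is reported rather than silently looped over.

```python
"""Resolve effective permissions in a hierarchical role model.

Added example, not from the original glossary. The role model below is
constructed to mirror the bank illustration: "department manager" and
"accountant" both inherit from "employee", and a further "senior
accountant" role inherits from "accountant".
"""
from typing import Dict, Iterable, List, Set

# Constructed: role -> permissions granted directly by that role.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"intranet:read", "email:use"},
    "department manager": {"timesheets:approve", "hr:read-team"},
    "accountant": {"ledger:read", "ledger:post"},
    "senior accountant": {"ledger:approve"},
}

# Constructed: role -> roles it inherits from (its "parents" in the hierarchy).
ROLE_PARENTS: Dict[str, Set[str]] = {
    "department manager": {"employee"},
    "accountant": {"employee"},
    "senior accountant": {"accountant"},
}


def effective_permissions(
    role: str,
    permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS,
    parents: Dict[str, Set[str]] = ROLE_PARENTS,
) -> Set[str]:
    """Return the role's own permissions plus everything it inherits.

    Depth-first walk over the parent relation. A role that is reached while
    it is still on the current path means the hierarchy contains a cycle,
    which is a model error and is raised rather than tolerated.
    """
    result: Set[str] = set()
    path: List[str] = []      # roles on the current DFS path (cycle detection)
    finished: Set[str] = set()  # roles already fully expanded

    def walk(r: str) -> None:
        if r in path:
            raise ValueError("cycle in role hierarchy: " + " -> ".join(path + [r]))
        if r in finished:
            return
        if r not in permissions:
            raise KeyError("unknown role: %r" % r)
        path.append(r)
        result.update(permissions[r])
        for parent in parents.get(r, ()):
            walk(parent)
        path.pop()
        finished.add(r)

    walk(role)
    return result


def user_permissions(
    roles: Iterable[str],
    permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS,
    parents: Dict[str, Set[str]] = ROLE_PARENTS,
) -> Set[str]:
    """Union of effective permissions over all roles assigned to a user."""
    granted: Set[str] = set()
    for r in roles:
        granted |= effective_permissions(r, permissions, parents)
    return granted


if __name__ == "__main__":
    for r in ROLE_PERMISSIONS:
        print("%-20s %s" % (r, sorted(effective_permissions(r))))
```

The walk is what a certification reviewer needs when asked "what does this role actually grant?": the answer is the transitive closure over the hierarchy, not the handful of permissions listed on the role itself.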
HIPAA (Health Insurance Portability and Accountability Act)
Federal legislation enacted in the United States to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. HIPAA mandates security mechanisms to ensure confidentiality and data integrity of any information that personally identifies an individual.
Results when someone fails to comply with the rules defined in the 1996 Federal Health Insurance Portability and Accountability Act (HIPAA); the rules focus on protecting patients’ protected health information (PHI).
Hybrid IT is an approach to enterprise computing in which an organization provides and manages some information technology (IT) resources on-premises (in the datacenter) but uses cloud-based services for others.
IAM software that is hosted in the cloud, delivered as a cloud service, and managed by a third-party service provider.
Identity and access management (IAM)
Software that automates the business processes required to manage electronic identities and their related access permissions. This ensures that access privileges are granted according to one interpretation of policy and all individuals and services are properly authenticated, authorized and audited.
A multi-dimensional view of each identity and their associated access and attributes.
Identity management software that automates the rules, practices and processes to manage and control user access to critical applications and data. Identity governance allows organizations to improve accountability and transparency, meet compliance mandates and better manage risk.
A single value used (and usually generated) by an identity store to uniquely identify each identity.
Identity provider (IdP)
A system that creates, maintains, and manages identity information for principals (users, services, or systems) and provides principal authentication to other service providers (applications) within a federation or distributed network.
A system which maintains identity information. An identity store is often an authoritative source for some of the information it contains.
Technology that allows a user to communicate and use computer software and can include the display screen, keyboard, mouse, the appearance of the desktop, characters, colors, help messages, etc.
Processes designed to help organizations prevent and detect fraud and protect sensitive assets. Internal controls are usually a means by which an organization’s processes and IT resources are reviewed, monitored, and measured.
The process for implementing changes on target resources based on user lifecycle changes.
LDAP (Lightweight Directory Access Protocol)
Set of protocols for accessing information in directories. LDAP makes it possible for almost any application running on virtually any computer platform to obtain directory information.
A concept that seeks to restrict a user’s access (e.g., to data or applications) or type of access (e.g. read, write, execute, delete) to the minimum necessary to perform his or her duties.
A subset of artificial intelligence (AI) that allows systems to automatically identify features, classify information, find patterns in data, make determinations and predictions, and uncover insights.
Auditor’s finding that an IT control is severely deficient. The term is commonly used in SOX audits to indicate that a material misstatement of financials cannot be prevented or detected.
A network security practice that divides networks into smaller zones, or microsegments, by segmenting application workloads and securing them individually; a foundational element of a zero trust approach to security.
Model audit rule (MAR)
A mandate effective January 1, 2010 that requires non-public insurers in the United States to prove that they have effective controls over the integrity of financial systems and data. Similar to Sarbanes-Oxley, MAR requires more transparency, tighter adherence to internal controls and better corporate governance.
An authentication process that requires multiple elements. The elements are usually grouped into three categories: Something you know (a password, pass phrase, or PIN); something you have (a token or smart card); or, something you “are” (a fingerprint, voice print, or retina scan).
The second version of the NIS Directive, the European Union’s first cybersecurity directive; includes more sectors as well as guidelines for its uniform implementation across EU member states.
NIST Cybersecurity Framework
The National Institute of Standards and Technology, usually called NIST, is an agency that is part of the U.S. Department of Commerce. The NIST Cybersecurity Framework was created to improve the security of U.S. critical infrastructures, defined as the assets, systems, and functions deemed vital.
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
A framework developed to protect the ongoing reliability of the North American bulk power system that was approved in early 2008. The CIP standards require utilities to identify and secure their critical cyber assets.
An open standard for authorization. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end user). It also provides a process for end users to authorize third-party access to their server resources without sharing their credentials […]
A process for removing access when users, such as employees, contractors, partners, or customers, leave an organization.
On-premises or “on-prem”
Software that is installed and run on computers in the facility (building) of the person or organization using the software, rather than at a remote facility, such as a cloud service provider.
A process for granting access when users, such as new employees, contractors, partners, or customers, join an organization.
One-time password (OTP)
A password that is valid for only one login session or transaction, generated by an algorithm when a user needs to authenticate. The OTP is commonly delivered to the user’s mobile device (e.g., by SMS or an authenticator app) or generated on a security token.
An open standard that describes how users can be authenticated by a third-party service (an OpenID Provider) on behalf of the web sites and applications that rely on it (known as Relying Parties or RPs), obviating the need for those organizations to provide their own authentication systems and allowing users to consolidate their digital identities.
An open standard that performs many of the same tasks as OpenID, but does so in a way that is API-friendly and usable by native and mobile applications. The standard is a simple identity layer on top of the OAuth 2.0 protocol and allows clients to verify the identity of […]
An account belonging to a user who has since left the organization. Orphan accounts are a direct result of failure to remove access privileges when workers terminate or transfer jobs and are a frequent focus for IT auditors looking for security risks.
A form of secret authentication data that is used to control access to system services. It enables the holder of an electronic identifier to confirm that he or she is the person to whom the identifier was issued. A credential, something only the user knows and that the authenticator can […]
A set of requirements regarding password creation, storage, and usage. These requirements often constrain several characteristics of passwords.
A process or technology that allows users who have either forgotten their password or triggered a lockout to authenticate with an alternate factor and then define a new password.
A solution that takes a password from a user and changes the passwords on other resources to be the same as that password.
Payment Card Industry (PCI) Data Security Standard (DSS)
A standard developed by the PCI Security Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.
An authoritative, prescribed set of rules for conducting business that may be defined by an organization or by the outcome of regulatory mandates.
The set of preventive and detective controls that automatically ensure that defined policy is followed by the organization.
Rules that automatically enforce policy by checking an operation for policy violations before granting it.
An internal control that is used to prevent undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on its business.
A form of cloud computing that is used by only one organization or ensures that an organization’s cloud is completely isolated from others. When a service provider uses public cloud resources to create a private cloud, the result is called a virtual private cloud.
A privileged account is a login ID on a system or application which grants more powerful access rights than a normal user. Privileged accounts are typically used by system administrators to manage systems, or to run services on systems, or by one application to connect programmatically to another.
The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity. Automated user provisioning is intended to speed and simplify the administration of users and their access privileges. This is done by automating and codifying business processes such as onboarding and […]
A cloud computing environment that is open to the general public and delivered via the Internet, outside of any enterprise firewall. Public cloud computing uses cloud computing technologies to support customers that are external to the provider’s organization. Using public cloud services generates the types of economies of scale and […]
An action that transfers responsibility for performing an operation to a different person.
A process that periodically compares identity data in an Identity Management solution with the data actually present on managed resources. Reconciliation correlates account data and highlights differences and can invoke workflow to alert or make changes to the data.
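An added example (not from the original page or any product) that performs one reconciliation pass for a single managed resource, applying the correlation step described under Correlation above and surfacing the orphan accounts described under Orphan account below. The identity records, accounts, and the two correlation rules (match on employee number first, then on e-mail address) are constructed for illustration; the workflow “actions” are just strings a real system would hand to its approval or deprovisioning workflow.

```python
"""Reconcile the accounts on one managed resource against the identity store.

Added example, not the glossary's or any vendor's code. All identity
records, accounts and correlation rules below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Identity:
    identity_id: str        # identifier generated by the identity store
    employee_number: str    # authoritative value from HR
    email: str
    status: str             # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    login: str
    employee_number: Optional[str] = None   # attribute read from the resource, if present
    email: Optional[str] = None


@dataclass
class ReconciliationReport:
    linked: Dict[str, str] = field(default_factory=dict)  # login -> identity_id
    orphans: List[str] = field(default_factory=list)      # accounts with no live owner
    missing: List[str] = field(default_factory=list)      # active identities with no account
    actions: List[str] = field(default_factory=list)      # items to raise to workflow


def correlate(account: Account,
              by_empno: Dict[str, Identity],
              by_email: Dict[str, Identity]) -> Optional[Identity]:
    """Correlation rules, applied in order of confidence (assumed for this example)."""
    if account.employee_number and account.employee_number in by_empno:
        return by_empno[account.employee_number]
    if account.email and account.email.lower() in by_email:
        return by_email[account.email.lower()]
    return None


def reconcile(identities: Iterable[Identity],
              accounts: Iterable[Account],
              resource: str) -> ReconciliationReport:
    """Compare resource accounts with the identity store and report differences."""
    identities = list(identities)
    by_empno = {i.employee_number: i for i in identities}
    by_email = {i.email.lower(): i for i in identities}
    report = ReconciliationReport()
    owners_seen: Set[str] = set()

    for acct in accounts:
        owner = correlate(acct, by_empno, by_email)
        if owner is None:
            # No identity claims this account: classic orphan, or an unregistered service account.
            report.orphans.append(acct.login)
            report.actions.append("%s: %s has no owner; disable and review" % (resource, acct.login))
        elif owner.status != "active":
            # Owner has left but the account survived offboarding.
            report.orphans.append(acct.login)
            report.actions.append("%s: %s belongs to terminated identity %s; deprovision"
                                  % (resource, acct.login, owner.identity_id))
        else:
            report.linked[acct.login] = owner.identity_id
            owners_seen.add(owner.identity_id)

    for ident in identities:
        if ident.status == "active" and ident.identity_id not in owners_seen:
            # The identity store says this person should exist on the resource but no account was found.
            report.missing.append(ident.identity_id)
            report.actions.append("%s: no account for active identity %s; check provisioning"
                                  % (resource, ident.identity_id))
    return report


# Constructed sample data for a single resource, "crm".
IDENTITIES = [
    Identity("I-100", "E1001", "alice@example.com", "active"),
    Identity("I-101", "E1002", "bob@example.com", "terminated"),
    Identity("I-102", "E1003", "carol@example.com", "active"),
]
ACCOUNTS = [
    Account("alice", employee_number="E1001"),           # matched by the strong rule
    Account("bob", email="Bob@Example.com"),             # matched by e-mail, but owner is gone
    Account("svc-etl"),                                  # nothing to correlate on
]

if __name__ == "__main__":
    for line in reconcile(IDENTITIES, ACCOUNTS, "crm").actions:
        print(line)
```

Matching on a value the authoritative source generated (the employee number) is preferred over matching on e-mail, because e-mail addresses get reused and re-assigned; an account that only correlates weakly is a candidate for manual linking, not for automatic deprovisioning.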
The act or process of remedying a compliance problem or issue, such as a policy violation.
A system, application, database, or other object under management by an identity management system.
Software that provides a single point of authentication to web servers on an internal network. The reverse proxy architecture has the advantage of not requiring software to be installed on each web application.
The act of removing a specified role or entitlement from a user based on a decision made by a reviewer during a certification.
The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur.
The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.
Risk management strategy
A risk management strategy is a framework for addressing how an organization plans to assess risks, respond to identified risks, continually watch for new risks, and monitor known risks.
A process to reduce either the probability or the consequences of a threat. Risk mitigation options can include eliminating vulnerabilities; strengthening internal controls; or reducing the magnitude of adverse impacts.
A method of applying varying levels of stringency to authentication processes based on the assessed risk of an access attempt, such as the sensitivity of the target system and the context of the request (device, location, time, behavior). As the level of risk increases, the authentication process becomes more comprehensive and restrictive.
A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization. A simple role is a collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems […]
The process of granting roles to users. A role may be implicitly assigned to a user, i.e., some database will include a rule of the form “users matching requirements X should be automatically assigned role Y.”
The periodic review of a role or roles in order to validate that the role contains the appropriate access privileges and that members of the role are correct. Role certifications are commonly used as an internal control and a way to prevent role proliferation.
The process of defining roles within a role model and mapping those roles to the appropriate set of access privileges based on business process and job function.
Role lifecycle management
The process of automating role creation, modification, retirement; role approvals; role certifications; and role analytics.
Roles and role assignment are unlikely to remain static for any length of time. Because of this, they must be managed — the entitlements associated with a role must be reviewed and updated and the users assigned the role, implicitly or explicitly, must be reviewed and changed. Role Management includes […]
A schematic description of roles that defines roles and role hierarchies, subject role activation, subject-object mediation, as well as constraints on user/ role membership and role set activation. A role model is a set of role definitions and a set of implicit or explicit role assignments.
A set of prescribed guidelines that may be defined by an organization or by the outcome of regulatory mandates.
Security Assertion Markup Language is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
Sarbanes-Oxley Act (SOX)
Also known as the “Public Company Accounting Reform and Investor Protection Act,” a law enacted in 2002 to protect investors by improving the accuracy and reliability of corporate financial disclosures. The regulation affects all companies listed on stock exchanges in the U.S.
An incident in which a private, protected, or confidential logical IT perimeter is entered without permission, resulting in unauthorized access to digital data, applications, services, networks, or devices.
Security information and event management (SIEM) technology
Security information management (SIM) provides log management—the collection, reporting and analysis of log data—to support regulatory compliance reporting, internal threat management and resource access monitoring. Security event management (SEM) processes event data from security devices, network devices, systems and applications in real time to provide security monitoring, event correlation and […]
Segregation of duties
Breaks tasks into at least two parts to ensure that no one person can perform actions unilaterally when the impact of irreversible effects exceeds an organization’s tolerance for error or fraud.
The process of allowing users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval.
Separation of duty (SoD)
An internal control designed to prevent fraud by ensuring that no one person has excessive control over one or more critical business transactions. It refers to mutually exclusive access or roles. This involves dividing responsibility for sensitive information or risky actions so that no individual acting alone can compromise a […]
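An added example (not from the original page or any product) that implements separation of duty as both a preventive and a detective control, covering the Segregation of duties and Separation of duty entries above. The rule set, entitlement names and approved exceptions are constructed; the point shown is that the same rule table serves a pre-grant check on an access request and a periodic sweep over existing assignments.

```python
"""Separation-of-duty (SoD) checks over entitlement sets.

Added example, not from the original glossary. Rule definitions,
entitlement names and exceptions are constructed for illustration.
Roles are assumed to have been expanded to entitlements already.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed "toxic combinations": holding every entitlement in a pair is a violation.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"ap:create-vendor", "ap:approve-payment"}): "Vendor creation and payment approval",
    frozenset({"ledger:post", "ledger:approve"}): "Posting and approving journal entries",
    frozenset({"iam:request-access", "iam:approve-access"}): "Requesting and approving own access",
}


def sod_violations(entitlements: Set[str],
                   rules: Dict[FrozenSet[str], str] = SOD_RULES) -> List[str]:
    """Return the description of every rule whose full combination is held."""
    held = set(entitlements)
    return [desc for combo, desc in rules.items() if combo <= held]


def check_request(current: Set[str], requested: str,
                  rules: Dict[FrozenSet[str], str] = SOD_RULES) -> Tuple[bool, List[str]]:
    """Preventive control: evaluate a request before it is granted.

    Only violations that the new entitlement would *introduce* are reported;
    pre-existing ones belong to the detective sweep, not to this request.
    """
    before = set(sod_violations(current, rules))
    after = sod_violations(current | {requested}, rules)
    introduced = [v for v in after if v not in before]
    return (len(introduced) == 0, introduced)


def detect_across_users(user_entitlements: Dict[str, Set[str]],
                        exceptions: Dict[str, Set[str]] = None,
                        rules: Dict[FrozenSet[str], str] = SOD_RULES) -> Dict[str, List[str]]:
    """Detective control: sweep current assignments, e.g. ahead of a certification.

    `exceptions` maps a user to rule descriptions that were approved with a
    compensating control; those are suppressed so the report shows only
    unmanaged violations.
    """
    exceptions = exceptions or {}
    findings: Dict[str, List[str]] = {}
    for user, ents in user_entitlements.items():
        open_violations = [v for v in sod_violations(ents, rules)
                           if v not in exceptions.get(user, set())]
        if open_violations:
            findings[user] = open_violations
    return findings


if __name__ == "__main__":
    ok, why = check_request({"ap:create-vendor"}, "ap:approve-payment")
    print("grant allowed:", ok, why)
```

The preventive check is what belongs in a self-service request workflow; the detective sweep is what belongs in a scheduled job feeding certifications, and it should be run after every bulk load or reconciliation, since entitlements that arrive by provisioning outside the request path bypass the preventive check entirely.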
A type of shared account that is used for application-to-application communications when secured access must be granted by one system to another system.
Refers to digital systems, devices (e.g., personal computers (PCs), laptops, tablets, and smartphones), software, applications (i.e., usually off-the-shelf packaged software), and services (i.e., predominately software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)) that are used within an organization without the knowledge of […]
A login ID on a system or application that is used by more than one human or machine user. Privileged accounts are often shared by administrators: for example, root, sa or Administrator.
Single sign-on (SSO)
An authentication process where the user can enter one username and password and have access to a number of resources within an enterprise, eliminating the need to separately authenticate and sign on to individual applications and systems.
A software distribution model in which applications are hosted by a vendor or service provider and made available to customers over the Internet, usually on a pay-as-you-go basis. SaaS software is owned, delivered and managed remotely by one or more service providers.
A risk-based regulatory framework that applies to all insurers in EU member states and has been in force since 2016. Solvency II seeks to instill risk awareness into the governance, operations, and decision-making of the European insurance business.
Method for determining a required level of authentication based on a defined policy set on a resource. Based on policy evaluation, the user can be required to step-up the level of authentication to access any given resource (e.g., use multi-factor authentication).
System for cross-domain identity management (SCIM)
An open standard used to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary create, read, update, and delete (CRUD) operations.
Third-party risk management
The process by which an organization identifies, assesses, and controls the risks arising from external parties, including vendors, business partners, service providers, suppliers, and contractors.
Threat detection and response
A set of cybersecurity practices and tools to identify malicious activities and neutralize or mitigate them before networks, systems, or sensitive data are compromised.
Either software or hardware used as an authentication factor to access an information system. Hardware tokens are small devices, typically either the size of a credit card or key fob, which compute a one-time password. A software token performs the same function as a hardware token except that it is […]
The availability of full information required for accountability, risk management, and collective decision making.
The formation, preservation, updating, and disposition of a user’s digital identity and access privileges for multiple resources at the same time, whether on-premises, in the cloud, or in a hybrid environment.
An IT security framework that requires all identities (people, devices, or any other entity designated as a user) to be authenticated, authorized, and continuously verified, whether the user is inside or outside the enterprise’s network, prior to and while accessing data and applications.