The webinar covers: • Access reviews? Which one and who? • The challenges of reviewing access rights • Improvement in your reviews campaigns Presenter: This webinar will be presented by Mr. Roseau. He is director of business development for In Fidem, a Canadian company based in Montreal, Quebec. He has been working in the IT sector for more than 8 years, as a security solution specialist. As a security consultant, Mr. Roseau has been working on numerous projects for several types of industries. Those projects were about strong authentication, data loss prevention, review processes and access rights governance. He is also certified ISO 27001 Lead Auditor and ISO 27005 Risk Manager. Link of the recorded session published on YouTube: https://youtu.be/Md5mtA3fzLY

1. Best Practices for Access Reviews -
How to Reduce Risks and Improve
Operational Efficiency
WEBINAR
2016

2. 2
Mathieu Roseau
Job Positions
Mathieu Roseau is a director of business development for In Fidem, a Canadian company based in
Montreal, Quebec. He's been working in the IT sector for more than 8 years, as a security solution
specialist. As a security consultant, M.Roseau has been working on numerous projects for several types
of industries.
514 699-6834
mathieu.roseau@infidem.biz www.infidem.biz
https://www.linkedin.com/in/mathieuroseau/en

3. In Fidem in an nutshell
3
GOVERNANCE, RISKS & COMPLIANCE (GRC)
Experts to help you manage your security governance, risks & compliance framework (GRC) around
the globe – PCI-DSS – SOX - ISO 27001 – NIST compliance – NERC CIP - and many others.
CYBER-MONITORING
To implement the right detection mechanisms of security issues before it’s too late. Experts to help
you to implement right incident management processes.
ERP & WEB APPLICATIONS SECURITY
To implement the right security measures into your business applications services & software
development life cycle (SDLC) – Training – Code Review – application security software's.
IDENTITY ANALYTICS & INTELLIGENCE
To ensure that people having access to your critical IT systems are the right persons & have the right
access level - Automation of regular accesses review for application & IT systems review.
FRAUD MANAGEMENT & FORENSIC INVESTIGATION
Fraud management systems & investigation methods designed to detect computer fraud and
preserve the integrity of the evidence collected.

4. Security is a business problem
FINANCIAL RISKS
REPUTATION RISKS
COMPLIANCE RISKS

5. Failure to adequately manage Access Rights is at the root of
most security incidents and compliance issues
55% of companies have been victims of a security incident over
the last 24 months
56% of fraudsters are internal workers and cause the most impact
Types of Security Incidents
PwC, Global Economic Crime Survey PwC, Global Information Security Survey
Top 3 Audit Findings
Deloitte, DTTL Global Financial Services Industry Security Study
Excessive access rights
Removal of access rights
Segregation of Duties
Internal
Employee
Excecutive Man
Age between
31 and 40
Employed for
more
than 3 years
Typical Fraudster
Security issues behind incidents

6. “PEBCAK Syndrom”

7. Access reviews & ISO 27002 controls
ISO Section Control
9 Access control
9.2 User access management Objective: To ensure authorized user access and to prevent unauthorized access
to systems and services.
9.2.5 Review of user access rights Asset owners should review users’ access rights at regular intervals.
a) users’ access rights should be reviewed at regular intervals and after any
changes, such as promotion, demotion or termination of employment (see
Clause 7);
b) user access rights should be reviewed and re-allocated when moving from
one role to another within the same organization;
c) authorizations for privileged access rights should be reviewed at more
frequent intervals;
d) privilege allocations should be checked at regular intervals to ensure that
unauthorized privileges have not been obtained;
e) changes to privileged accounts should be logged for periodic review.
This control compensates for possible weaknesses in the execution of controls
9.2.1, 9.2.2 and 9.2.6.

8. WHY you need it?
• An access review shows a person’s rights to access
an application comply with a company’s access
management policy.
WHO (should) carries out them?
• The unit in charge of security is often responsible
for preparing and organizing access reviews.
Access reviews & ISO 27002 controls

9. Different types of reviews
Organisational reviews
• Asking to a manager to validate the actual status of people identified to his team
Role review
• Asking to a manager to validate that people working in his team have access to the right systems
System rights review
• Asking to a system owner (or system superuser) to validate that people accessing the system have
the right level of authorisation into the system (least access principle)
And this for all your critical systems, applications, data, …

10. Challenges of reviewing access rights
1. Obtaining the information
• Getting an overall picture of people and of access rights
• Putting together an overall picture of people and of access
rights to an information system
Are you able today to obtain easily the information of
• Who works for you?
• What are their accesses?
• Which systems do they have access?
Cloud
systems
Unix
Windows
AS / 400
SQL
SAP
ERPs
HR
Etc.

11. Challenges you will facing off
2. How can you tell if an access
right is valid?
• Least access principle
• Segregation of duties principle
3. Data quality
• Is the data can be understood by a Manager ?
• Is the review can be audited?

12. 3 simple questions ? Not so simple…

13. Summary of good practices
• Simple is beautiful
• Max 15 minutes to perform for a manager
• Visibility on the security issues to be
reviewed by the managers
• Understood the issues surrounding the
validation process
• Free up the necessary time to validate the
data

14. How to perform that ?
1. Define a scope for the review
2. Reduce the amount of information
by
• Focus on the risks
• Limit to max 30 persons per reviews
• Implement incremental reviews, only
the changes recorded since the last full
review
3. Automate reviews
4. Do not use Excel spreadsheets
Good practice
means carrying
out a full
annual review
followed
reviews solely
of the changes.

15. Gartner Terminology
•Audit, Controls, Analyses and DashboardsIAI
Identity Analytics and Intelligence
•Roles and RecertificationIAG
Identity and Access Governance
•Account and password managementIAM
Identity and Access Management
Business
IT

16. Main Features
•Entitlements and granular permission analysis
•Audit controls (including SoD)
•Tracking of changes over time
•KPI and reporting Dashboards
IAI
Identity Analytics and Intelligence
•Access Rights Recertification Workflows
•Access Request Workflows
•Role Modelling
•Role provisioning
IAG
Identity and Access Governance
•Joiner/Leaver workflows
•Account provisioning
•Directory synchronization
•Password reset
IAM
Identity and Access Management
Business
IT

17. Data
Reconciliation
Cloud
Business
applications
ERP, HR, etc.
Security
systems
IAM, SIEM, etc.
User access
controls
(SoD, policies,
rules, etc.)
Brainwave uses BI analytics to correlate data
Report + Analysis :
• Who can access what?
• User privileges
• User access risks
• Which control is deficient?
• Am I compliant ?

18. Out of the box features
Reporting module
• Production of compliance reports
• User friendly interfaces to facilitate reviews
• Highlighting of risky situations
• Reviews limited to changes
• Automated corrections within systems

19. Automatic campaign management interfaces to increase productivity
Out of the box features
Access reviews module

20. Brainwave benefits
1. Can be set up in just a few weeks!
2. Includes numerous processes as
standard: reviews of people,
applications, rights by organizations,
etc.
3. Includes all management and
summary interfaces
4. Automatically publishes your summary
reports and compliance reports
Brainwave Identity GRC
help you reducing your
risk of fraud and
information leaks
You can rest assured
that you are abiding by
compliance regulations
easily

21. ?
QUESTIONS
THANK YOU
514 699-6834
mathieu.roseau@infidem.biz www.infidem.biz
https://www.linkedin.com/in/mathieuroseau/en