Support for corporate regulatory compliance

Support for corporate regulatory compliance

Compliance areas
Security Identity Manager addresses corporate regulatory compliance in the following key areas:

Provisioning and the approval workflow process
Audit trail tracking
Enhanced compliance status
Password policy and password compliance
Account and access provisioning authorization and enforcement
Recertification policy and process
Reports

Provisioning and the approval workflow process

ISIM provides support for provisioning, for user accounts and for access to various resources. Implemented within a suite of security products, ISIM plays a key role to ensure that resources are provisioned only to authorized persons. ISIM safeguards the accuracy and completeness of information processing methods and granting authorized users access to information and associated assets. ISIM provides an integrated software solution for managing the provisioning of services, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its provisioning features to control the setup and maintenance of user access to system and account creation on a managed resource.

At its highest level, an identity management solution automates and centralizes the process of provisioning resources. The solution includes operating systems and applications, and people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the provisioning policies and procedures. However, the organization tree used for provisioning resources does not necessarily reflect the managerial structure of an organization. Administrators at all levels can use standardized procedures for managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth of the provisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among various organizations.

The approval process can be associated with different types of provisioning requests, including account and access provisioning requests. Lifecycle operations can also be customized to incorporate the approval process.

Models for provisioning

Depending on business needs, ISIM provides alternatives to provision resources to authorized users on request-based, role-based, or hybrid models.

Approval workflows

Account and access request workflows are started during account and access provisioning. You typically use account and access request workflows to define approval workflows for account and access provisioning.

Account request workflows provide a decision-based process to determine whether the entitlement provided by a provisioning policy is granted. The entitlement provided by a provisioning policy specifies the account request workflow that applies to the set of users in the provisioning policy membership. Multiple provisioning policies might apply to the same user for the same service target. There might also be different account request workflows in each provisioning policy. The account request workflow for the user is based on the priority of the provisioning policy. If a provisioning policy has no associated workflow and the policy grants an account entitlement, the operations that are related to the request run immediately. For example, an operation might add an account.

However, if a provisioning policy has an associated workflow, that workflow runs before the policy grants the entitlement. If the workflow returns a result of Approved, the policy grants the entitlement. If the workflow has a result of Rejected, the entitlement is not granted. For example, a workflow might require a manager's approval. Until the approval is submitted and the workflow completes, the account is not provisioned. When you design a workflow, consider the intent of the provisioning policy and the purpose of the entitlement itself.

Tracking

ISIM provides audit trail information about how and why a user has access. On a request basis, ISIM provides a process to grant, modify, and remove access to resources throughout a business. The process provides an effective audit trail with automated reports.

The steps involved in the process, including approval and provisioning of accounts, are logged in the request audit trail. Corresponding audit events are generated in the database for audit reports. User and Account lifecycle management events, including account and access changes, recertification, and compliance violation alerts, are also logged in the audit trail.

Enhanced compliance status

Dormant accounts View a list of dormant accounts with the Reports feature. ISIM includes a dormant account attribute to service types we can use to find and manage unused accounts on services.
Orphan accounts Accounts on the managed resource whose owner in the ISIM Server cannot be determined are orphan accounts. These accounts are identified during reconciliation when the applicable adoption rule cannot successfully determine the owner of an account.
Provisioning policy compliance status Compliance status based on the specification of provisioning policy is available for accounts and access. An account can be either compliant, non-compliant with attribute value violations, or disallowed. An access is either compliant or disallowed.
Recertification status Available for user, account, and access target types, which indicates whether the target type is certified, rejected, or never certified. The timestamp of the recertification is also available.

Password policy and password compliance

Use ISIM to create and manage password policies. password policy defines the password strength rules used to determine whether a new password is valid. A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be five. The rule might specify that the maximum number of characters must be 10.

The ISIM administrator can also create new rules to be used in password policies.

If password synchronization is enabled, the administrator must ensure that password policies do not have any conflicting password strength rules. When password synchronization is enabled, ISIM combines policies for all accounts that are owned by the user to determine the password to be used. If conflicts between password policies occur, the password might not be set.

Provisioning policy and policy enforcement

A provisioning policy grants access to many types of managed resources, such as ISIM server, Windows NT servers, and Solaris servers.

Provisioning policy parameters help system administrators define the attribute values that are required and the values that are allowed.

Policy enforcement is the manner in which ISIM allows or disallows accounts that violate provisioning policies.
You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute.

Mark Set a mark on an account that has a noncompliant attribute.
Suspend Suspend an account that has a noncompliant attribute.
Correct Replace a noncompliant attribute on an account with the correct attribute.
Alert Issue an alert for an account that has a noncompliant attribute.

Recertification policy and process

A recertification policy includes activities to ensure that users provide confirmation that they have a valid, ongoing need for the target type specified (user, account, and access). The policy defines how frequently users must validate an ongoing need. Additionally, the policy defines the operation that occurs if the recipient declines or does not respond to the recertification request. ISIM supports recertification policies that use a set of notifications to initiate the workflow activities that are involved in the recertification process. Depending on the user response, a recertification policy can mark a user's roles, accounts, groups, or accesses as recertified. The policy can suspend or delete an account, or delete a role, group, or access.
Audits that are specific to recertification are created for use by several reports that are related to recertification:

Accounts, access, or users pending recertification List of recertifications that are not completed.
Recertification history Historical list of recertifications for the target type specified.
Recertification policies List of all recertification policies.
User recertification history History of user recertification.
User recertification policy List of all user recertification policies.

Reports
Security administrators, auditors, managers, and service owners in your organization can use one or more of the following reports to control and support corporate regulatory compliance:

Security Identity Manager Cognos reports. See report types
Accesses Report Show all access definitions in the system.
Approvals and Rejections Report Show request activities that were either approved or rejected.
Dormant Accounts Report Show the accounts that were not used recently.
Entitlements Granted to an Individual Report Show all users with the provisioning policies for which they are entitled.
Noncompliant Accounts Report Show all noncompliant accounts.
Orphan Accounts Report Show all accounts not having an owner.
Pending Recertification Report Show recertification events that can occur if the recertification person does not act on an account or access. This report supports filtering data by a specific service type or a specific service instance.
Recertification Change History Report Show a history of accesses (including accounts) and when they were last recertified. This report serves as evidence of past recertifications.
Recertification Policies Report Show the current recertification configuration for a specific access or service.
Separation of Duty Policy Definition Report Show the separation of duty policy definitions.
Separation of Duty Policy Violation Report Show the person, policy, rules violated, approval, and justification (if any), and who requested the violating change.
Services Report Show services currently defined in the system.
Summary of Accounts on a Service Report Show a summary of accounts on a specified service defined in the system.
Suspended Accounts Report Show the suspended accounts.
User Recertification History Report Show the history of user recertifications done manually (by specific recertifiers), or automatically (due to timeout action).
User Recertification Policy Definition Report Show the user recertification policy definitions.

All reports are available to all users when the appropriate access controls are configured. However, certain reports are designed specifically for certain types of users.

Designed for Available reports

Security administrators

Dormant Accounts
Orphan Accounts
Pending Recertification
Recertification History
Recertification Policies
User Recertification History
User Recertification Policies

Managers

Pending Recertification
Recertification History
Recertification Policies
User Recertification History
User Recertification Policies

Service owners

Dormant Accounts
Orphan Accounts
Pending Recertification
Recertification History
Recertification Policies
User Recertification History
User Recertification Policies

Auditors

Dormant Accounts
Orphan Accounts
Pending Recertification
Recertification History
Recertification Policies
User Recertification History
User Recertification Policies

End users, help desk, and developers None

Parent topic: Features overview

Dormant accounts	View a list of dormant accounts with the Reports feature. ISIM includes a dormant account attribute to service types we can use to find and manage unused accounts on services.
Orphan accounts	Accounts on the managed resource whose owner in the ISIM Server cannot be determined are orphan accounts. These accounts are identified during reconciliation when the applicable adoption rule cannot successfully determine the owner of an account.
Provisioning policy compliance status	Compliance status based on the specification of provisioning policy is available for accounts and access. An account can be either compliant, non-compliant with attribute value violations, or disallowed. An access is either compliant or disallowed.
Recertification status	Available for user, account, and access target types, which indicates whether the target type is certified, rejected, or never certified. The timestamp of the recertification is also available.

Mark	Set a mark on an account that has a noncompliant attribute.
Suspend	Suspend an account that has a noncompliant attribute.
Correct	Replace a noncompliant attribute on an account with the correct attribute.
Alert	Issue an alert for an account that has a noncompliant attribute.

Accounts, access, or users pending recertification	List of recertifications that are not completed.
Recertification history	Historical list of recertifications for the target type specified.
Recertification policies	List of all recertification policies.
User recertification history	History of user recertification.
User recertification policy	List of all user recertification policies.

Security Identity Manager Cognos reports.	See report types
Accesses Report	Show all access definitions in the system.
Approvals and Rejections Report	Show request activities that were either approved or rejected.
Dormant Accounts Report	Show the accounts that were not used recently.
Entitlements Granted to an Individual Report	Show all users with the provisioning policies for which they are entitled.
Noncompliant Accounts Report	Show all noncompliant accounts.
Orphan Accounts Report	Show all accounts not having an owner.
Pending Recertification Report	Show recertification events that can occur if the recertification person does not act on an account or access. This report supports filtering data by a specific service type or a specific service instance.
Recertification Change History Report	Show a history of accesses (including accounts) and when they were last recertified. This report serves as evidence of past recertifications.
Recertification Policies Report	Show the current recertification configuration for a specific access or service.
Separation of Duty Policy Definition Report	Show the separation of duty policy definitions.
Separation of Duty Policy Violation Report	Show the person, policy, rules violated, approval, and justification (if any), and who requested the violating change.
Services Report	Show services currently defined in the system.
Summary of Accounts on a Service Report	Show a summary of accounts on a specified service defined in the system.
Suspended Accounts Report	Show the suspended accounts.
User Recertification History Report	Show the history of user recertifications done manually (by specific recertifiers), or automatically (due to timeout action).
User Recertification Policy Definition Report	Show the user recertification policy definitions.

Designed for	Available reports
Security administrators	Dormant Accounts Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies
Managers	Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies
Service owners	Dormant Accounts Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies
Auditors	Dormant Accounts Orphan Accounts Pending Recertification Recertification History Recertification Policies User Recertification History User Recertification Policies
End users, help desk, and developers	None