Identity and Access Management Process - Mergers & Acquisitions
In mergers and acquisitions, identity management is the process of consolidating and managing multiple user identities from different organizations into a single identity. This can be a challenging task, as each organization usually has its own identity management system in place. To successfully manage identities in a merger or acquisition, it is important to have a clear understanding of the identity management systems and processes of each organization involved.
Provisioning New Access:
Access to Business internal tools is integrated with G Suite, AWS SSO, and Google SSO. Create a new request using the Internal Desk URL:
New Entitlement
All new access requests will be submitted through the current Business Internal service desk ticketing tool. Entitlements require both an account and a credential that is granted a right or privilege through membership in a group or role. Depending upon the maturity of the tool, the following data points will either be options to be chosen in the request form or will need to be provided within the body of the request.
NOTE: For all account and group types the request number for the creation request must appear in the description field of the entity. Failure to include the request number shall result in removal or disablement of the entity.
Account Types
There are five different account types: User, Client, Service, Admin, and Vault; the account type will have to be specified in the request. Sharing of accounts between individuals and/or teams is prohibited unless otherwise stipulated in the standard below.
NOTE: For all account types, the username shall be a minimum of six characters and a maximum of 256. Accounts/usernames with fewer than six characters will be “padded” with digits to meet the minimum. Those that exceed 256 characters will be truncated. The placement of digits within the username for padding purposes is specified in the subsections below.
User Account
A user account is an electronic credential assigned to a single individual who exists in the Business HR database as either an employee, contractor, or person of interest (POI). The individual is responsible for keeping the credential/password combination secure, and it is to be used only by the owner. This account should NOT be placed into groups that provide elevated access to files, applications, or devices.
NOTE: Temporary or test accounts shall be a copy of the requesting individual’s username, preceded by tmp_. An expiration date, not to exceed 180 days, shall be provided in the request for the account. If no expiration date is provided, the request shall be rejected.
Client Account
A client account is an electronic credential assigned to a single individual who DOES NOT exist in the Business HR database. The client team representative and the assigned individual are responsible for keeping the credential/password combination secure, and it is to be used only by the assigned client personnel.
Service Account
A service account is an electronic credential with ownership assigned to an individual or team for the purposes of running a service/application (NON-INTERACTIVE SERVICE) OR when multiple individuals need to log on with the same credential (INTERACTIVE SERVICE). The requesting team is responsible for keeping the credential/password combination secure and it is to be used only by the authorized personnel. SHARING INTERACTIVE SERVICE ACCOUNTS IS ALLOWED.
Admin or Privileged Account (Individual)
An admin account is an electronic credential assigned to a single individual who exists in the Business HR database as either an employee, contractor, person of interest (POI), or client-assigned personnel. The individual is responsible for keeping the credential/password combination secure, and it is to be used only by the owner. This account can be a member of any group that provides elevated privilege. SHARING OF NON-DEFAULT ADMIN ACCOUNTS IS PROHIBITED!
Vault Account (Shared Elevated Privilege)
A vault account is an electronic credential with ownership assigned to an individual or team, allowing different individuals to log on with the same privilege for the purpose of supporting an application or device. The vault is responsible for maintaining the credential/password combination and presenting it to individuals who properly authenticate into the vault and have been assigned access to the account.
Naming Standard:
Client user accounts shall use the SAM Account name. If a username is already in use, the name may be appended with a number.
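The account-type, username-length, temporary-account and naming rules above can be enforced at request time before a ticket reaches the fulfillment team. The following is an added example written for this page; it is not Business's own tooling. It assumes that padding digits are appended as a suffix (the subsection that specifies placement is not on the page), that de-duplication appends the lowest free number while trimming the base so the result still fits in 256 characters, and that requests arrive as plain records with ISO dates.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_LEN, MAX_LEN = 6, 256          # username bounds from the standard above
TMP_MAX_DAYS = 180                 # longest permitted life of a tmp_ account
ACCOUNT_TYPES = {"user", "client", "service", "admin", "vault"}


@dataclass
class AccountRequest:
    ticket: str                    # Service Desk request number; goes into the description attribute
    account_type: str
    requested_name: str
    requester: str                 # requester's existing username; tmp_ accounts copy it
    submitted: str                 # ISO date the request was submitted
    temporary: bool = False
    expires: Optional[str] = None  # ISO date; mandatory for temporary accounts


def normalize_username(name: str) -> str:
    """Lower-case, pad short names with digits (assumed: appended as a suffix), truncate long ones."""
    name = re.sub(r"\s+", "", name).lower()
    if len(name) < MIN_LEN:
        name += "0" * (MIN_LEN - len(name))
    return name[:MAX_LEN]


def allocate_username(base: str, existing: set) -> str:
    """Return base if unused; otherwise append the lowest free number, trimming base so the
    result still fits in MAX_LEN (assumed reading of 'may be appended with a number')."""
    if base not in existing:
        return base
    n = 1
    while True:
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if candidate not in existing:
            return candidate
        n += 1


def _reject(reason: str) -> dict:
    return {"accepted": False, "username": "", "description": "", "reason": reason}


def validate(req: AccountRequest, existing: set) -> dict:
    """Apply the request rules: known account type, request number present, temporary-account
    naming and expiry, then username normalisation and de-duplication against existing names."""
    if req.account_type not in ACCOUNT_TYPES:
        return _reject(f"unknown account type {req.account_type!r}")
    if not req.ticket.strip():
        return _reject("request number is required and must appear in the description")
    submitted = date.fromisoformat(req.submitted)
    if req.temporary:
        if req.expires is None:
            return _reject("temporary accounts require an expiration date")
        lifetime = (date.fromisoformat(req.expires) - submitted).days
        if lifetime < 1 or lifetime > TMP_MAX_DAYS:
            return _reject(f"expiration must be 1 to {TMP_MAX_DAYS} days after submission")
        base = ("tmp_" + req.requester.lower())[:MAX_LEN]   # copy of the requester's username
    else:
        base = normalize_username(req.requested_name)
    username = allocate_username(base, existing)
    description = f"{req.ticket} created {req.submitted}"   # request number lands in the description
    if req.temporary:
        description += f" expires {req.expires}"
    return {"accepted": True, "username": username, "description": description, "reason": ""}


if __name__ == "__main__":
    directory = {"jdoe01", "asmith"}   # constructed set of usernames already in use
    print(validate(AccountRequest("SD-1001", "user", "bob", "jdoe01", "2024-01-15"), directory))
    print(validate(AccountRequest("SD-1006", "user", "x", "jdoe01", "2024-01-15",
                                  temporary=True, expires="2024-07-13"), directory))
```

The truncation rule is the one to watch: two distinct 300-character requests that share their first 256 characters collapse to the same name, so the de-duplication step must run after truncation, not before, which is why `allocate_username` trims the base itself when it appends a number.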
Approval Matrix
All requests for entitlements (an account to be added to a group or role) must be accompanied by the appropriate approval outlined in the matrix below.
U - User’s Manager
G - Group or Platform Owner
VP
Update Entitlement
Changes to the user’s information will be requested through the existing account request process outlined in the New Access section above. In the event that a data owner determines that an entitlement is no longer appropriate for any reason, they are authorized to request a change at any time.
Disable/Remove Entitlement
At the end of the identity lifecycle is the removal of rights/roles that had previously been granted to the credential. There are a myriad of reasons for the removal of those entitlements. If a customer specifically requests removal of external or client user accounts, Business will revoke them upon notification from the external users or client contacts.
Termination:
Termination results in top-level access (VPN, RSA token) being disabled within 24 hours of notification from Human Resources, detective controls, or the user's manager (the exception is service accounts, which will be reassigned to other users, either within the group or to the manager of the user). Emergency terminations will be fulfilled within 8 hours. The Service Desk Request number for the termination shall be appended to the account description attribute, including the date of the action.
Inactivity:
Accounts that have no activity for 90 days shall be disabled, except for service accounts, legal hold accounts, and accounts with an approved RAD, each of which will be assigned to a specific restricted access OU. The Service Desk Request number for the disablement shall be appended to the account description attribute, including the date of the action.
Disable Request During Review:
Accounts requested to be disabled through the review process will be disabled through a standard Service Desk Request. The Service Desk Request number for the disablement shall be appended to the Account Description attribute, including the date of the action.
Disable for Non-Review:
Accounts that are not reviewed during the normal review cycles will have a request submitted by Operations for their disablement. The description will be updated with the reason for the disable action. Accounts can be re-enabled by a simple request from the account owners’ manager and will not require additional approvals for reinstatement.
Expired Accounts:
Test/temporary accounts will expire at the end of the required test period, and shall be disabled and moved to the appropriate restricted access OU. The Service Desk Request number for the disablement shall be appended to the Account Description attribute, including the date of the action.
NOTE: Removal of disabled accounts will occur 90 days after disablement.
All group memberships to be removed - During the disabling process, the targeted account will be removed from all group memberships on the AD domains or devices where the account is being disabled, EXCEPT FOR ACCOUNTS DISABLED FOR NON-REVIEW.
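The disable/remove rules above (90-day inactivity with exemptions parked in a restricted OU, expiry of test accounts, termination with service-account reassignment, the description-attribute stamp, group stripping except for non-review disables, and purge 90 days after disablement) form one lifecycle sweep. The following is an added example written for this page, not Business's own tooling: it runs the sweep over a constructed in-memory directory snapshot instead of a live AD domain, the OU names and the `SD-` request numbers are assumed, and an account with no recorded activity at all is treated as idle.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

INACTIVITY_DAYS = 90     # disable after this many days without activity
PURGE_DAYS = 90          # remove the object this many days after disablement
RESTRICTED_OU = "OU=Restricted Access,DC=business,DC=example"   # assumed OU name
EXEMPT_KINDS = {"service", "legal_hold", "rad"}   # exempt from inactivity disable, parked instead


@dataclass
class Account:
    name: str
    kind: str                            # user, client, admin, vault, service, legal_hold, rad
    last_logon: Optional[str] = None     # ISO date; None = never logged on
    created: Optional[str] = None        # ISO date; fallback activity reference
    owner: Optional[str] = None          # owning user for service accounts
    groups: set = field(default_factory=set)
    description: str = ""
    ou: str = "OU=Users,DC=business,DC=example"
    enabled: bool = True
    expires: Optional[str] = None        # ISO date for tmp_ accounts
    disabled_on: Optional[str] = None
    disable_reason: Optional[str] = None


def ticket_counter(prefix="SD-", start=2000):
    """Stand-in for the Service Desk: hands out sequential request numbers (constructed)."""
    n = [start]

    def next_ticket():
        t = f"{prefix}{n[0]}"
        n[0] += 1
        return t
    return next_ticket


def stamp(acct, ticket, action, today):
    """Append the request number, action and date to the description attribute."""
    entry = f"{ticket} {action} {today}"
    acct.description = f"{acct.description}; {entry}" if acct.description else entry


def disable(acct, ticket, reason, today):
    """Disable per the policy: stamp the description, drop all group memberships except for
    disable-for-non-review, and park expired test accounts in the restricted OU."""
    acct.enabled = False
    acct.disabled_on = today
    acct.disable_reason = reason
    stamp(acct, ticket, f"disabled ({reason})", today)
    if reason != "non_review":
        acct.groups.clear()
    if reason == "expired":
        acct.ou = RESTRICTED_OU


def sweep(accounts, today, next_ticket):
    """One scheduled pass: expire tmp_ accounts, park exempt accounts, disable idle ones,
    purge objects disabled PURGE_DAYS or more ago. Returns the (account, action) pairs taken."""
    now = date.fromisoformat(today)
    actions = []
    for acct in list(accounts):
        if acct.enabled:
            if acct.expires and date.fromisoformat(acct.expires) <= now:
                disable(acct, next_ticket(), "expired", today)
                actions.append((acct.name, "expired"))
            elif acct.kind in EXEMPT_KINDS:
                if acct.ou != RESTRICTED_OU:
                    acct.ou = RESTRICTED_OU
                    actions.append((acct.name, "moved_restricted"))
            else:
                ref = acct.last_logon or acct.created
                idle = (now - date.fromisoformat(ref)).days if ref else INACTIVITY_DAYS  # unknown = idle
                if idle >= INACTIVITY_DAYS:
                    disable(acct, next_ticket(), "inactivity", today)
                    actions.append((acct.name, "inactivity"))
        elif acct.disabled_on and (now - date.fromisoformat(acct.disabled_on)).days >= PURGE_DAYS:
            accounts.remove(acct)
            actions.append((acct.name, "purged"))
    return actions


def terminate(username, accounts, manager, ticket, today):
    """Termination: disable the user's account and reassign (never disable) the service
    accounts they own to their manager. Returns the names of the reassigned service accounts."""
    by_name = {a.name: a for a in accounts}
    disable(by_name[username], ticket, "termination", today)
    reassigned = []
    for a in accounts:
        if a.kind == "service" and a.owner == username:
            a.owner = manager
            stamp(a, ticket, f"owner reassigned to {manager}", today)
            reassigned.append(a.name)
    return reassigned


def build_sample():
    """Constructed directory snapshot for the demonstration."""
    return [
        Account("jdoe01", "user", last_logon="2024-03-01", groups={"GG-Finance"}),
        Account("asmith", "user", last_logon="2024-06-20", groups={"GG-Eng"}),
        Account("svc_backup", "service", last_logon="2023-01-01", owner="jdoe01"),
        Account("tmp_asmith", "user", last_logon="2024-06-25", expires="2024-06-30", groups={"GG-Test"}),
        Account("old01", "user", enabled=False, disabled_on="2024-03-01", disable_reason="review"),
    ]


if __name__ == "__main__":
    accounts = build_sample()
    for name, action in sweep(accounts, "2024-07-01", ticket_counter()):
        print(f"{action:16} {name}")
```

Against a real domain the same logic would read `lastLogonTimestamp`, `whenCreated` and `accountExpires` and write `description`, `memberOf` and the OU move; the point of keeping the purge as a separate branch on `disabled_on` is that it only ever fires on accounts already stamped by an earlier disable action, so the request number trail is never lost before the object is removed.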
Provisioning Ad hoc access
The Business operations team performs ad hoc requests for Guest Account Authorization and Termination (Third-Party Vendor Access and Terminating Access), and handles them as part of the onboarding request creation process.
As part of access requests for any specific tool, the user will have to create a request using the Service Desk (SD) URL for the operations team. This request should be approved by their respective manager so that their access review takes place as part of the internal review.
Request Output: The request that is the output of the request process must contain all the required approvals and required attributes. The fulfillment teams are to create the requested entitlement(s) and close the request upon completion. SLAs for request execution will be a standard Priority 3 with 3-day target.
Monitoring and Control
The Operations team is responsible for the overall governance of identity security throughout the Business IT infrastructure. Gathering of entitlement data from devices, directory services, applications, databases, etc. will be conducted by the team for the purpose of controlling access in the environment. By recording requests, changes, and reviews, the team will control risk by minimizing the exposure of unknown or unnecessary privilege.
Company Role Change
In the event of a user's change in role at the company (change of manager, location, business unit, client team, etc.), the Operations team will trigger a review by both the inbound and outbound managers to attest to the privileges being carried into the new role.
Security Log Monitoring
Security logs for all vaults, devices, domains, etc. will be monitored by operations for all entitlement activity; add/change/remove activities against accounts/groups will be validated for the following:
Completeness
Change Control
SLA Adherence
Change Control
The Operations team is responsible for monitoring the creation of entitlements. Any entitlements identified as having been created outside of normal change control will be removed immediately upon discovery. Individuals who create accounts without proper requests will be subject to disciplinary action up to and including termination.
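The three validations named under Security Log Monitoring (completeness, change control, SLA adherence) and the change-control removal rule above reduce to a join between entitlement activity and the Service Desk export. The following is an added example written for this page, not Business's own tooling: the audit lines are constructed in a simplified one-line-per-event format (the event IDs 4720 and 4728 are the Windows "user account created" and "member added to global group" events, but the line layout is this example's, not real Windows event text), the `SD-` request numbers and ticket export are constructed, and the 3-day window is the Priority 3 target from the Request Output section.

```python
import re
from datetime import datetime

TICKET_RE = re.compile(r"\bSD-\d+\b")
LINE_RE = re.compile(r'^(\S+) (\d+) (\S+) (\S+) by=(\S+) desc="([^"]*)"$')
SLA_HOURS = 3 * 24     # Priority 3 request: 3-day target

# Constructed Service Desk export: request number -> what was approved, and when.
TICKETS = {
    "SD-1001": {"entity": "bob000", "approved": True, "opened": "2024-07-01T09:00", "closed": "2024-07-02T11:00"},
    "SD-1002": {"entity": "svc_etl", "approved": False, "opened": "2024-07-01T09:30", "closed": "2024-07-03T16:00"},
    "SD-1003": {"entity": "jsmith->GG-Finance", "approved": True, "opened": "2024-06-25T08:00", "closed": "2024-07-02T12:00"},
}

# Constructed entitlement-activity lines in the simplified format this example parses:
#   <timestamp> <event id> <kind> <entity> by=<actor> desc="<description attribute>"
# 4720 = user account created, 4728 = member added to a global group.
LOG = """\
2024-07-02T10:55 4720 user bob000 by=ops_jdoe desc="SD-1001 created 2024-07-02"
2024-07-02T14:10 4720 user svc_etl by=ops_jdoe desc="SD-1002 created 2024-07-02"
2024-07-02T12:00 4728 member jsmith->GG-Finance by=ops_asmith desc="SD-1003 added 2024-07-02"
2024-07-02T23:40 4720 user backdoor7 by=adm_kroot desc=""
2024-07-03T08:00 4720 user tmp_asmith by=ops_jdoe desc="SD-9999 created 2024-07-03"
"""


def parse(log):
    """Turn the activity lines into event records; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event_id, kind, entity, actor, desc = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "event": event_id, "kind": kind,
                       "entity": entity, "actor": actor, "desc": desc})
    return events


def audit(events, tickets):
    """Validate each add/change event for completeness (a request number in the description),
    change control (an approved request for this entity, opened before the change was made)
    and SLA adherence (request closed within the Priority 3 window)."""
    findings = []
    for ev in events:
        numbers = TICKET_RE.findall(ev["desc"])
        if not numbers:
            findings.append((ev["entity"], "missing_request_number"))
            continue
        ticket = tickets.get(numbers[0])
        if ticket is None:
            findings.append((ev["entity"], "unknown_request"))
            continue
        opened = datetime.fromisoformat(ticket["opened"])
        closed = datetime.fromisoformat(ticket["closed"])
        if not ticket["approved"]:
            findings.append((ev["entity"], "unapproved_request"))
        elif ticket["entity"] != ev["entity"]:
            findings.append((ev["entity"], "request_for_other_entity"))
        elif ev["ts"] < opened:
            findings.append((ev["entity"], "change_predates_request"))
        if (closed - opened).total_seconds() > SLA_HOURS * 3600:
            findings.append((ev["entity"], "sla_breach"))
    return findings


def out_of_change_control(findings):
    """Entities to remove immediately: every finding except a pure SLA miss."""
    return sorted({entity for entity, code in findings if code != "sla_breach"})


if __name__ == "__main__":
    results = audit(parse(LOG), TICKETS)
    for entity, code in results:
        print(f"{code:26} {entity}")
    print("remove:", out_of_change_control(results))
```

The check that the change did not predate its request is the one most often skipped and the one that catches a back-filled ticket: an operator who creates the account first and opens the request afterwards still leaves a request number in the description, so completeness alone passes.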
Access Reviews
Proper identity governance requires periodic review of entitlements for the purpose of validating the appropriateness of existing privileges. The requester shall share a User Access Request Form ("Authorization Request Form").
Frequency:
Access reviews shall be initiated by the Operations Team semi-annually, at a minimum, or according to the Business Information Security Standard, whichever is more frequent. Reviews shall be conducted in accordance with the Access Review Procedure.
Attestation:
Data owners or users' managers are responsible for reviewing and attesting that the access maintained to the systems or data is appropriate. Data owners or users' managers will identify accounts that no longer require access; Operations will submit the revocation request within 3 business days after the close of the review period. Accounts that are not attested to will be disabled and will require an additional request to be re-enabled.
Results:
Access review results shall be documented by the Operations team and stored for a minimum of one year.
Additional reviews can be requested for any reason:
Ad hoc:
A data owner may request an ad hoc or regularly scheduled review for the data sources they own.
Job Change:
When a user has a job transfer or position change, the former manager and current manager shall be responsible for reviewing the user’s access and ensuring unnecessary access is removed.
Test:
During the development of new reviews, Operations or the data owner(s) can generate a test review for the purpose of a pre-implementation QC check.
Detective Controls
The Operations team will be responsible for monitoring employee status changes within the HRIS. There are individuals (non-Business employees, i.e. staff of a parent or subsidiary company) whose HR staff do not have access to the Business Service Desk system to initiate the termination of entitlements in the Business environment.
Single Sign On
AWS Single Sign-On (AWS SSO) is a service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. AWS SSO provides a user portal so that users can find and access all of their assigned accounts and applications from one place, using their existing corporate credentials. (AWS renamed the service AWS IAM Identity Center in 2022; the functionality described here is unchanged.)