Infor Risk and Compliance for CDM Phase 2: Automate, integrate, manage, and report across your enterprise

Public Sector

Now in its Phase 2 rollout, the Department of Homeland Security (DHS) and General Services Administration (GSA) Continuous Diagnostics and Mitigation (CDM) program requires organizations like yours to ensure compliance with, and enforcement of, D/A security policies and procedures. With the Infor Risk and Compliance platform, you get a solution that supports CDM management of enterprise governance, risk and compliance (GRC). Infor Risk and Compliance is an established solution that uses the current D/A processes and systems and can adapt as the D/A matures its capabilities. In this guide, you'll learn the benefits of using the Infor Risk and Compliance platform to manage CDM compliance and enforcement.

Table of Contents
- CDM Phase 2 offerings
- The Master User Record for all users
- The Infor solution for Phase 2: Tool areas
- Dynamic 360° view across the enterprise
- Case management for investigations and remediation
- Platform components
- Key benefits

CDM Phase 2 offerings

The Department of Homeland Security (DHS) and General Services Administration (GSA) created the Continuous Diagnostics and Mitigation (CDM) program to enhance and modernize the security posture of Federal Departments and Agencies (D/A). Phase 1 of the program focused on endpoint security and was rolled out in 2014/2015. Phase 2 of the program, rolling out in late 2015 and 2016, monitors and manages user-based accounts and services, moving from endpoint to internal network activity. The four functional tool areas of CDM Phase 2 (TRUST, BEHAVE, CRED, and PRIV) will be deployed to verify trust levels, training, credentials, and access rights according to established D/A policies.

DHS and GSA have approved Infor Risk and Compliance (formerly Approva) for all four functional areas of Phase 2. The software correlates multiple data sources to create and monitor the Master User Record (MUR), the central repository of attributes for all four tool areas, not simply to alert users to violations but also to remediate issues in real time when the MUR reflects a delta from the desired state as defined by D/A policy.

Infor Risk and Compliance: Delivering full lifecycle ICAM

The Infor Risk and Compliance platform supports CDM management of enterprise governance, risk and compliance (GRC), to help ensure compliance with and enforcement of D/A security policies and procedures. As the foundation for all Infor GRC solutions, the platform allows you to adapt a broad range of solutions to your requirements, build new models, and integrate with external systems without touching a single line of code. Infor Risk and Compliance's flexible strategy has won over some of the most demanding Fortune 500 companies and public sector entities. These organizations have seized the power of the platform to make Infor solutions their own, modeling additional authorization and process insights in a fraction of the time it would take to develop traditional custom applications. Infor Risk and Compliance is an established solution that uses the current D/A processes and systems and can adapt as the D/A matures its capabilities. Additionally, it can be configured to support locally defined defects that are tracked and displayed only on D/A dashboards, while automatically posting to the standard Federal dashboard.

Infor Risk and Compliance offers:
- Complete CDM Phase 2 platform (see Figure 1)
- Master User Record (MUR) repository
- Automated continuous controls monitoring and detection
- Case management for analysis, mitigation, and audit reporting

[Figure 1. Infor's CDM Phase 2 solution components. The IRC CDM CREDMGMT solution overview diagram shows: KPIs, dashboards and reporting; the Policy Enforcement Point (PEP) and Policy Decision Point (PDP); exception identification across the Trust, Behave, Credential and Privilege areas around the Master User Record (MUR); Identity Credential & Access Management (ICAM) with risk scoring and analytics, user access monitoring and certifications (Authorizations Insights, Certification Manager, Access Manager, User Activity Insight: who, what, when, where, against D/A policies); a 360° view of exceptions and exception management; process, configuration and master data monitoring (Configurations Insight, Vendor Insight, Inventory Insight); the analysis engine, data extraction and audit trail; reporting, integration and development (BI Analysis & Reporting Studio, Integration Kit, Data Extractor/Loader); the workflow engine and extensibility via the Infor ION framework and application-specific adapters; and the data sources (agency-specific digital policy and metapolicy, Master Device Record (MDR), Phase 1 monitoring tools, logs, access control, HRMS/LMS, ERP/business systems, Active Directory/LDAP).]

With Infor Risk and Compliance, you can:
- Manage policies, controls, risks, assessments, attestations, and deficiencies through one central platform.
- Establish a Master User Record (MUR) repository for relevant user information.
- Automate user access across systems, enforcing segregation of duties (SoD), ensuring compliance with security policies and procedures, and certifying user access rights.
- Automate business processes, streamline workflow, and deliver real-time reports across your enterprise.
- Put control in the hands of security operations, enabling them to tailor IRC solutions and build new applications without development resources.
- Integrate with external systems to support data analysis, process management, and reporting.
- Select an on-premises or hosted (SaaS) deployment.

The Master User Record for all users

CDM envisions the creation of a MUR for every D/A user. Because the MUR houses the master data elements defining the to-be state, it can identify deltas between the to-be and actual states of user activity to reveal potential risks. Infor Risk and Compliance serves as the MUR by ingesting data from all Policy Decision Point (PDP) and Policy Enforcement Point (PEP) tools. It communicates bidirectionally with PDPs to exchange data on detected defects and anomalies. If the IRC platform or a PDP detects a policy-based defect, Infor Risk and Compliance can generate an alert and/or run a script to bring the user into compliance with the defined policy.

The Infor Risk and Compliance platform can integrate with all known approved Phase 2 tools. It indexes and monitors data in real time and provides alerting and reporting based on defined thresholds. It can also trigger a workflow in the Infor Risk and Compliance case management module for further analysis and mitigating actions.

The Infor Risk and Compliance platform is highly scalable: it can support large-scale environments of 100k users or more, ingest data from individual tools, and deliver appropriate streams to the CDM dashboard. As a result, Infor Risk and Compliance can break down data silos in even the largest agencies. Rather than monitoring separate systems, agencies gain unified, real-time views of their data and processes.

The Infor solution for Phase 2: Tool areas

TRUST: the trust accorded to users

Users within D/A environments must have levels of trust commensurate with the sensitivity of the data and resources they access. Infor Risk and Compliance can use identity information from sources like HR systems, asset databases, identity management solutions, and Active Directory (AD) to maintain a list of known identities. It then correlates incoming information against this record. Infor Risk and Compliance builds a master record of all currently granted trust levels for each person employed or contracted by the D/A, including:
- Status of trust level (i.e., Pending, Authorized, Suspended, Revoked, Expired)
- Date initially authorized
- Date last authorized
- Date revoked
- Values of local enhancements, including date of last status change, or any other data to compare with locally defined desired-state specifications

The information collected is used to determine:
- Appropriate security clearances are in place (if applicable)
- User suitability and fitness for access

BEHAVE: the behavior of users

Users should be granted access to facilities, systems, and information only when they possess the appropriate security-related behavior, which includes training, skills, knowledge, or certification. Infor Risk and Compliance can access training information from the D/A's HR and/or learning management systems to confirm that training and skill levels are appropriate. Users who lack the proper training can pose risks by engaging in behaviors that jeopardize systems, expose sensitive data, or subvert security policies. In real time, Infor Risk and Compliance can identify the level of training completion for each authorized user, including:
- Training or knowledge identifier
- Status
- Date first trained or tested
- Date of most recent training

The information collected is used to confirm:
- General security awareness training
- Role-based security training

CRED: the credentials assigned to users

Poor credential management and authentication practices increase the risk of unauthorized users accessing buildings, networks, and information. Examples of faulty practices include weak passwords, unsecured physical tokens, and not enforcing multifactor authentication for remote access to restricted information. The Infor Risk and Compliance platform can correlate data from HR databases, password management systems, and repositories like Active Directory, as well as e-learning systems, with TRUST and BEHAVE information to determine which users require security awareness training. Infor Risk and Compliance uses the master record of all issued credentials for each authorized user employed by the D/A, and collects the related credential and authorization data elements, including:
- Credentials issued to each user employed by the D/A (including contractors)
- Credential reissuance, revocation, and suspension enforcement mechanisms and their configuration for all credential types
- Password complexity enforcement mechanisms and configuration for all in-scope accounts at the D/A
- Authentication mechanisms implemented for every in-scope account in the D/A
- Account status for every in-scope account at the D/A
- Default accounts/passwords enabled on in-scope systems
- Collection mechanisms and/or processes to detect and record/report the actual state information

The information collected is used to confirm that:
- Only authorized users are issued the authorized credentials of the correct type to access facilities, information, and networks.
- All authorized users have their credentials reissued or reset on a periodic basis.
- All authentication mechanisms deployed on in-scope systems across the D/A implement the appropriate authentication policy.
- All credential types have appropriate expiration, reissuance, and revocation policies.

PRIVILEGES: the access rights granted to users

Agencies assign privileges based on access requests, but as jobs and missions change, privileges are rarely removed, creating the risk of improperly accessed resources. Infor Risk and Compliance Authorization Insights captures and logs attempted access across a multitude of platforms and network devices, tracking unwanted users with repeated login failures, unauthorized access attempts, and inappropriate privilege escalation. On top of this, Infor Risk and Compliance can look beyond the network into granular role-based policies on access to business transactions within ERP systems or purpose-built systems. Preventive (can-do) monitoring helps ensure proper segregation of duties, and detective (did-do) monitoring finds improper or fraudulent use of the granted transactional access.

Infor Risk and Compliance builds a master record of all authorized accesses for each person employed or contracted by the D/A, including:
- Common identifier
- Manager
- Attribute ID, including the status (pending, active, revoked, inactive); date initially authorized; date last authorized; and date revoked

The information collected is used to confirm that:
- Only authorized users with authorized accounts of the correct type are accessing systems.
- All employees have only the privileges necessary to do their jobs.
- All accounts are in compliance with the D/A's Dynamic Segregation of Duties policies.
- All authorized users have their accounts and access reauthorized on a periodic basis (also referred to as periodic attestation).
- All accounts deployed on in-scope facilities and systems across the D/A implement the appropriate restrictions.
- All account types employ appropriate expiration and disable policies.

Dynamic 360° view across the enterprise

The power to correlate disparate data sources is the key to CDM. D/As often deploy PDPs and collect data from identity, credential, access management, and e-learning systems, but often without implementing a correlation engine. As a result, they are limited to the visibility and awareness of each individual tool and the attributes it collects, and cannot correlate data across multiple tools for comprehensive visibility and awareness.

The Infor Risk and Compliance platform provides true situational awareness of risk by dynamically mapping data from all four Phase 2 tool areas. Every attribute of desired and actual states, not just those siloed in one tool area, is compared and analyzed for compliance and defects. By correlating different data types across diverse toolsets, Infor Risk and Compliance helps ensure that there are no gaps in views of the holistic enterprise. For example, log data may represent a user as an employee number; the HR system may use the employee's full name; and user IDs may vary per network device and application. By collating data from all sources, the solution presents a unified perspective of the employee and eliminates false alerts.

The Infor Risk and Compliance platform issues alerts when it detects any anomaly. Someone who logs into the network might be confirmed to have Trust and Privileges, but not Credentials; Infor Risk and Compliance flags this as an attempt to access the system without proper credentials. Other examples of behavior that would trigger alerts include:
- A user's clearance has lapsed.
- A user is accessing file systems they are not entitled to access.
- A user has not completed mandatory training.
- A user is logging in from a geographic area outside of policy or is improperly using a VPN.
- A user is working outside of their normal working hours.

Infor Risk and Compliance strengthens the monitoring of user behavior with advanced anomaly detection and enhanced risk scoring. It prioritizes risks based on rules and policies, and enables the most serious incidents to be remediated promptly, before they impact the organization.
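The correlation-and-delta idea described in this section, as an added illustration in Python that is not Infor code: three constructed source extracts that key the same people differently (HR by full name, the directory by account name, access logs by employee number) are joined into a toy Master User Record, and a constructed desired-state policy is compared with the actual state to produce defects in the TRUST, BEHAVE, CRED and PRIV areas. Every system name, field, account, date and policy value is an assumption made for the example.

```python
"""Toy Master User Record (MUR) correlation and desired/actual-state delta detection.
Added illustration, not Infor code: every source system, field name, account,
date and policy value below is constructed for the example.
"""
from datetime import date, timedelta

TODAY = date(2016, 6, 1)  # constructed "as-of" date for the comparison

# Constructed extracts from three source systems, each keying people differently.
HR = [  # keyed by full name; carries employee number and clearance (TRUST)
    {"name": "Ada Lovelace", "emp_no": "E1001", "clearance": "Secret", "clearance_expires": "2017-01-01"},
    {"name": "Bob Stone", "emp_no": "E1002", "clearance": "Secret", "clearance_expires": "2016-03-01"},
    {"name": "Cy Rao", "emp_no": "E1003", "clearance": None, "clearance_expires": None},
]
DIRECTORY = [  # keyed by account name; credential and group data (CRED, PRIV)
    {"account": "alovelace", "emp_no": "E1001", "piv_issued": True, "groups": ["finance-ro"]},
    {"account": "bstone", "emp_no": "E1002", "piv_issued": True, "groups": ["finance-ro", "hr-admin"]},
    {"account": "crao", "emp_no": "E1003", "piv_issued": False, "groups": ["finance-ro"]},
]
LMS = [  # training completions keyed by employee number (BEHAVE)
    {"emp_no": "E1001", "course": "security-awareness", "completed": "2016-02-10"},
    {"emp_no": "E1002", "course": "security-awareness", "completed": "2015-01-15"},
]
ACCESS_LOG = [  # constructed "did-do" events: <ts> <emp_no> <account> <action> <detail>
    "2016-05-30T09:12:00 E1001 alovelace LOGIN ok",
    "2016-05-30T09:40:00 E1002 bstone LOGIN ok",
    "2016-05-31T22:05:00 E1003 crao LOGIN ok",
    "2016-05-31T22:06:00 E1003 crao READ /share/hr-payroll",
]
POLICY = {  # desired state (D/A policy), constructed for the example
    "require_clearance": True,
    "training_valid_days": 365,
    "resource_groups": {"/share/hr-payroll": "hr-admin"},  # group that entitles a read
}


def parse_log(lines):
    """Split the constructed log format into event dicts."""
    keys = ("ts", "emp_no", "account", "action", "detail")
    return [dict(zip(keys, line.split(" ", 4))) for line in lines]


def build_mur(hr, directory, lms):
    """Join the extracts on the common identifier (employee number) into one record per person."""
    mur = {}

    def rec(emp_no):
        return mur.setdefault(emp_no, {"name": None, "clearance": None, "clearance_expires": None,
                                       "accounts": set(), "groups": set(), "piv_issued": False, "training": {}})

    for h in hr:
        rec(h["emp_no"]).update(name=h["name"], clearance=h["clearance"],
                                clearance_expires=h["clearance_expires"])
    for d in directory:
        r = rec(d["emp_no"])
        r["accounts"].add(d["account"])
        r["groups"].update(d["groups"])
        r["piv_issued"] = r["piv_issued"] or d["piv_issued"]
    for t in lms:  # keep only the most recent completion per course (ISO dates compare as strings)
        r = rec(t["emp_no"])
        if t["completed"] > r["training"].get(t["course"], ""):
            r["training"][t["course"]] = t["completed"]
    return mur


def find_defects(mur, events, policy, today=TODAY):
    """Compare desired state (policy) with actual state; return (area, emp_no, detail) tuples."""
    defects = []
    oldest_ok = (today - timedelta(days=policy["training_valid_days"])).isoformat()
    for emp_no, r in mur.items():
        if policy["require_clearance"]:  # TRUST: a clearance must exist and be unexpired
            if r["clearance"] is None:
                defects.append(("TRUST", emp_no, "no clearance on record"))
            elif r["clearance_expires"] < today.isoformat():
                defects.append(("TRUST", emp_no, "clearance expired " + r["clearance_expires"]))
        done = r["training"].get("security-awareness")  # BEHAVE: training inside the validity window
        if done is None or done < oldest_ok:
            defects.append(("BEHAVE", emp_no, "security-awareness training missing or stale"))
    for e in events:
        r = mur.get(e["emp_no"])
        if r is None:  # activity by an identity the MUR does not know at all
            defects.append(("TRUST", e["emp_no"], "activity for identity unknown to HR"))
            continue
        if e["action"] == "LOGIN" and not r["piv_issued"]:  # CRED: login without an issued credential
            defects.append(("CRED", e["emp_no"], "login without issued credential"))
        if e["action"] == "READ":  # PRIV: resource read without the entitling group
            needed = policy["resource_groups"].get(e["detail"])
            if needed and needed not in r["groups"]:
                defects.append(("PRIV", e["emp_no"], f"read {e['detail']} without group {needed}"))
    return defects
```

Running `find_defects(build_mur(HR, DIRECTORY, LMS), parse_log(ACCESS_LOG), POLICY)` reports nothing for E1001, an expired clearance and stale training for E1002, and four defects for E1003, one in each tool area, from a single correlated view rather than four separate tool reports.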

Case management for investigations and remediation

The value of the Infor Risk and Compliance platform extends beyond identifying deltas between desired and actual states. Its unified views of all data sources eliminate the need to manually gather data across individual point solutions for analysis. The solution not only correlates data between all Phase 1 and Phase 2 sources, it can also integrate data from Phase 3 sources (or tools deemed outside the scope of CDM) for holistic visibility. Without this visibility, agencies could lack the insight even to know that remediation is necessary.

Infor Risk and Compliance also provides deep-dive search functionality for forensic investigations. Analysts can examine patterns of data and trends in network and host access behaviors, and rapidly identify activity and patterns that lie outside the norm. They can then drill down to the original source events for corroboration and further granularity. The solution can also take precautionary measures proactively or when analysts detect issues. For example, analysts can use the IRC provisioning functionality to deny access to a particular resource or to the entire network.

Only Infor Risk and Compliance offers a complete platform for the CDM program. It uniquely tracks all other toolsets used for CDM, for identifying potential security risks and issues, and for remediation to ensure compliance. IRC serves as the monitor of monitors, handling the escalation and prioritization of alerts and incidents for mitigation.

[Figure 2. Infor CDM continuous controls monitoring framework. The diagram shows: multiple stakeholders (outsourcing partners, COO/operations, CFO/finance, CIO/IT, risk management, human resources, external audit); desired state (can do) versus actual state (did do) questions for access to applications/systems ("Can anyone...?"), application/process configuration ("Do our systems allow anyone to...?"), user activity/transactions ("Did anyone...?"), and master data controls ("Is the underlying data compromised?"); multiple controls across Phase 1, Phase 2 and Phase 3 (5. network and asset controls; 6. trust and people granted access; 7. security-related behavior; 8. credential and authentication; 9. privileges and accounts; 10. prepare for contingencies and incidents; 11. detect suspicious events/patterns; 12. respond to contingencies and incidents); and the monitored sources (digital policy and metapolicy, Master Device Record (MDR), Phase 1 monitoring tools, logs, Policy Decision Point (PDP), HRMS, business and legacy/program systems) covering people, data, applications, infrastructure, incidents and alerts.]

Platform components

Application studio: Tailor Infor Risk and Compliance solutions to your unique methodologies and build on-demand applications.

Reports and dashboards: Take advantage of pre-built reports and dashboards, and create your own with the user-friendly web interface, or feed the D/A's specific dashboards.

Advanced business workflow: Define and automate business processes for streamlining the management of content, tasks, statuses, and approvals. The advanced workflow engine enables application authors to visually describe business processes as a flowchart, with steps that can execute code.

Access control: Enforce access controls at the system, application, record, and field levels, so users interact only with the information that is relevant for their roles.

Self-service access provisioning: Enables privileged users to request (emergency) access to network components on a 24/7 basis, using the full access control logic.

User experience: A next-generation user interface puts GRC priorities right at the user's fingertips, presenting the right information at the right time for each role, with fewer clicks required.

Policy-driven remediation: Forces the resolution of all flagged violations through configurable assignments, user and account de-provisioning automation, compensating controls, and notifications. Infor Risk and Compliance's continuous monitoring helps ensure that all violations are resolved in a timely manner and documented in an extensive audit trail.

Quarterly attestation: Helps ensure that all users' roles, assignments, access points, and other credentials are reviewed and approved by managers on a quarterly or periodic basis, to reduce the potential for fraud and lingering compliance violations.

System integration: The Infor Risk and Compliance platform serves as an aggregation point for consolidation of governance, risk, and compliance information of any type. The platform allows seamless integration of data systems without requiring additional software. Users can automate movement of data into and out of the platform to support data analysis, process management, and reporting.

Mobile capabilities: Conduct audit, risk, and compliance assessments anywhere from your mobile device.

Relationship visualization: Easily visualize GRC data and relationships. By revealing patterns that may not be noticed in a standard report, relationship visualization allows users to make business decisions more easily and helps ensure the highest risks are addressed.

Globalization: Infor continues to enhance the Infor Risk and Compliance platform for use in markets around the globe. The solution offers double-byte support. Localization provides region- and language-specific components, and multilingual development enables customers to support multiple languages within their Infor Risk and Compliance environment.

Deployment flexibility: Infor supports both on-premises and hosted (SaaS) deployments of the Infor Risk and Compliance platform, allowing users to balance administrative control, time to value, and cost considerations when planning an implementation. Users can deploy the platform in the most appropriate environment based on their current needs and move applications from one environment to another as their needs change.

Key benefits

Infor Risk and Compliance is:

Available: Infor Risk and Compliance is an off-the-shelf solution that can be installed today. It includes pre-built insights, a rules engine, and adapters, so it can be configured to work in weeks for immediate benefit realization. Plus, it provides a platform to build on.

Flexible: The platform offers a point-and-click interface for building and managing business applications. Non-technical users can automate processes, streamline workflow, control user access, tailor the user interface, and report in real time.

Unified: Infor Risk and Compliance provides a common platform for managing policies, controls, risks, assessments, and deficiencies across lines of business. This unified approach eases system complexity, strengthens user adoption, and reduces training time.

Collaborative: The platform enables cross-functional collaboration and alignment. D/A users across IT, finance, operations, and legal domains can work together in an integrated framework using common processes and data.

Visit us online or contact your Infor account representative to learn more.

Copyright 2016 Infor. All rights reserved. The word and design marks set forth herein are trademarks and/or registered trademarks of Infor and/or related affiliates and subsidiaries. All other trademarks listed herein are the property of their respective owners. www.infor.com. 641 Avenue of the Americas, New York, NY 10011. INFDTP1523962-en-US-0616-1