Public Sector

Infor Risk and Compliance for CDM Phase 2: Automate, integrate, manage, and report across your enterprise

Now in its Phase 2 rollout, the Department of Homeland Security (DHS) and General Services Administration (GSA) Continuous Diagnostics and Mitigation (CDM) program requires organizations like yours to ensure compliance with, and enforcement of, D/A security policies and procedures. With the Infor Risk and Compliance platform, you get a solution that supports CDM management of enterprise governance, risk and compliance (GRC). Infor Risk and Compliance is an established solution that uses current D/A processes and systems and can adapt as the D/A matures its capabilities. In this guide, you'll learn the benefits of using the Infor Risk and Compliance platform to manage CDM compliance and enforcement.
Table of Contents
- CDM Phase 2 offerings
- The Master User Record for all users
- The Infor solution for Phase 2: Tool areas
- Dynamic 360° view across the enterprise
- Case management for investigations and remediation
- Platform components
- Key benefits
CDM Phase 2 offerings

The Department of Homeland Security (DHS) and General Services Administration (GSA) created the Continuous Diagnostics and Mitigation (CDM) program to enhance and modernize the security posture of Federal Departments and Agencies (D/A). Phase 1 of the program focused on endpoint security and was rolled out in 2014/2015. Phase 2, rolling out in late 2015 and 2016, monitors and manages user-based accounts and services, moving from the endpoint to internal network activity. The four functional tool areas of CDM Phase 2 (TRUST, BEHAVE, CRED, and PRIV) will be deployed to verify trust levels, training, credentials, and access rights according to established D/A policies.

DHS and GSA have approved Infor Risk and Compliance (formerly Approva) for all four functional areas of Phase 2. The software correlates multiple data sources to create and monitor the Master User Record (MUR), the central repository of attributes for all four tool areas, not simply to alert users to violations but also to remediate issues in real time when the MUR reflects a delta from the desired state defined by D/A policy.

Infor Risk and Compliance: Delivering full lifecycle ICAM

The Infor Risk and Compliance platform supports CDM management of enterprise governance, risk and compliance (GRC), to help ensure compliance with and enforcement of D/A security policies and procedures. As the foundation for all Infor GRC solutions, the platform allows you to adapt a broad range of solutions to your requirements, build new models, and integrate with external systems without touching a single line of code. Infor Risk and Compliance's flexible strategy has won over some of the most demanding Fortune 500 companies and public sector entities. These organizations have seized the power of the platform to make Infor solutions their own, modeling additional authorization and process insights in a fraction of the time it would take to develop traditional custom applications.

Infor Risk and Compliance is an established solution that uses current D/A processes and systems and can adapt as the D/A matures its capabilities. Additionally, it can be configured to support locally defined defects that are tracked and displayed only on D/A dashboards, while automatically posting to the standard Federal dashboard.
Infor Risk and Compliance offers:
- Complete CDM Phase 2 platform (see Figure 1)
- Master User Record (MUR) repository
- Automated continuous controls monitoring and detection
- Case management for analysis, mitigation, and audit reporting

[Figure 1. Infor's CDM Phase 2 solution components. The diagram ("IRC: CDM CREDMGMT solution overview") shows the Policy Enforcement Point (KPIs, dashboards and reporting); the Policy Decision Point (exception identification against the MUR's Trust, Behave, Credential and Privilege attributes, ICAM, risk scoring and analytics, user access monitoring and certifications, and a 360° view of exceptions with exception management); process, configuration and master data monitoring insights; the analysis engine with data extraction and audit trail; reporting, integration and development tooling; the workflow engine; and extensibility via the Infor ION framework and application-specific adapters. Inputs are agency-specific digital policy and metapolicy, the Master Device Record (MDR), Phase 1 monitoring tools, logs, access control, HRMS/LMS, ERP/business systems, and Active Directory/LDAP.]
With Infor Risk and Compliance, you can:
- Manage policies, controls, risks, assessments, attestations, and deficiencies through one central platform.
- Establish a Master User Record (MUR) repository for relevant user information.
- Automate user access across systems, enforcing segregation of duties (SoD), ensuring compliance with security policies and procedures, and certifying user access rights.
- Automate business processes, streamline workflow, and deliver real-time reports across your enterprise.
- Put control in the hands of security operations, enabling them to tailor IRC solutions and build new applications without development resources.
- Integrate with external systems to support data analysis, process management, and reporting.
- Select an on-premises or hosted (SaaS) deployment.

The Master User Record for all users

CDM envisions the creation of a MUR for every D/A user. Because the MUR houses the master data elements defining the to-be state, it can help identify deltas between the to-be and real states of user activity to reveal potential risks. Infor Risk and Compliance serves as the MUR by ingesting data from all Policy Decision Point (PDP) and Policy Enforcement Point (PEP) tools. It communicates bi-directionally with PDPs to exchange data on detected defects and anomalies. If the IRC platform or a PDP detects a policy-based defect, Infor Risk and Compliance can generate an alert and/or run a script to bring the user into compliance with the defined policy.

The Infor Risk and Compliance platform can integrate with all known approved Phase 2 tools. It indexes and monitors data in real time and provides alerting and reporting based on defined thresholds. It can also trigger a workflow in the Infor Risk and Compliance case management module for further analysis and mitigating actions.

The Infor Risk and Compliance platform is highly scalable and can easily support large-scale environments of 100k users or more, and can ingest data from individual tools and deliver appropriate streams to the CDM dashboard. As a result, Infor Risk and Compliance can break down data silos in even the largest agencies. Rather than monitoring separate systems, agencies can gain unified, real-time views of their data and processes.
The Infor solution for Phase 2: Tool areas

TRUST: the trust accorded to users. Users within D/A environments must have levels of trust commensurate with the sensitivity of the data and resources they access. Infor Risk and Compliance can use identity information from sources like HR systems, asset databases, identity management solutions, and Active Directory (AD) to maintain a list of known identities. It then correlates incoming information against this record. Infor Risk and Compliance builds a master record of all currently granted trust levels for each person employed or contracted by the D/A, including:
- Status of trust level (i.e., Pending, Authorized, Suspended, Revoked, Expired)
- Date initially authorized
- Date last authorized
- Date revoked
- Values of local enhancements, including date of last status change, or any other data to compare with locally defined desired-state specifications

The information collected is used to determine:
- Appropriate security clearances are in place (if applicable)
- User suitability and fitness for access

BEHAVE: the behavior of users. Users should be granted access to facilities, systems, and information only when they possess the appropriate security-related behavior, which includes training, skills, knowledge, or certification. Infor Risk and Compliance can access training information from the D/A's HR and/or learning management systems to confirm that training and skill levels are appropriate. Users who lack the proper training can pose risks by engaging in behaviors that jeopardize systems, expose sensitive data, or subvert security policies. In real time, Infor Risk and Compliance can identify the level of training completion for each authorized user, including:
- Training or knowledge identifier
- Status
- Date first trained or tested
- Date of most recent training

The information collected is used to confirm:
- General security awareness training
- Role-based security training

CRED: the credentials assigned to users.
Poor credential management and authentication practices increase the risk of unauthorized users accessing buildings, networks, and information. Examples of faulty practices include weak passwords, unsecured physical tokens, and not enforcing multifactor authentication for remote access to restricted information. The Infor Risk and Compliance platform can correlate data from HR databases, password management systems, and repositories like Active Directory, as well as e-learning systems, with TRUST and BEHAVE information to determine which users require security awareness training. Infor Risk and Compliance uses the master record of all issued credentials for each authorized user employed by the D/A, and collects the related credential and authorization data elements, including:
- Credentials issued to each user employed by the D/A (including contractors)
- Credential reissuance, revocation, and suspension enforcement mechanisms and their configuration for all credential types
- Password complexity enforcement mechanisms and configuration for all in-scope accounts at the D/A
- Authentication mechanisms implemented for every in-scope account in the D/A
- Account status for every in-scope account at the D/A
- Default accounts/passwords enabled on in-scope systems
- Collection mechanisms and/or processes to detect and record/report the actual state information
The information collected is used to confirm that:
- Only authorized users are issued the authorized credentials of the correct type to access facilities, information, and networks.
- All authorized users have their credentials reissued or reset on a periodic basis.
- All authentication mechanisms deployed on in-scope systems across the D/A implement the appropriate authentication policy.
- All credential types have appropriate expiration, reissuance, and revocation policies.

PRIVILEGES: the access rights granted to users. Agencies assign privileges based on access requests, but as jobs and missions change, privileges are rarely removed, resulting in the risk of improperly accessed resources. Infor Risk and Compliance Authorization Insights captures and logs attempted access across a multitude of platforms and network devices, tracking unwanted users with repeated login failures, unauthorized access attempts, and inappropriate privilege escalation. On top of this, Infor Risk and Compliance can look beyond the network into granular role-based policies on access to business transactions within ERP systems or purpose-built systems. Preventive (can-do) monitoring helps ensure proper Segregation of Duties, and detective (did-do) monitoring finds improper or fraudulent use of the transactional access that has been granted. Infor Risk and Compliance builds a master record of all authorized accesses for each person employed or contracted by the D/A, including:
- Common identifier
- Manager
- Attribute ID, including the status (pending, active, revoked, inactive); date initially authorized; date last authorized; and date revoked

The information collected is used to confirm that:
- Only authorized users with authorized accounts of the correct type are accessing systems.
- All employees have only the privileges necessary to do their jobs.
- All accounts are in compliance with the D/A's Dynamic Segregation of Duties policies.
- All authorized users have their accounts and access reauthorized on a periodic basis (also referred to as periodic attestation).
- All accounts deployed on in-scope facilities and systems across the D/A implement the appropriate restrictions.
- All account types employ appropriate expiration and disable policies.
Dynamic 360° view across the enterprise

The power to correlate disparate data sources is the key to CDM. D/As often deploy PDPs and collect data from identity, credential, access management, and e-learning systems, but often without implementing a correlation engine. As a result, they are limited to the visibility and awareness of each individual tool and the attributes it collects, and cannot correlate data across multiple tools for comprehensive visibility and awareness.

The Infor Risk and Compliance platform provides true situational awareness of risk by dynamically mapping data from all four Phase 2 tool areas. Every attribute of the desired and real states, not just those siloed in one tool area, is compared and analyzed for compliance and defects. By correlating different data types across diverse toolsets, Infor Risk and Compliance helps ensure that there are no gaps in the view of the holistic enterprise. For example, log data may represent a user as an employee number; the HR system may use the employee's full name; and user IDs may vary per network device and application. By collating data from all sources, the solution presents a unified perspective of the employee and eliminates false alerts.

The Infor Risk and Compliance platform issues alerts when it detects any anomaly. Someone who logs into the network might be confirmed to have Trust and Privileges, but not Credentials; Infor Risk and Compliance alerts on this action as someone seeking to access the system without proper credentials. Other examples of behavior that would trigger alerts include:
- A user's clearance has lapsed.
- A user is accessing file systems they are not entitled to access.
- A user has not completed mandatory training.
- A user is logging in from a geographic area outside of policy or is improperly using a VPN.
- A user is working outside of their normal working hours.

Infor Risk and Compliance strengthens the monitoring of user behavior with advanced anomaly detection and enhanced risk scoring. It prioritizes risks based on rules and policies, and enables the most serious incidents to be remediated promptly, before they impact the organization.
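The correlation that the MUR section and the four tool-area descriptions above rely on, shown as an added example that is not Infor's code: records from HR, the LMS and Active Directory each name a person by a different key, are collated onto one common identifier, and each resulting MUR record is then checked against the desired state per tool area, including the case of a user who has Trust and Privileges but no Credential. The identity map, feed field names, the annual training rule and every sample value are constructed assumptions, not Infor's data model.

```python
from datetime import date, timedelta

AS_OF = date(2016, 6, 1)  # constructed evaluation date
TRAINING_MAX_AGE = timedelta(days=365)  # assumed D/A policy: annual awareness training
# Constructed identity map: HR knows a person by employee number, AD by account
# name, the LMS by e-mail. The MUR keys every record on one common identifier.
IDENTITY_MAP = {
    "E1001": "u-ana", "aruiz": "u-ana", "ana.ruiz@agency.example": "u-ana",
    "E1002": "u-ben", "blee": "u-ben", "ben.lee@agency.example": "u-ben",
    "E1003": "u-cy", "cyang": "u-cy", "c.yang@agency.example": "u-cy",
}
# Constructed feeds, one per Phase 2 tool area (the actual state).
HR_TRUST = [  # TRUST: clearance status from the HR system
    {"emp_no": "E1001", "status": "Authorized", "expires": date(2017, 1, 1)},
    {"emp_no": "E1002", "status": "Authorized", "expires": date(2016, 3, 1)},
    {"emp_no": "E1003", "status": "Authorized", "expires": date(2018, 1, 1)},
]
LMS_BEHAVE = [  # BEHAVE: most recent security awareness training from the LMS
    {"email": "ana.ruiz@agency.example", "last_trained": date(2016, 2, 1)},
    {"email": "ben.lee@agency.example", "last_trained": date(2014, 9, 1)},
]
AD_CRED = [  # CRED: issued account state from Active Directory
    {"sam": "aruiz", "enabled": True, "mfa": True},
    {"sam": "blee", "enabled": True, "mfa": False},
]
AD_PRIV = [  # PRIV: group memberships actually held
    {"sam": "aruiz", "groups": {"Staff", "Finance-RO"}},
    {"sam": "blee", "groups": {"Staff"}},
    {"sam": "cyang", "groups": {"Staff", "Domain Admins"}},
]
# Desired state from D/A policy: the groups each person is entitled to.
DESIRED_PRIV = {"u-ana": {"Staff", "Finance-RO"}, "u-ben": {"Staff"}, "u-cy": {"Staff"}}

def build_mur():
    """Collate every feed into one record per common identifier."""
    mur = {}
    def rec(key):
        return mur.setdefault(IDENTITY_MAP[key], {})
    for r in HR_TRUST:
        rec(r["emp_no"]).update(trust=r["status"], trust_expires=r["expires"])
    for r in LMS_BEHAVE:
        rec(r["email"])["last_trained"] = r["last_trained"]
    for r in AD_CRED:
        rec(r["sam"]).update(enabled=r["enabled"], mfa=r["mfa"])
    for r in AD_PRIV:
        rec(r["sam"])["groups"] = r["groups"]
    return mur

def find_defects(mur, as_of=AS_OF):
    """Compare each record's actual state with the desired state per tool area."""
    defects = []
    for uid, u in sorted(mur.items()):
        if u.get("trust") != "Authorized" or u.get("trust_expires", as_of) < as_of:
            defects.append((uid, "TRUST", "clearance missing, lapsed or not authorized"))
        if "last_trained" not in u or as_of - u["last_trained"] > TRAINING_MAX_AGE:
            defects.append((uid, "BEHAVE", "security awareness training overdue"))
        if "enabled" not in u and u.get("groups"):  # trusted and privileged, no credential
            defects.append((uid, "CRED", "privileges held without an issued credential"))
        elif u.get("enabled") and not u.get("mfa"):
            defects.append((uid, "CRED", "MFA not enforced on enabled account"))
        excess = u.get("groups", set()) - DESIRED_PRIV.get(uid, set())
        if excess:
            defects.append((uid, "PRIV", "beyond desired state: " + ", ".join(sorted(excess))))
    return defects
```

Calling `find_defects(build_mur())` on the constructed feeds yields no defects for u-ana, a lapsed clearance, overdue training and a missing MFA defect for u-ben, and for u-cy overdue training, privileges held without any issued credential, and an excess "Domain Admins" membership.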
Case management for investigations and remediation

The value of the Infor Risk and Compliance platform extends beyond identifying deltas between desired and actual states. Its unified views of all data sources eliminate the need to manually gather data across individual point solutions for analysis. The solution not only correlates data between all Phase 1 and Phase 2 sources, it can also integrate data from Phase 3 sources (or tools deemed outside the scope of CDM) for holistic visibility. Without this visibility, agencies could lack the insight to even know that remediation is necessary.

Infor Risk and Compliance also provides deep-dive search functionality for forensic investigations. Analysts can examine patterns of data and trends in network and host access behaviors, and rapidly identify activity and patterns that lie outside the norm. They can then drill down to the original source events for corroboration and further granularity. The solution can also take precautionary measures proactively or when analysts detect issues. For example, analysts can use the IRC provisioning functionality to deny access to a particular resource or to the entire network.

Only Infor Risk and Compliance offers a complete platform for the CDM program. It uniquely tracks all other toolsets used for CDM, for identifying potential security risks and issues, and for remediation to ensure compliance.

[Figure 2. Infor CDM continuous controls monitoring framework. The diagram shows IRC as the "monitor of monitors", escalating and prioritizing alerts and incidents for mitigation on behalf of multiple stakeholders (outsourcing partners, COO/operations, CFO/finance, CIO/IT, risk management, human resources, external audit); desired state ("can do": access to applications/systems, application/process configuration) against actual state ("did do": user activity/transactions, master data controls); the CDM capability areas 5 through 12 (network and asset controls; trust and people granted access; security-related behavior; credential and authentication; privileges and accounts; prepare for contingencies and incidents; detect suspicious events/patterns; respond to contingencies and incidents) spanning Phases 1, 2 and 3; and the monitored sources (digital policy and metapolicy, the MDR, Phase 1 monitoring tools, logs, PDPs, HRMS, business and legacy/program systems) covering people, data, applications, infrastructure, incidents and alerts.]
Platform components

- Application studio: Tailor Infor Risk and Compliance solutions to your unique methodologies and build on-demand applications.
- Reports and dashboards: Take advantage of pre-built reports and dashboards, and create your own with the user-friendly web interface, or feed the D/A's specific dashboards.
- Advanced business workflow: Define and automate business processes for streamlining the management of content, tasks, statuses, and approvals. The advanced workflow engine enables application authors to visually describe business processes as a flowchart, with steps that can execute code.
- Access control: Enforce access controls at the system, application, record, and field levels, so users interact only with the information that is relevant for their roles.
- Self-service access provisioning: Enables privileged users to request (emergency) access to network components on a 24/7 basis, using the full access control logic.
- User experience: A next-generation user interface puts GRC priorities right at the user's fingertips, presenting the right information at the right time for each role with fewer clicks required.
- Policy-driven remediation: Forces the resolution of all flagged violations through configurable assignments, automated user and account de-provisioning, compensating controls, and notifications. Infor Risk and Compliance's continuous monitoring helps ensure that all violations are resolved in a timely manner and documented in an extensive audit trail.
- Quarterly attestation: Helps ensure that all users' roles, assignments, access points, and other credentials are reviewed and approved by managers on a quarterly or periodic basis, to reduce the potential for fraud and lingering compliance violations.
- System integration: The Infor Risk and Compliance platform serves as an aggregation point for consolidating governance, risk, and compliance information of any type. The platform allows seamless integration of data systems without requiring additional software. Users can automate movement of data into and out of the platform to support data analysis, process management, and reporting.
- Mobile capabilities: Conduct audit, risk, and compliance assessments anywhere from your mobile device.
- Relationship visualization: Easily visualize GRC data and relationships. By revealing patterns that may not be noticed in a standard report, relationship visualization allows users to make business decisions more easily and helps ensure the highest risks are addressed.
- Globalization: Infor continues to enhance the Infor Risk and Compliance platform for use in markets around the globe. The solution offers double-byte support. Localization provides region- and language-specific components, and multilingual development enables customers to support multiple languages within their Infor Risk and Compliance environment.
- Deployment flexibility: Infor supports both on-premises and hosted (SaaS) deployments of the Infor Risk and Compliance platform, allowing users to balance administrative control, time to value, and cost considerations when planning an implementation. Users can deploy the platform in the most appropriate environment based on their current needs and move applications from one environment to another as their needs change.
Key benefits

Infor Risk and Compliance is:
- Available: Infor Risk and Compliance is an off-the-shelf solution that can be installed today. It includes pre-built insights, a rules engine, and adapters, so it can be configured to work in weeks for immediate benefit realization. Plus, it provides a platform to build on.
- Flexible: The platform offers a point-and-click interface for building and managing business applications. Non-technical users can automate processes, streamline workflow, control user access, tailor the user interface, and report in real time.
- Unified: Infor Risk and Compliance provides a common platform for managing policies, controls, risks, assessments, and deficiencies across lines of business. This unified approach eases system complexity, strengthens user adoption, and reduces training time.
- Collaborative: The platform enables cross-functional collaboration and alignment. D/A users across IT, finance, operations, and legal domains can work together in an integrated framework using common processes and data.

Visit us online or contact your Infor account representative to learn more.

Copyright 2016 Infor. All rights reserved. The word and design marks set forth herein are trademarks and/or registered trademarks of Infor and/or related affiliates and subsidiaries. All other trademarks listed herein are the property of their respective owners. www.infor.com. 641 Avenue of the Americas, New York, NY 10011. INFDTP1523962-en-US-0616-1