IT Audit Community

  • 1.  Identity and Access Management Review

    Posted 02-03-2025 07:25 PM

    We are currently conducting an Identity and Access Management (IAM) Review, focusing on key areas such as Third-Party Access, User Access Management, Access Logging and Monitoring, and Authorization & Authentication. As part of our planning, we are looking to see if anyone has recently completed an audit in any of these areas and would be willing to share insights, best practices, or key takeaways. Any guidance or experiences would be greatly appreciated.



    ------------------------------
    Millicent Mwai | IT Auditor | University of Oregon
    | mmwai@uoregon.edu
    ------------------------------


  • 2.  RE: Identity and Access Management Review

    Posted 02-09-2025 09:43 AM

    Millicent, 

    IAM is huge, and I'm not sure of your detailed scope. Here are some quick thoughts. I assumed your scope is not PAM. 

    1. You have many different types of users (students, staff, faculty, alumni, emeritus, external researchers/participants, potential students, etc.). You may need to break it down according to the type of user. Normally, requirements and processes differ a lot.... 
    2. Central IAM process versus Distributed IT IAM. What is your scope and coverage of IAM within the institution? 
    3. AD group management. AD groups are usually key in IAM. 
    4. Azure/Entra AD Integration 
    5. Link to good practices (CIS Access control 6.1-6.8, Cobit, NIST CSF PR.AA)
    6. Ensure you cover the specific legal access control requirements: 800-171 (3.1, 3.3, etc.), GLBA, FERPA, and the new proposed HIPAA access controls as applicable
    7. Make sure you assess the IAM program. Usually, the root cause. 

    Let me know if you have any questions.

    This is a fun audit with a lot of value.

    See you all in Oklahoma City on March 9th. I will cover Access control as part of my CMMC session. 

    Johan Lidros CISA, CISM, CGEIT, CRISC, CDPSE, HITRUST CCSFP, ITIL-F



    ------------------------------
    Johan Lidros | President | Eminere Group LLC
    (813) 832-6672 | johan.lidros@emineregroup.com
    ------------------------------
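Items 1, 3 and 6 in the reply above (breaking the review down by user type, treating AD groups as the core of IAM, and testing access-revocation and least-privilege requirements such as CIS 6.2/6.8 and 800-171 3.1) can be turned into a repeatable audit test. The script below is an added example, not code from the thread or either poster; it assumes an HR roster and an AD account export in a simple constructed CSV layout, and a hypothetical local policy that only staff and faculty may hold privileged group membership.

```python
import csv
import io

# Constructed sample data (not from the thread): HR system of record and an AD export.
HR_ROSTER = """user,user_type,status
astudent,student,active
bfaculty,faculty,active
cstaff,staff,separated
dalumni,alumni,active
"""

AD_ACCOUNTS = """user,enabled,groups
astudent,true,Students;ServerAdmins
bfaculty,true,Faculty
cstaff,true,Staff;ServerAdmins
dalumni,true,Alumni
eorphan,true,Staff
"""

# Assumed local policy: only these user types may sit in privileged groups.
PRIVILEGED_GROUPS = {"ServerAdmins", "Domain Admins"}
PRIVILEGED_ALLOWED_TYPES = {"staff", "faculty"}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_access(roster_csv, ad_csv):
    """Return (check, user, detail) findings from cross-checking AD against HR."""
    roster = {r["user"]: r for r in load(roster_csv)}
    findings = []
    for acct in load(ad_csv):
        user = acct["user"]
        enabled = acct["enabled"].lower() == "true"
        groups = set(filter(None, acct["groups"].split(";")))
        person = roster.get(user)
        # Orphaned account: nobody in the system of record owns it (distributed-IT blind spot).
        if person is None:
            findings.append(("orphan", user, "no HR record"))
            continue
        # Revocation (CIS 6.2): separated people must be disabled and out of all groups.
        if person["status"] == "separated" and (enabled or groups):
            findings.append(("revocation", user, "separated but still enabled/in groups"))
        # Least privilege by user type: privileged groups restricted to allowed types.
        priv = groups & PRIVILEGED_GROUPS
        if priv and person["user_type"] not in PRIVILEGED_ALLOWED_TYPES:
            findings.append(("privileged", user, f"{person['user_type']} in {sorted(priv)}"))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, AD_ACCOUNTS):
        print(*finding, sep=" | ")
```

Each finding maps to a control the reply cites, so the output can be filed directly as audit evidence; real exports would replace the inline CSV strings.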