CIS13: How IAM Improved Sallie Mae's Compliance and Risk Posture

Posted on 08-Jun-2015


DESCRIPTION

Jennifer Darwin, Senior Manager, Sallie Mae

Jennifer Darwin will discuss how Sallie Mae used identity management to address its compliance and security challenges. This identity governance case study will discuss how Sallie Mae was able to address more than 3,000 security controls (including FISMA and FFIEC regulations), while simultaneously eliminating critical security vulnerabilities associated with user access privileges, including SoD policy violations, entitlement creep and orphan accounts. She will also provide best practices to help companies achieve the same results.

TRANSCRIPT

FINANCIAL SERVICES CASE STUDY: Improving Compliance & Risk Posture With Next-gen IAM

Speaker: Jennifer Darwin, Manager of IAM, Corporate Information Security

CLOUD IDENTITY SUMMIT JULY 2013

ABOUT SALLIE MAE

▶  The nation’s #1 financial services company specializing in education

▶  Over 10 million student and parent customers, more than 9,000 employees and 2,000 contractors

▶  Manages $207 billion in education loans & 529 college-savings plans

▶  The company’s saving programs, planning resources and financing options have helped more than 31 million people make the investment in higher education

KEY BUSINESS DRIVERS

▶  Comply With Major Regulations
   –  FISMA, SOX, GLBA, PCI and SAS-70's (Sallie Mae)
   –  FFIEC and State of Utah (Sallie Mae Bank)
   –  SEC, FINRA & FTC (Upromise Rewards and Investments)

▶  Enhance Efficiencies Through Automated Provisioning
   –  Some relatively high-turnover functions create demand for more rapid SLAs
   –  Restructuring creates short-term demand
   –  New business initiatives require rapid but controlled response

▶  Reduce Operational Risk
   –  Eliminate redundant, sub-optimal processes and centralize controls in one place across the enterprise
   –  Prevent/detect fraud: manual processes and hand-offs make security policy enforcement challenging

PROJECT STRATEGY

▶  Increase efficiency through Automation

▶  Improve effectiveness through process Optimization

▶  Improve Quality of compliance activities

[Diagram: systems in scope – Ariba, ADP, Workday, Databases, Mainframe, Exchange, AD, App 1, App 2, App 3, Etc.]

PROJECT OVERVIEW

[IAM architecture diagram, Copyright ©2010 by Deloitte; components as labelled:]
   –  Compliance Management
   –  Identity populations: Employee, Customer, Business Partner
   –  HR & Other Authoritative Sources
   –  Enterprise Roles
   –  Access Management
   –  Business Events
   –  Role hierarchy: Business Role → IT Roles → Entitlements
   –  User Provisioning
   –  Apps & Users

PROJECT OVERVIEW: IMPLEMENT ROLE-BASED ACCESS

[Same IAM architecture diagram as on the Project Overview slide (Copyright ©2010 by Deloitte), with Enterprise Roles highlighted]
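The role-driven model on this slide (HR and other authoritative sources feeding enterprise roles, which expand through IT roles to entitlements and drive provisioning) is what lets the governance problems named in the description (orphan accounts, entitlement creep, SoD policy violations) be detected mechanically rather than by hand. The following Python is an added example written for this page, not Sallie Mae's or Deloitte's code; the HR records, role names, entitlement names, account ids and the single SoD rule are all constructed for illustration.

```python
"""Identity-governance reconciliation against an authoritative HR source.

Added example: the HR feed, role model, entitlement names and SoD rule below are
constructed for illustration and are not Sallie Mae's or Deloitte's data.
"""
from dataclasses import dataclass, field

# Authoritative source (HR feed): worker id -> (business role, employment status)
HR_FEED = {
    "w100": ("Loan Servicing Agent", "active"),
    "w101": ("Loan Servicing Agent", "active"),
    "w102": ("AP Clerk", "active"),
    "w103": ("AP Clerk", "terminated"),
}

# Enterprise role model: business role -> IT roles, IT role -> entitlements
BUSINESS_ROLES = {
    "Loan Servicing Agent": ["servicing_app_user", "mainframe_inquiry"],
    "AP Clerk": ["ariba_requester", "ad_standard_user"],
}
IT_ROLES = {
    "servicing_app_user": {"SVC:view_account", "SVC:update_contact"},
    "mainframe_inquiry": {"MF:CICS_INQUIRY"},
    "ariba_requester": {"ARIBA:create_po"},
    "ariba_approver": {"ARIBA:approve_po"},
    "ad_standard_user": {"AD:Domain Users"},
}

# Segregation-of-duties policy: entitlement pairs one person must never hold together
SOD_RULES = [("ARIBA:create_po", "ARIBA:approve_po")]

# Snapshot of what the target systems actually grant (account id -> entitlements),
# as a connector or export would report it
ACTUAL_ACCESS = {
    "w100": {"SVC:view_account", "SVC:update_contact", "MF:CICS_INQUIRY"},
    "w101": {"SVC:view_account", "SVC:update_contact", "MF:CICS_INQUIRY", "SVC:write_off"},
    "w102": {"ARIBA:create_po", "ARIBA:approve_po", "AD:Domain Users"},
    "w103": {"ARIBA:create_po", "AD:Domain Users"},
    "svc_legacy": {"MF:CICS_INQUIRY"},   # account with no HR record at all
}


def expected_entitlements(business_role):
    """Flatten business role -> IT roles -> entitlements into the access a role grants."""
    ents = set()
    for it_role in BUSINESS_ROLES.get(business_role, []):
        ents |= IT_ROLES.get(it_role, set())
    return ents


def active_role(hr_feed, account):
    """Business role of the account's owner, or None if there is no active owner."""
    record = hr_feed.get(account)
    if record is None or record[1] != "active":
        return None
    return record[0]


@dataclass
class Findings:
    orphan_accounts: list = field(default_factory=list)    # no active owner in HR
    entitlement_creep: dict = field(default_factory=dict)  # account -> access beyond its role
    sod_violations: list = field(default_factory=list)     # (account, ent_a, ent_b)


def reconcile(hr_feed, actual_access, sod_rules):
    """Compare granted access with role-derived access and the SoD policy."""
    findings = Findings()
    for account, held in sorted(actual_access.items()):
        role = active_role(hr_feed, account)
        if role is None:
            # Unowned or leaver account: everything it holds is a removal candidate.
            findings.orphan_accounts.append(account)
            continue
        extra = held - expected_entitlements(role)
        if extra:
            findings.entitlement_creep[account] = sorted(extra)
        for ent_a, ent_b in sod_rules:
            if ent_a in held and ent_b in held:
                findings.sod_violations.append((account, ent_a, ent_b))
    return findings


def certification_items(hr_feed, actual_access):
    """Rows for an access-certification campaign: (account, entitlement, explained_by_role).
    Reviewers can concentrate on rows where the role does not explain the access."""
    rows = []
    for account, held in sorted(actual_access.items()):
        role = active_role(hr_feed, account)
        expected = expected_entitlements(role) if role else set()
        for ent in sorted(held):
            rows.append((account, ent, ent in expected))
    return rows


if __name__ == "__main__":
    result = reconcile(HR_FEED, ACTUAL_ACCESS, SOD_RULES)
    print("Orphan accounts:", result.orphan_accounts)
    print("Entitlement creep:", result.entitlement_creep)
    print("SoD violations:", result.sod_violations)
    exceptions = [r for r in certification_items(HR_FEED, ACTUAL_ACCESS) if not r[2]]
    print("Certification rows needing reviewer attention:", len(exceptions))
```

On the constructed data this flags the unowned `svc_legacy` account and the terminated worker's leftover account as orphans, the extra `SVC:write_off` and `ARIBA:approve_po` grants as entitlement creep, and the requester-plus-approver combination as an SoD violation. The certification rows show why enterprise roles streamline review: access the role explains can be certified in bulk, and the reviewer's attention goes to the handful of exceptions.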

PROJECT OVERVIEW: STREAMLINE ACCESS CERTIFICATIONS

[Same IAM architecture diagram as on the Project Overview slide (Copyright ©2010 by Deloitte), with the Automated Access Certification step highlighted]

PROJECT OVERVIEW: FOCUS ON ACCESS REQUEST FORMS

[Same IAM architecture diagram as on the Project Overview slide (Copyright ©2010 by Deloitte), with the Application Access Request Form highlighted]

RESULTS: CLEARLY DEFINED USER ROLES

[Chart: # of Users with Enterprise Roles, by project phase (Phase 1 through Phase 5); y-axis: # of Users; data labels as extracted, in order: 250, 2,500, 5,000, 6,000, 6,500]

RESULTS: ENHANCED PROVISIONING

[Diagram: Request → Provision duration compared for Original State, Current State and Future State]

Provisioning Efficiencies:
   –  Current State: 33% Reduction
   –  Future State: 60% Reduction (est.)

RESULTS: STREAMLINED ACCESS CERTIFICATION PROCESS

RESULTS: 64% IMPROVEMENT ACHIEVED, EXCEEDING EXPECTATIONS!

Before: separate, manual spreadsheets
•  Over 1,100 controls (chart: PCI 240, FISMA 200, ICE (for IT) 400, GLBA / FFIEC 250, FACTA 14)
•  Different frameworks; different risk areas
•  Inconsistent traceability to mandates
•  Incomplete coverage of mandates

After: single repository, solution enabled
•  64% overlap removed
•  400 Integrated Requirements (chart: INTEGRATED 400)
•  Common Framework using 16 Functional Risk Areas
•  Full traceability to 160+ mandates
•  Includes FISMA, ICE, PCI DSS, GLBA, etc.

WHERE WE ARE NOW

▶  More than 700 applications on-boarded

▶  Over 6,500 users in a job role (approximately 75% of the company)

▶  Seven segregation of duty or monitoring processes implemented

▶  Access certification improvements institutionalized – this consists of over 20,000 user entitlements to be reviewed this year

WHERE WE WANT TO BE BY Q4 2013

▶  Continue to expand current project scope
   –  Goal is to have 90% of the company in enterprise roles
   –  Goal is to have 24 certifications scheduled

▶  Continue expanding project scope to include even more SaaS and hosted apps
   –  ADP, Ariba, Workday
   –  Looking at externally hosted apps too (FIS, FNI, FDR)

▶  Moving to make Workday our authoritative source
   –  Corporate HR system moving to Workday – tentatively scheduled for Q4 2014

LESSONS LEARNED/BEST PRACTICES

▶  Do Enterprise Roles First
   –  Simplifies the implementation of all IAM components and reduces future rework
   –  Team MUST include someone who has successfully deployed Enterprise Roles

▶  Well Defined Roadmap
   –  Requires shared vision from business and executives
   –  Part of broader program

▶  Achieve Quick Wins
   –  Showing results is critical to keep momentum of multi-year program

[Diagram: User Provisioning, Enterprise Roles, Access Requests, Access Certification – "Can be leveraged across…"]

THANK YOU AND QUESTIONS

Jennifer Darwin 317.598.4104

jennifer.a.darwin@salliemae.com
