Mark Wahl of Informed Control Inc. presents Assessment Techniques for Auditing Identity Management at RSA conference
2007 February 5
Mr. Mark Wahl, CISA, presented an overview of Assessment Techniques for Auditing Identity Management at the RSA conference 2007 in San Francisco.
From the session abstract:
"Recent legislation mandates that US federal government agencies must perform annual security reviews of their computer systems that contain sensitive data. This has led to the development of a category of best practice techniques and tools, known as Certification and Accreditation, for performing risk assessments for networked services, and verifying that the security controls on these systems meet requirements and actually work as intended. These concepts are not government or US-specific: they are directly applicable to any large organization. In particular, they are best employed when new applications are being deployed or existing deployments are being audited, in order to reduce the risk that a misconfigured or unmonitored security control might find its way into the deployment and later be compromised by an attacker, which could lead to the loss or exposure of private, business-critical data."
"This vendor-independent presentation introduces the security verification and validation techniques as used today across government agencies, and shows how they can be applied within companies, as part of software procurement and auditing processes, to address regulatory requirements and increase confidence in the effectiveness of security controls. As a successful attack on an organization's identity infrastructure could lead to the theft of large quantities of personal information, as well as compromise that organization's line of business applications, the presentation focuses on techniques to improve the trust of Identity Management deployments. Specifically it discusses external and internal threats to these deployments, and approaches for reviewing and monitoring directory, access management, provisioning and federation services."
More information is available at the Resources page, including references to the documents mentioned in the presentation.