ISG Case Study
IT Security – Non Person ID Catalog Assessment
Health Care Payor
Our client is the largest customer-owned health insurance company in the United States. The company, founded in 1936, serves more than 16 million members across five states
Address Audit concerns regarding all Non-Person Id’s within their enterprise systems environment.
The clients audit department raised a concern with their IT Security department related to Nonperson IDs or NPIDs.
Do they have a complete list of these? Where are they located within their enterprise systems environment? How are they managed?Have they been certified? What are te levels of permission on each?
Not fully knowing the function of every NPID used by computer services, applications, databases and more was problematic and hard to manage. Without full knowledge of every aspect of each NPID, they couldn’t be sure if the NPID is for a retired or critical application making it hard to address when they’re leery of making changes and possibly creating disruption to their business.
There were many questions that couldn’t be answered with absolute certainty.
This became not only an audit concern but also a major security risk.
The client needed to react quickly and address these concerns. They decided to engage a trusted external partner with the experience necessary to hit the ground running and identify and certify all NPIDs within their enterprise. As well, build a repository to manage these going forward and eliminate any risks associated with NPIDs in the future.
Provide a Robust outsourced IT Security NPID Catalog and Governance process, Eliminating future Risk
ISG proposed to partner with the client’s IT Security group as well as internal IT areas within the Application, Database and Systems Administration functions of the organization to develop a process to identify, certify, store and manage a robust catalog of all NPIDs within their systems environment.
ISG will bring a team of experienced security leaders and analysts to the table that understood IAM as well as the technical aspects of their systems environment. Our team come with the necessary experience required to work with such a diverse range of technical environments and people.
ISG proposed a three-pronged approach to achieve the necessary outcome:
Identify all sources in your environment associated with the distributed NPIDs.
ISG will work with their staff and toolset to inventory and catalog all distributed NPIDs and transfer knowledge to your staff. Depending on their environment, ISG will use reference files to match your NPIDs to other data sources to identify owners or applications associated with the NPIDs.
Verify NPID ownership.
ISG will help you organize a process to link each NPID back to its appropriate application area and specific
owner. We will develop and organize the process that cleans and verifies the list, making it much easier to transition NPIDs to a current owner.
Clarify roles of each NPID.
Once an NPID is identified and verified, ISG will assist the client with organizing a process to seek a business justification for every NPID. If there isn’t one, such as the application being retired, the NPID may be deleted.
We were selected to engage with the client for this endeavor.
Safe & Secure NPID Governance Solution
Over a period of several months, our team engaged with the client to execute our program for addressing this issue.
Working closely with the IT Security group, our team utilized multiple sources of information and met with numerous key individuals within the organization to identify and create a robust catalog of all NPIDs within their enterprise systems environment.
Our Solution delivered the following:
Identification of all NPID’s within their organizations Distributed environments.
Catalog NPID’s and associated information including ID, Business System Usage, User, Function it performs, last used.
Outlining NPID framework components that provide for the capture of NPID information and the ongoing maintenance of attributes such as entitlements throughout the NPID process lifecycle.
Established Certification Process
Built a process for the Provisioning and Certification of accounts containing NPIDs.
Outlined a process to govern and manage all out of use, unclassified NPID data going forward.
Provide Training and Oversight to client Staff regarding how to continually update and refresh documentation as system and technical changes are implemented.
Our solution provided the necessary outcomes to meet the clients current Audit requirement and eliminated security risks and future audit concerns going forward. In addition, this solution provided information that could be fed into a future state IAM SalePoint solution that was targeted for implementation later that year.