Identity and Access Management Remediation
A leading Tier-1 bank identified significant gaps and deficiencies in the design, implementation, and operation of key procedural controls for identity and access management. A program was established to address the issues, and multiple remediation workstreams were initiated to reduce the risk of privileged and inappropriate access to infrastructure. While the immediate issues and basic remediation options were operationally understood, it was recognized that a sustainable approach and new strategy for the management of access rights was required to realise successful long-term risk reduction.
Synechron was retained to lead and execute several projects and provide the expertise necessary to help achieve the program’s objectives. A highly skilled team of security architects, experienced project managers, and domain business analysts and SMEs was engaged across a diverse stakeholder group (including IT Security, CTO, Architecture, Risk & Compliance, Infrastructure, Application Development, Operations, and Audit).
The team executed a basket of projects to realise near-term risk reduction benefits across audited key procedural controls in four areas of critical concern: segregation of duties, highly privileged users, temporary privileged access, and management of technical (non-user) accounts. Existing control processes were analysed and remediated, and new processes were designed and implemented, resulting in the downgrade/closure of several high-visibility operational risk issues.
Synechron also defined, mobilised and executed a project to design and deliver a centralised access management controls assurance service providing improved transparency on the effectiveness of access management controls as well as governance and tracking around the remediation of control violations. Working closely to meet the needs of 1st and 2nd lines of defence, the service directly supported the quarterly internal controls assessment process for onboarded controls.
Additionally, Synechron led the program’s flagship project to define a new end-to-end future-state strategy for access management. The target operating model addressed control gaps strategically by considering the full lifecycle of infrastructure entitlements from request & approval through to provisioning and removal. It also encompassed supporting processes such as re-certification and reconciliation. Controls were embedded in the processes, including upstream and downstream dependent activities such as Joiner, Mover, and Leaver processes.
Near-term risk reduction benefits
Sustainable control effectiveness