
Navigating Compliance Controls in the IAM Space

November 20, 2013

We previously covered developing the business case for IAM and briefly touched on the role of ROI analysis for investment justification. While calculating numbers and measuring required return is important, there is something that can do more harm to the business than negative ROI: reputational damage and fines incurred by non-compliance.

While the number of compliance regulations and their granularity vary by vertical and business profile, there are some well-known regulations that affect almost everyone: HIPAA/HITECH and PCI DSS, which require privacy of personal information in the healthcare and payment card industries. Regulations such as SOX (Sarbanes-Oxley Act), GLBA (Gramm-Leach-Bliley Act) and SSAE no.16 (previously known as SAS 70) are also widespread and no less important. There are, however, implementation differences between the controls prescribed by the former and the latter.

Both HIPAA/HITECH and PCI DSS provide formal requirements for various security areas that need to be implemented and controlled for an organization to remain compliant. HIPAA, for example, contains various Rules - Privacy, Security, Enforcement, etc. - and consists of Safeguards - Administrative, Technical, and Physical. The Security Rule comprises a total of 42 controls, some of which are directly IAM-related. PCI DSS (version 3.0 was introduced in November 2013) contains 12 granular requirements that can be split into six functional areas.

On the other hand, the latter group of regulations – SOX, GLBA and SSAE no.16 – does not contain any granular requirements or controls and simply prescribes implementation of “adequate internal controls” as those relate to information privacy and access rights.

We recommend taking steps to strengthen IAM-related controls in the following compliance areas:

Access Provisioning and Deprovisioning

  • Streamline and automate manual and simulated access provisioning and deprovisioning processes that are prone to human error. Leverage unique user ID and attributes to enhance risk controls and allow for audit trails.
  • Configure automatic, event-based notifications to respective business process owners and stakeholders for follow-up and control purposes.  

Access Certification Campaigns and Access Requests

  • Implement automated, periodic certification campaigns that enable application owners and supervisors to review and authorize the access of users who work with financial data and are involved in creating financial statements and reports.
  • Establish access request functionality that provides audit trails for requests and approvals (specifically for privileged access), user status and a point of audit for currently approved end-user access.

Role Management

  • Even though compliance regulations do not usually impose a strict requirement for role-based access control (RBAC) adoption, RBAC, if implemented, leads to granular access management policies and greater access management flexibility. A Compliance & Identity Management Readiness (CIMR) Assessment (data aggregation, correlation, and analysis) can provide a view of enterprise-wide access privileges and assist in modeling groups and role mining (bottom-up and top-down role analysis) for more granular internal controls over user access.

Segregation of Duties (SOD)

  • SOD policies play a key role in the prevention and detection of violations. Implementing SOD policies is important to assure that the functions a user performs while working with financial data are segregated, so that accounting fraud is prevented.
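As an added illustration (not code from the original post or from any product it describes), the following Python shows the two sides of an SOD policy in their simplest form: a detective scan of a current entitlement snapshot for toxic combinations, which an audit or certification campaign would run periodically, and a preventive check that an access request workflow can run before an approver sees the request. The user names, entitlement names and SOD rules are constructed for the example; an IAG solution would source them from its correlated identity data.

```python
# Added example: segregation-of-duties (SOD) detection and prevention over a
# constructed snapshot of user entitlements. Names and rules are hypothetical.
from dataclasses import dataclass

# Constructed sample: the entitlements each user currently holds.
USER_ENTITLEMENTS = {
    "alice": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},
    "bob":   {"AP_CREATE_VENDOR", "GL_POST_JOURNAL"},
    "carol": {"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL", "READ_ONLY_REPORTS"},
    "dave":  {"READ_ONLY_REPORTS"},
}

# Constructed SOD policy: pairs of entitlements one person must never hold
# together, each with a short rationale shown to the reviewer.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "create vendor + approve payment"),
    ("GL_POST_JOURNAL", "GL_APPROVE_JOURNAL", "post journal + approve journal"),
]


@dataclass(frozen=True)
class Violation:
    user: str
    left: str
    right: str
    rationale: str


def find_violations(entitlements, rules):
    """Detective control: every (user, rule) pair where the user holds both
    halves of a toxic combination. Sorted by user for stable reporting."""
    found = []
    for user, held in sorted(entitlements.items()):
        for left, right, why in rules:
            if left in held and right in held:
                found.append(Violation(user, left, right, why))
    return found


def would_violate(entitlements, rules, user, new_entitlement):
    """Preventive control: rationales of the rules that would be broken if
    `user` were granted `new_entitlement` on top of what they already hold.
    An empty list means the request is clean with respect to SOD."""
    held = set(entitlements.get(user, set())) | {new_entitlement}
    return [why for left, right, why in rules if left in held and right in held]


def violation_report(entitlements, rules):
    """Group current violations by user for the audit report."""
    report = {}
    for v in find_violations(entitlements, rules):
        report.setdefault(v.user, []).append(v.rationale)
    return report


if __name__ == "__main__":
    for user, reasons in violation_report(USER_ENTITLEMENTS, SOD_RULES).items():
        print(f"{user}: {', '.join(reasons)}")
    # Simulate an access request for bob before it reaches an approver.
    blocked = would_violate(USER_ENTITLEMENTS, SOD_RULES, "bob", "GL_APPROVE_JOURNAL")
    print("bob request blocked by:", blocked)
```

The periodic scan feeds the certification and audit reports described in this post, while the request-time check is what lets a workflow refuse or escalate a request before it creates a violation rather than finding it in the next campaign.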

Audit and Reporting

  • An Identity and Access Governance (IAG) solution can create detailed periodic access reports, reports on high-risk systems containing financial and accounting information, and reports on security violations. This helps sustain risk standards and internal audit control mechanisms.


  • Evaluate existing password policies and authentication mechanisms and assist in selecting and implementing alternative or advanced authentication solutions and password management functionality (reduced sign-on, simplified sign-on, single sign-on) based on your security policies, environment and existing challenges.

What we are witnessing today is that the cost of compliance is constantly growing, especially if organizations try to implement separate controls for each regulation. The number of regulations is unlikely to decrease; in fact, they will grow, especially for global and diversified companies. IAM-related controls, however, if implemented with due diligence and strategically approached, can address numerous regulations, thus reducing risks and enhancing business performance.
