Industry Compliance

Cymmetri is built in accordance with industry regulations and guidelines.

Insurance Regulatory and Development Authority of India (IRDAI)

Below are the control objectives relevant to IRDAI.

Data Classification

Access Control

Generic IDs

Provisioning

Deprovisioning

SOD

Password Policy

Recertification/Access Control

User Authorization

Endpoint Security

Rule-Based Authentication

Secure Logon

Recertification

Remote Access

Compliance and Audit

Access to program source code

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) imposes strict requirements on organizations that process personal data. This includes specific guidelines related to Identity and Access Management (IAM).

General Considerations

  • Data Minimization

  • Lawful Processing

  • Data Subject Rights

  • Accountability

IAM-Specific Considerations

  • Strong authentication: Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to protect against unauthorized access.

  • Access control: Implement robust access control measures to ensure that only authorized individuals can access personal data.

  • Data encryption: Encrypt personal data both at rest and in transit to protect against unauthorized access and disclosure.

  • Regular reviews: Conduct regular reviews of access rights to ensure they remain appropriate and necessary.

  • Incident response plan: Have a plan in place to respond to data breaches and other security incidents.

  • Data retention policies: Establish clear data retention policies that align with the GDPR's requirements.

  • Consent management: If relying on consent as a legal basis for processing, ensure that consent is freely given, specific, informed, and unambiguous.

By adhering to these guidelines, organizations can ensure that their IAM practices comply with the GDPR and protect the privacy and rights of individuals.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) sets standards for the privacy and security of Protected Health Information (PHI). This includes specific requirements related to Identity and Access Management (IAM).

General Considerations

Security Rule

  • Administrative safeguards: Implement administrative procedures to safeguard PHI, including risk assessments, security awareness training, and incident response plans.

  • Physical safeguards: Implement physical measures to protect PHI, such as access controls, surveillance systems, and disaster recovery plans.

  • Technical safeguards: Implement technical measures to protect PHI, such as access controls, encryption, and audit trails.

  • Business associate agreements: If you work with business associates that handle PHI, ensure that they have appropriate safeguards in place and enter into business associate agreements.

HIPAA Breach Notification

  • Notify affected individuals: If a breach of PHI occurs, you must notify affected individuals without undue delay.

  • Report to HHS: In certain cases, you must also report the breach to the Department of Health and Human Services (HHS).

  • Incident response: Develop and implement an incident response plan to address security breaches and data breaches.

IAM-Specific Considerations

  • Access controls: Implement robust access controls to ensure that only authorized individuals can access PHI.

  • Authentication: Require strong authentication methods, such as multi-factor authentication, to prevent unauthorized access.

  • Authorization: Assign appropriate access privileges based on job functions and roles.

  • Password management: Implement strong password policies and enforce regular password changes.

  • Data encryption: Encrypt PHI both at rest and in transit to protect against unauthorized access and disclosure.

  • Audit trails: Maintain audit trails to track access to PHI and identify potential security breaches.

  • Risk assessments: Conduct regular risk assessments to identify potential vulnerabilities and take appropriate measures to mitigate them.

By adhering to these guidelines, organizations can ensure that their IAM practices comply with HIPAA and protect the privacy and security of PHI.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) is a U.S. federal law that sets standards for financial reporting and corporate governance. While it doesn't explicitly mention Identity and Access Management (IAM), its focus on internal controls and financial reporting has significant implications for IAM practices.

Internal Controls

  • Segregation of duties: Ensure that there is a separation of duties to prevent conflicts of interest and fraud. For example, individuals who have access to create or modify records should not also have the authority to approve or authorize transactions.

  • Access logs: Maintain detailed access logs to track user activity and identify unauthorized access.

  • Change management: Implement a formal change management process to review and approve changes to systems and access controls.

  • Regular reviews: Conduct regular reviews of access rights to ensure they remain appropriate and necessary.

  • Incident response: Have a plan in place to respond to security breaches and other incidents.

Financial Reporting

  • Accurate and reliable data: Ensure that financial data is accurate and reliable by implementing appropriate access controls and data integrity measures.

  • Management oversight: Management should oversee IAM practices and ensure that they are effective in preventing unauthorized access and data manipulation.

  • Documentation: Document IAM policies and procedures to demonstrate compliance with SOX requirements.

IAM-Specific Considerations

  • User provisioning and deprovisioning: Establish clear procedures for adding and removing users from systems, ensuring that access is granted and revoked promptly.

  • Password management: Implement strong password policies and enforce regular password changes.

  • Privilege escalation: Limit the ability of users to escalate their privileges, preventing unauthorized access to sensitive systems or data.

  • Monitoring and alerting: Implement monitoring and alerting systems to detect unusual activity or potential security threats.

  • Third-party access: If you work with third-party vendors or contractors, ensure that they have appropriate safeguards in place to protect your data.

By adhering to these guidelines, organizations can demonstrate compliance with SOX and strengthen their internal controls related to identity and access management.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements for organizations that handle cardholder data. This includes specific guidelines related to Identity and Access Management (IAM). Here are some key points to consider:

Requirement 7: Restrict Access to Cardholder Data

  • Assign unique IDs: Assign unique identifiers to each person with authorized access to cardholder data.

  • Limit access: Restrict access to cardholder data to only those individuals who need it to perform their job functions.

  • Regular reviews: Conduct regular reviews of access rights to ensure they remain appropriate and necessary.

  • Least privilege principle: Grant individuals only the minimum privileges necessary to perform their job functions.

Requirement 8: Unique IDs for System Components

  • Identify components: Assign unique identifiers to all system components that process, store, or transmit cardholder data.

  • Track access: Track access to system components to identify unauthorized access.

Requirement 9: Restrict Physical Access to Cardholder Data

  • Secure areas: Restrict physical access to areas where cardholder data is processed, stored, or transmitted.

  • Access controls: Implement physical access controls, such as locked doors and security cameras.

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

  • Access logs: Maintain detailed access logs to track user activity and identify unauthorized access.

  • Monitoring: Implement monitoring systems to detect unusual activity or potential security threats.

  • Alerting: Configure alerts to notify appropriate personnel of suspicious activity.

Requirement 12: Maintain a Strong Access Control Mechanism

  • Password policies: Implement strong password policies, including minimum length, complexity requirements, and regular password changes.

  • Authentication: Require strong authentication methods, such as multi-factor authentication.

  • Privilege escalation: Limit the ability of users to escalate their privileges, preventing unauthorized access to sensitive systems or data.

Requirement 13: Regularly Test Access Controls

  • Penetration testing: Conduct regular penetration testing to identify vulnerabilities in access controls.

  • Vulnerability scanning: Use vulnerability scanning tools to identify and address security weaknesses.

By adhering to these guidelines, organizations can demonstrate compliance with PCI DSS and protect cardholder data from unauthorized access.

Cymmetri.com