3.1.6

Risk

Risk assessment of users in Cymmetri involves evaluating the potential risks associated with user access and actions within the Cymmetri platform. This assessment helps in identifying and mitigating risks to ensure the security and integrity of the system.

The risk calculations are done based on various Cymmetri and AD metrics. A list of these metrics can be seen here:

Cymmetri offers in-depth insights into user risks. To view this information, navigate to Insights > Risks.

Risk Scoring

Cymmetri allows Aggregate Risk Scoring to offer a holistic view of security risks across various organizational levels, such as by manager, department, location, or company-wide. Below is a structured approach to profiling and organizing these risk scores:

1. Risk Aggregation Overview

  • Risk Score Calculation: The solution must aggregate individual user and role-based risks to produce higher-level risk scores that reflect the overall security posture across different tiers of the organization.

  • Formula: Risk scores can be calculated using weighted factors such as:

    • Severity of risks (e.g., High, Medium, Low)

    • Number of violations

    • Impact on critical business applications

2. Profiled Risk Scores

The system should generate reports that profile risks across several organizational dimensions:

a. By Manager

  • Manager Name: Identify managers overseeing specific users or teams.

  • Team Risk Score: Aggregate risk score for the manager’s team, considering users' access rights, policy violations, SoD violations, and role mismanagement.

  • Manager’s Accountability: Identify potential risks related to the manager’s own access and their team's overall risk exposure.

  • Top Risks by Team: Highlight the most critical risks faced by each manager’s team.

b. By Department

  • Department Name: Clearly identify departments (e.g., Finance, HR, IT).

  • Department Risk Score: Aggregate risk for the entire department by analyzing access patterns, policy violations, and SoD conflicts among members.

  • Risk Breakdown:

    • Percentage of High, Medium, and Low risks by department

    • Number of roles and permissions posing risks within the department

    • Key Applications at Risk: Applications within the department that are highly exposed to security threats

c. By Location

  • Location Name: Identify office locations or regions where users are based.

  • Location Risk Score: Aggregate risk based on geographic considerations, accounting for localized compliance and security issues.

  • Risk Distribution: Display geographic risk scores to indicate which locations have the highest or lowest security vulnerabilities.

d. Company-Wide

  • Overall Risk Score: Present a high-level, company-wide risk score reflecting the organization’s overall security posture.

  • Company-wide Risk Distribution:

    • Total number of high, medium, and low risks across the company

    • Key risk contributors (departments, managers, locations)

    • Top 10 Critical Risks: Highlight the most urgent risks requiring immediate attention

    • Historical Trend: Display changes in the company-wide risk score over time, such as improvements post-policy enforcement or increases due to new vulnerabilities.

3. Risk Severity and Prioritization

  • Severity Levels: Each profiled risk should be categorized as:

    • High Risk: Critical and requires immediate remediation.

    • Medium Risk: Significant but less urgent.

    • Low Risk: Monitor, but not immediately critical.

  • Prioritization: Focus on departments or teams with higher aggregate risks for expedited action.

4. Risk Mitigation Recommendations

For each profiled risk, provide:

  • Mitigation Actions: Suggestions to reduce the risk (e.g., removing unnecessary roles, enabling multi-factor authentication).

  • Responsible Entity: Identify who (manager, department, or location) should take action to resolve the risk.

  • Remediation Deadline: Suggested deadlines for risk mitigation.

5. Dashboard and Visualization

The IAM solution should feature a dashboard to visualize aggregate risk scores across the organization. Key dashboard features should include:

  • Heat Maps: Color-coded maps displaying risk scores by location, department, or manager.

  • Bar Charts and Graphs: Visual representation of risk distribution and trends over time.

  • Filter Options: Allow users to filter views by department, location, manager, or specific applications for detailed analysis.

6. Periodic Reporting

  • Report Scheduling: Automatically generate and distribute risk score reports at regular intervals (e.g., monthly, quarterly).

  • Stakeholder Distribution: Tailor reports for managers, department heads, compliance officers, and the CISO, based on their level of responsibility.

7. Integration with Governance and Compliance

  • Compliance Checks: Align risk scoring with compliance frameworks (e.g., SOX, GDPR, HIPAA) to highlight areas where the organization may be falling short of regulatory requirements.

  • Audit Trail: Provide detailed logs of risk score changes, access adjustments, and mitigation actions for audit purposes.

Cymmetri's Risk scoring offers both a detailed and high-level overview of security risks, empowering stakeholders to make informed decisions and prioritize security efforts across the organization.

Dashboard

The Dashboard section provides a comprehensive overview of the current risk status across the Cymmetri platform. By visualizing key metrics and trends, it allows for quick identification of high-risk areas and users.

Risk Stats

The dashboard features a "Risk Stats" section, presenting a graphical display of the number of users categorized by risk level—High, Medium, and Low. This visualization represents data synced across various days within a specified date range.

It also shows a section where it shows various risk calculation metrics. This section outlines various user activities and status changes observed over the past 7 days, as well as upcoming account expirations in the next 30 days.

  • User cannot change the password in AD: Users that are restricted from changing their passwords, which could affect user security and compliance.

  • User Recently Created last 7 days: New user accounts have been created in last 7 days.

  • User Recently Modified last 7 days: Accounts that have been modified in last 7 days in any ways.

  • User Recently Deleted last 7 days: Users whose accounts that have been removed in last 7 days. Monitoring deletions is crucial for understanding changes in user access and potential security risks.

  • User Account Expires next 30 days: Users whose accounts are set to expire within the next 30 days. These need to be reviewed to determine if extensions are necessary.

  • User recently not logged in last 7 days: Users whose accounts that have not had any login activity in the last 7 days. This could indicate unused accounts or potential issues with user access.

  • User recently locked last 7 days: Users whose accounts that have been locked out due to incorrect password attempts or other security protocols in the last 7 days.

Each of these section has a View link which opens up a modal that further shows user details for each of these metrics as shown below:

Risk Configuration

The risk configuration section is used to configure Active Directory which is later used to sync Active DIrectory risk parameters.

Some of the basic configurations fields are:

  • Name: Risk Configuration Name. For eg. AD Risk Config

  • Description: A general description about the Risk Comfiguration

  • IdM Repository Field: A unique identifier on Cymmetri side. For eg. login

  • Source Attribute Name: A unique identifier from Active Directory. For eg. sAMAccountName

Next we need to do User and Server Configuration

Server Configuration

Consists of configuring the connector server. Enter the IP address of the host server and its password. The rest of the fields come pre-filled with default values; you can change them according to your use case. Next, click on the save configuration button.

Mentioned below are the field descriptions:

Note: Ensure that the bundle used is for Active Directory Risk configuration is adanalytics-1.0-bundle.jar and the connector server version is atleast 1.5.2.0

User Configuration

User Configuration consists of all user settings like domain name, search filter, etc. We can also configure an OU (Organisational Unit) in this window.

Risk Assessment History

The section allows administrators to view a list of synchronization events that have occurred for Active Directory (AD) Risk Details, along with the ability to access a detailed Risk Assessment Report for high-risk users.

The Risk Assessment History page displays a list of synchronization events for AD Risk Details. The following information is displayed for each synchronization event:

  • Name: The name of the synchronization event.

  • Description: A brief description of the synchronization event.

  • Start at: The start time of the synchronization event.

  • End at: The end time of the synchronization event.

  • Start Mode: The start mode of the synchronization event (MANUAL or AUTO).

  • End Mode: The end mode of the synchronization event (MANUAL or AUTO).

  • Status: The status of the synchronization event.

  • Actions: The Actions section contains a View button, which allows users to view the Risk Assessment Report for the synchronization event.

Risk Assessment Report

The Risk Assessment Report provides detailed information about all users associated with the synchronization event. The following information is displayed for each user:

  • Name: The name of the user.

  • SAM Account: The Security Account Manager (SAM) account name of the user.

  • Mail: The email address of the user.

  • Type: The type of user.

  • Risk Score: The risk score assigned to the user.

  • View Risks: A View Risks button which allows users to view the Risks for a particular user.

View Risks Button

The View Risks button is enabled only for high-risk users and allows administrators to view various AD and Cymmetri metrics used for risk calculation. This button provides additional insight into the factors contributing to the user's high-risk status.

Risk Details Page

The Risk Details page displays detailed information about a specific user's risk assessment. The following information is displayed:

  • Sam Account Name: The Security Account Manager (SAM) account name of the user.

  • Display Name: The display name of the user.

  • Mail: The email address of the user.

  • User Type: The type of user (e.g., Employee).

  • Risk Score: The risk score assigned to the user.

Additionally, a table is provided that lists the risk type name (ADProcessor or CymmetriUserProcessor), description, and risk score for each risk associated with the user.

Recommendation and Remediation

Cymmetri recommends risk mitigation actions for high risk users, for various actions like monitoring of user activity, review certifications, and remediation of various policy violations

Defining Risk Parameters

Cymmetri provides a framework for managing risk arising for application access to organization users. Broadly, the risk is quantified on the basis of Qualitative and Quantitative measures

Qualitative Risk

This is a risk that is identified from the knowledge of the system. This means that even in absence of the Enterprise Role model or mapping of activities or tasks or processes to the users, a certain risk value may still be assigned to the users, purely based on the application roles based on the COSO framework (i.e. admin / maker / checker / read only) and applications assigned to them.

The qualitative risk calculation will be based on: • The number of applications assigned to a particular user, the risk associated with the application, & • The risk associated with the COSO type of the application role.

Quantitative Risk

This is a risk that is identified from the specific classification of application roles based on High, Medium and Low risk. The risk classification is thus based on users having roles assigned to them.

To configure the risk parameters, it is necessary to categorize the application level risk as well as role level risk.

Risk Based Certification

Cymmetri enables trigerring of ad-hoc user certification based on parameters as mentioned below:

  • User's current risk level/ score

  • Duration between certification cycles

  • Manual execution of certification task by manager/ admin

Approver View

The above mentioned configurations assist the approving / certifying authorities to have a nuanced view of the user, their entitlements and the risks associated as per the existing policy configurations in Cymmetri. Refer the Access Certification process for more details.

Risk Based Reports

Considering Cymmetri has the ability to identify the potential risks associated with user identities and their entitlements from the system, the system can thus provide relevant risk assessment.

The parameters influencing the risk measures are several-

  • User Profile / High Risk Users

  • Application Access Reviews

  • Groups assigned to user

  • Role assigned to user

  • IT Roles provisioned to user

  • Policy violations including SoD

  • Anomaly Detection

Refer Cymmetri Risk Reporting video

Risk based Reporting

The Identity and Access Management (IAM) solution generates Defined Security Risks Report by Application with the following core elements:

  1. Application Summary

  • Application Name

  • Application Owner

  • User Base

  1. Risk Identification

  • Access Control Risks

  • Excessive Privileges

  • Unauthorized Access

  • Inactive Accounts (dormant access)

  • Role and Permission Risks

  • Redundant Roles

  • Orphaned Roles

  • Role Accumulation

  • Segregation of Duties (SoD) Violations

  • Policy Non-Compliance

  • Password Policies

  • Multi-Factor Authentication (MFA)

  • Compliance Gaps

  • Risk Scoring

  1. Affected Users

  • Name and Role

  • Access Level

  1. Historical Trends

  • Risk Evolution

  • Resolved Risks

  1. Recommendations

  • Remediation Actions

  • Role optimization or recertification

  • Removing excess privileges

  • Enforcing stronger password policies or MFA

  • Addressing SoD violations through role restructuring

  • Deadline for Action

  1. Integration with Incident Management / Service Desk

  • Incident Ticketing

  • Status Tracking

  1. Audit Logs

  • Access Changes

  • Violation Occurrences

  1. Reports

  • Export Options - Excel, PDF, CSV

  • Automated Distribution

Cymmetri.com