ISG Case Study

IT Security – Non Person ID Catalog Assessment

The Client

Health Care Payor

Our client is the largest customer-owned health insurance company in the United States. The company, founded in 1936, serves more than 16 million members across five states

The Challenge

Address Audit concerns regarding all Non-Person Id’s within their enterprise systems environment.

The clients audit department raised a concern with their IT Security department related to Nonperson IDs or NPIDs.

Do they have a complete list of these? Where are they located within their enterprise systems environment? How are they managed?Have they been certified? What are te levels of permission on each?

Not fully knowing the function of every NPID used by computer services, applications, databases and more was problematic and hard to manage. Without full knowledge of every aspect of each NPID, they couldn’t be sure if the NPID is for a retired or critical application making it hard to address when they’re leery of making changes and possibly creating disruption to their business.

There were many questions that couldn’t be answered with absolute certainty.

This became not only an audit concern but also a major security risk.

The client needed to react quickly and address these concerns. They decided to engage a trusted external partner with the experience necessary to hit the ground running and identify and certify all NPIDs within their enterprise. As well, build a repository to manage these going forward and eliminate any risks associated with NPIDs in the future.

The Solution

Provide a Robust outsourced IT Security NPID Catalog and Governance process, Eliminating future Risk

ISG proposed to partner with the client’s IT Security group as well as internal IT areas within the Application, Database and Systems Administration functions of the organization to develop a process to identify, certify, store and manage a robust catalog of all NPIDs within their systems environment.

ISG will bring a team of experienced security leaders and analysts to the table that understood IAM as well as the technical aspects of their systems environment. Our team come with the necessary experience required to work with such a diverse range of technical environments and people.

ISG proposed a three-pronged approach to achieve the necessary outcome:

Identify all sources in your environment associated with the distributed NPIDs.

ISG will work with their staff and toolset to inventory and catalog all distributed NPIDs and transfer knowledge to your staff. Depending on their environment, ISG will use reference files to match your NPIDs to other data sources to identify owners or applications associated with the NPIDs.

Verify NPID ownership.

ISG will help you organize a process to link each NPID back to its appropriate application area and specific

owner. We will develop and organize the process that cleans and verifies the list, making it much easier to transition NPIDs to a current owner.

Clarify roles of each NPID.

Once an NPID is identified and verified, ISG will assist the client with organizing a process to seek a business justification for every NPID. If there isn’t one, such as the application being retired, the NPID may be deleted.

We were selected to engage with the client for this endeavor.

The Outcome

Safe & Secure NPID Governance Solution

Over a period of several months, our team engaged with the client to execute our program for addressing this issue.

Working closely with the IT Security group, our team utilized multiple sources of information and met with numerous key individuals within the organization to identify and create a robust catalog of all NPIDs within their enterprise systems environment.

Our Solution delivered the following:

Full Identification

Identification of all NPID’s within their organizations Distributed environments.

Complete Catalog

Catalog NPID’s and associated information including ID, Business System Usage, User, Function it performs, last used.

Solid Framework

Outlining NPID framework components that provide for the capture of NPID information and the ongoing maintenance of attributes such as entitlements throughout the NPID process lifecycle.

Established Certification Process

Built a process for the Provisioning and Certification of accounts containing NPIDs.

Overall Governance

Outlined a process to govern and manage all out of use, unclassified NPID data going forward.

Sustainability

Provide Training and Oversight to client Staff regarding how to continually update and refresh documentation as system and technical changes are implemented.

Our solution provided the necessary outcomes to meet the clients current Audit requirement and eliminated security risks and future audit concerns going forward. In addition, this solution provided information that could be fed into a future state IAM SalePoint solution that was targeted for implementation later that year.

ISG Case Study

IT Security – Non Person ID Catalog Assessment

The Client

The Challenge

Address Audit concerns regarding all Non-Person Id’s within their enterprise systems environment.

The clients audit department raised a concern with their IT Security department related to Nonperson IDs or NPIDs.

Do they have a complete list of these? Where are they located within their enterprise systems environment? How are they managed?Have they been certified? What are te levels of permission on each?

There were many questions that couldn’t be answered with absolute certainty.

This became not only an audit concern but also a major security risk.

The Solution

Provide a Robust outsourced IT Security NPID Catalog and Governance process, Eliminating future Risk

ISG will bring a team of experienced security leaders and analysts to the table that understood IAM as well as the technical aspects of their systems environment. Our team come with the necessary experience required to work with such a diverse range of technical environments and people.

ISG proposed a three-pronged approach to achieve the necessary outcome:

Identify all sources in your environment associated with the distributed NPIDs.

ISG will work with their staff and toolset to inventory and catalog all distributed NPIDs and transfer knowledge to your staff. Depending on their environment, ISG will use reference files to match your NPIDs to other data sources to identify owners or applications associated with the NPIDs.

Verify NPID ownership.

ISG will help you organize a process to link each NPID back to its appropriate application area and specific

owner. We will develop and organize the process that cleans and verifies the list, making it much easier to transition NPIDs to a current owner.

Clarify roles of each NPID.

Once an NPID is identified and verified, ISG will assist the client with organizing a process to seek a business justification for every NPID. If there isn’t one, such as the application being retired, the NPID may be deleted.

We were selected to engage with the client for this endeavor.

The Outcome

Safe & Secure NPID Governance Solution

Over a period of several months, our team engaged with the client to execute our program for addressing this issue.

Working closely with the IT Security group, our team utilized multiple sources of information and met with numerous key individuals within the organization to identify and create a robust catalog of all NPIDs within their enterprise systems environment.

Our Solution delivered the following:

Full Identification

Identification of all NPID’s within their organizations Distributed environments.

Complete Catalog

Catalog NPID’s and associated information including ID, Business System Usage, User, Function it performs, last used.

Solid Framework

Outlining NPID framework components that provide for the capture of NPID information and the ongoing maintenance of attributes such as entitlements throughout the NPID process lifecycle.

Established Certification Process

Built a process for the Provisioning and Certification of accounts containing NPIDs.

Overall Governance

Outlined a process to govern and manage all out of use, unclassified NPID data going forward.

Sustainability

Provide Training and Oversight to client Staff regarding how to continually update and refresh documentation as system and technical changes are implemented.