Companies failing to follow proper employee offboarding measures are at risk for data loss, cyberattacks and other malicious activities. Regardless of the reason for an employee’s exit, offboarding is an essential part of the transition process. Protect your system and all sensitive data with these six critical identity management procedures.

Collect All Company-Owned Devices

Company-issued smartphones, tablets, laptops and other devices should be turned in before an employee leaves for good. These devices not only contain sensitive information but also represent a significant monetary investment. Be sure to collect all other items used for data transfer and storage, such as memory cards and flash drives, to prevent confidential information from leaving the premises.

Retrieve keys and security cards to ensure employees can’t gain physical access to the building once their tenure is over. Being able to get in and out of the office without checking in or making an appointment literally leaves the door open for serious breaches if the conditions of departure are less than cordial.

Terminate Personal Device Access

If your business has a BYOD policy, employee-owned devices may retain information, applications and other company assets. Removing data and programs pertaining to company activities is a key part of offboarding. Even if no ill will is intended, employees can easily walk away with proprietary data on their personal smartphones, tablets, laptops and external storage devices. If passwords were stored using tools on any of these devices, hackers could gain access to your system with stolen credentials long after an employee has left the company.

Revoke Network Access

The identity and access management (IAM) solution your company uses should have tools for managing the entire employee lifecycle, including offboarding. When the time comes to remove a user from the system, take advantage of these tools to completely eliminate the employee’s unique identity. Don’t be tempted to reuse the account with different login credentials for the next person taking over the position. A new employee may not need the same level of access even if he or she performs similar duties, and rolling accounts over may cause problems with “privilege creep,” in which an employee accumulates more access rights than necessary to perform his or her job.

Access to company applications and third-party cloud-based programs used by your business for communication and collaboration must also be revoked. Change any common passwords for these applications or other system tools, and make sure related apps are wiped from personal devices. If an employee-owned device has its own identity within your system, remove this privilege when the person leaves.

IAM software makes network access management much easier by centralizing all information about each employee’s credentials, level of access and privileges so that you can be sure all points of vulnerability have been addressed and don’t have to search through every application to terminate access.

Remove Employee Data from Systems

Once access has been revoked, make sure the names of employees who no longer work for your company don’t show up on contact lists, in meeting rosters or as the primary contacts for projects. Forward all communications from terminated employee accounts to a manager or supervisor, and communicate clearly with other employees to ensure everyone is aware who has been offboarded and who is responsible for picking up their tasks until a new hire is made.

Follow a Set Procedure Every Time

Go through the same steps with each employee you offboard. Adhering to a plan ensures you don’t miss any critical actions and greatly reduces the risk of disgruntled employees wreaking havoc once they’ve left. Employees in good standing are saved the potential embarrassment of and backlash from accidental data leaks. Create a checklist of best practices, and follow it to the letter to keep your company and your employees safe.

Keep Records

Compliance is an important issue for any business handling sensitive information, interacting with clients and customers or conducting transactions. You may be subject to additional compliance rules depending on the industry in which you operate. Proper offboarding is necessary for compliance, especially in cases where the information you store could be stolen, sold or publicly distributed by employees with malicious intentions.

If your IAM solution doesn’t already keep detailed logs, enable the option or upgrade to a system with this capability. Logs can be used in the event of a compliance audit to prove you followed your offboarding procedure correctly and no loose ends were left to create vulnerabilities. Furthermore, logs are necessary for any critical investigation as a result of security policy violations and data breach cases.

Following the same offboarding procedure with every candidate reduces the risk of accidental or deliberate data theft and eliminates as many points of vulnerability within the system as possible. Make offboarding part of the process of managing the employee lifecycle to avoid the potential for serious security problems down the road.
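
One way to turn the checklist above into a repeatable audit, as an added example that is not part of the original article. The roster, account export, device register, shared-credential list and log format are all constructed, and the check names are hypothetical; the audit reports what offboarding left open for each departed employee.

```python
from datetime import date, datetime

# All data below is constructed for illustration.
# HR roster: user -> last working day (None = still employed).
HR_ROSTER = {"alice": None, "bob": date(2024, 3, 1), "carol": date(2024, 3, 15)}

# Account inventory as a central IAM export might list it: (user, app, enabled).
ACCOUNTS = [
    ("alice", "crm", True),
    ("bob", "vpn", False),
    ("bob", "crm", True),        # third-party app missed during offboarding
    ("carol", "mail", False),
]

# Device register: (device id, owner, state).
DEVICES = [
    ("LT-0042", "bob", "returned"),
    ("PH-0107", "bob", "outstanding"),     # company phone never handed in
    ("BYOD-17", "carol", "registered"),    # personal device still enrolled
]

# Shared credentials: (name, users who knew it, date last rotated).
SHARED_SECRETS = [
    ("social-media", {"alice", "bob"}, date(2024, 1, 10)),
    ("wifi-guest", {"alice", "carol"}, date(2024, 3, 20)),
]

AUTH_LOG = """\
2024-02-28T09:12:03 user=bob app=crm result=success
2024-03-01T17:55:40 user=bob app=vpn result=success
2024-03-04T22:41:10 user=bob app=crm result=success
2024-03-16T08:00:00 user=carol app=mail result=failure
2024-03-16T08:05:00 user=alice app=crm result=success
"""


def parse_log(text):
    """Yield (timestamp, fields) for each 'ISO-time key=value ...' line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        yield datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)


def audit():
    """Return sorted (user, check, detail) findings for departed users."""
    departed = {u: d for u, d in HR_ROSTER.items() if d is not None}
    findings = []

    # Revoke network access: no account may stay enabled after departure.
    for user, app, enabled in ACCOUNTS:
        if user in departed and enabled:
            findings.append((user, "account_enabled", app))

    # Collect company devices and unenroll personal ones.
    for dev_id, owner, state in DEVICES:
        if owner in departed and state in ("outstanding", "registered"):
            findings.append((owner, "device_open", dev_id))

    # Common passwords must be changed after the person has left. With date
    # granularity, a rotation on the last working day does not prove that.
    for name, holders, rotated in SHARED_SECRETS:
        for user in holders & departed.keys():
            if rotated <= departed[user]:
                findings.append((user, "secret_not_rotated", name))

    # Keep records: any authentication after the last working day is reported,
    # a success as a login and a failure as an attempt.
    for ts, fields in parse_log(AUTH_LOG):
        user = fields.get("user")
        if user in departed and ts.date() > departed[user]:
            ok = fields.get("result") == "success"
            check = "post_exit_login" if ok else "post_exit_attempt"
            findings.append((user, check, f"{fields.get('app')}@{ts.isoformat()}"))

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep="\t")
```

An empty result for a departed user is the evidence to file with the offboarding record; anything else is a loose end to close and re-check.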

In the ever-changing IoT landscape, things now have identities. With the number of connected IoT devices set to reach 75 billion by 2025, having a strong identity and access management (IAM) policy is more important than ever. IoT technology is now an integral part of the business world and may represent as much as 6 percent of the global economy in the near future. Such rapid expansion in the network of devices connected to the systems within your business requires a new approach to access and security.

Identity and Access Management in an IoT World

What once involved keeping track of one identity per user within a network has evolved into a complex web of monitoring and managing the interactions occurring between users and devices both onsite and in remote locations. Further complications can arise from transient access, in which devices connect to the network only part of the time and may or may not be running in privacy mode when they do. Each device is associated with its user’s unique identity, but the device itself is able to communicate with other devices, and perform actions such as access and transfer data.

This pivotal shift comes at a time when companies are still trying to get a handle on IoT technology and implement identity management protocols capable of handling the unique combination of corporate, employee-owned and remote devices connecting to their networks every day. Each new device creates additional points of vulnerability, and the more complex the web of connectivity, the more robust the related security measures need to be.

Whereas IAM used to require only associating a user with a device, it now must also bridge the gap between devices and networks or systems. This necessitates a fresh approach to identity management to prevent a situation in which device use gets out of control and creates security gaps your current protocols can’t handle.

Say Hello to the Identity of Things

A new concept known as the identity of things (IDoT) has arisen to describe the relationship between IAM and IoT. As the nature of connectivity changes, IDoT offers solutions for handling new types of digital interactions by proposing unique identities for the devices themselves. This essential evolution of IAM makes it possible for your company to handle not only the employee lifecycle but also the lifecycle of every device requiring access to your network.

To properly control access for both users and devices, a modern IAM protocol must take into account the kinds of data each device will access, handle or store as it interacts with other devices and programs in a network. Each device needs to be integrated into the network to facilitate seamless communication regardless of device type, manufacturer or operating system. Requiring device registration and creating specific protocols for transient devices helps to prevent unauthorized data access and makes it possible to monitor for unusual behaviors across the network. When sensitive or proprietary data is involved, you also need to consider what data manufacturers collect when monitoring device performance and put measures in place to protect against accidental access to confidential information.

The Future of the Internet of Identities

The expanding network of connected “things” with their own identities is creating a new landscape for IAM in which users control devices with collections of attributes and the ability to carry out multiple functions within a network. Dubbed the internet of identities (IoI), this matrix of connectivity presents fresh security challenges requiring:

  • Employee training and background checks to ensure device security;
  • Detailed protocols dictating when and how data can be accessed by specific devices;
  • Privacy and security rules to govern inter-device communications and connections;
  • Updated security protocols and standards;
  • Use of behavioral analytics to detect unauthorized access attempts; and
  • Centralized IAM and security procedures to prevent bottlenecks and preserve open communications.

With these changes, identity management will increasingly focus on securing the relationships between connected devices to allow businesses the freedom to take advantage of IoT technology without falling victim to the vulnerabilities inherent in such a system.

As IoT connectivity continues to evolve, businesses without a robust approach to IAM and device security will become more vulnerable to cyber-attacks. Prevention is the best approach, which requires getting a handle on the current state of device use within your company and preparing for a steady increase in the use of IoT technology over time.

Getting ready for changes in IDoT and IoI today will make it easier to comply with new protocols and standards as they’re developed and released. IoT is set to have a $3.9 trillion impact globally by 2025, so implementing smart identity management strategies now has the potential for big payoffs in the future. An updated security policy and a solid training plan for employees prepares your company to step into the future of IAM with the lowest possible level of risk.


Every time organizations hire a new employee, he or she needs access to essential information, apps and processes to successfully perform daily tasks. With the cost of data breaches at $4 million per incident and businesses losing an average of $158 for every stolen record, it’s crucial that organizations grant and manage access with the utmost care.

Employee identities and the information to which associated credentials allow access must be carefully managed throughout each team member’s time at your organization. Defined by Techopedia as “the full life cycle of identity and access for a user on a given system,” identity lifecycle covers every aspect of identity and access management (IAM) from the moment a person is hired to the moment they leave the company.

With constant changes in technology and the dynamic nature of employees’ access needs in the modern workplace, it’s essential to follow these 6 IAM best practices throughout the employee lifecycle.

Cover the Basics

IAM should begin with the most straightforward steps for better security:

  • Enable multifactor authentication,
  • Create and enforce a Bring Your Own Device (BYOD) policy, or consider a Corporate-Owned, Personally Enabled (COPE) policy as an alternative,
  • Update all tools, platforms and apps regularly, and
  • Encrypt all data during sending and receiving.

Proper employee training also ensures all staff members understand policies and procedures, thereby minimizing the risk of error and reducing vulnerabilities resulting from ignorance.

Start with Smart Provisioning

Role- and attribute-based access control methods assign employee access based on the minimum levels necessary to complete tasks. This makes it easier to allocate privileges to new employees. Instead of guessing what access they’ll require and running the risk of being too liberal, your system can be set to automatically assign the right level of access at the time of hiring. Real-time provisioning ensures access is available to all employees from day one. Adding a single sign-on (SSO) process streamlines the procedure, allowing staff members to use multiple apps using just one set of credentials.

Use Automatic Updating

SSO also eases the burden on your IT department when paired with automatic updating. An increasing number of apps are required to manage modern businesses, and your IT team doesn’t have the time to update provisions across apps or create new rules every time you adopt another platform.

Look for a solution designed for adding apps centrally and creating the proper provisions across all of them at the same time. As the apps you use change, employees gain instant access based on existing permissions, preventing bottlenecks in essential workflows.

Prevent Privileges from Piling Up

Privileged accounts give specific employees access to the most sensitive data and processes within your system. However, employee responsibilities change over time, and it may not always be necessary for high-level permissions to remain in place. Privilege levels must be adjusted accordingly as part of regular automatic updates. By revoking access as soon as it’s no longer needed, you minimize vulnerabilities and shut the door on hackers who target these types of accounts.
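
A periodic entitlement review that catches the privilege creep described above, added here as an illustration rather than taken from any IAM product. The role baselines, entitlement names, sample grants and 90-day threshold are assumptions.

```python
from datetime import date

# Constructed role baselines: the minimum access each role needs.
ROLE_BASELINE = {
    "support": {"crm:read", "ticketing:write"},
    "finance": {"erp:read", "erp:post-journal", "crm:read"},
    "sysadmin": {"iam:admin", "vpn:admin", "ticketing:write"},
}

# Entitlements treated as privileged (assumption for this example).
PRIVILEGED = {"iam:admin", "vpn:admin", "erp:post-journal"}

# Constructed current role per user.
USERS = {"dana": "support", "eli": "finance", "fay": "sysadmin"}

# Constructed grants: (user, entitlement, last used; None = never used).
GRANTS = [
    ("dana", "crm:read", date(2024, 5, 28)),
    ("dana", "ticketing:write", date(2024, 5, 30)),
    ("dana", "erp:post-journal", date(2023, 11, 2)),  # kept from an earlier finance role
    ("eli", "erp:read", date(2024, 5, 31)),
    ("eli", "erp:post-journal", date(2024, 5, 29)),
    ("fay", "iam:admin", date(2024, 5, 30)),
    ("fay", "vpn:admin", date(2024, 1, 15)),          # in baseline, idle for months
    ("fay", "ticketing:write", None),
]


def review(today, stale_after_days=90):
    """Reconcile grants against role baselines.

    Returns sorted (user, entitlement, action) tuples where action is
    'revoke'    - held but not in the role baseline (privilege creep),
    'recertify' - privileged, in baseline, but unused past the threshold,
    'grant'     - in the baseline but missing (provisioning gap).
    """
    actions = []
    held = {}
    for user, ent, last_used in GRANTS:
        held.setdefault(user, set()).add(ent)
        baseline = ROLE_BASELINE[USERS[user]]
        if ent not in baseline:
            actions.append((user, ent, "revoke"))
        elif ent in PRIVILEGED:
            idle = last_used is None or (today - last_used).days > stale_after_days
            if idle:
                actions.append((user, ent, "recertify"))

    for user, role in USERS.items():
        for ent in ROLE_BASELINE[role] - held.get(user, set()):
            actions.append((user, ent, "grant"))

    return sorted(actions)


if __name__ == "__main__":
    for action in review(date(2024, 6, 1)):
        print(*action, sep="\t")
```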

Put Up a (Geo) Fence

If your company has a team of remote employees or otherwise allows remote access to data, geo-fencing can cut down on the risk of sensitive information being accessed from the wrong places. Many employees still use public Wi-Fi connections to perform business tasks, and logging into your system while sipping a latte at Starbucks can throw the door wide open for hackers.

Geo-fencing adds another layer of protection by preventing access outside of specific locations. If you choose to implement a “fence,” make sure your access rules don’t create situations so restrictive your remote staff members can’t do their jobs.

Have a Plan for Deprovisioning

Around 49 percent of former employees log into their accounts after leaving a job or being let go. Deprovisioning prevents this type of unauthorized access by completely revoking privileges as soon as a person no longer works for your company. Like provisioning and continuous certification, deprovisioning can be automated to offload your IT department from the tedious task of revoking permissions and removing roles. This is especially important in cases where an employee’s exit was less than cordial and your company could be at risk for a malicious attack if the account remains open.

Adopting a framework for proper identity lifecycle management gives you more control over the information to which your employees have access and decreases the likelihood your company will suffer a data breach. Even in a world where BYOD and remote work have become everyday realities, following best practices for managing identity and access keeps your company safe and ensures no accounts are left open to enterprising hackers. Working with a professional can make it easier to identify weaknesses in your current systems and implement the best fixes for your business model.


With the increasing use of cloud computing and storage and the interconnected Internet of Things, as well as the growing number of systems, remote users, and large volumes of data, today’s business environment and security risks have changed enormously and require a shift in our security mindset and practices.

As the number of systems, users, and data grows, the need for robust identity and access management solutions and experts to manage accounts and their access becomes even more important. In particular, privileged accounts, which offer the highest level of access to a system, are prime hacking targets.

Most data breach incidents prove that privileged account passwords are compromised through social engineering techniques and other means to gain access to the most valuable functions and data of a system. Sometimes, user accounts with lower-level permissions are escalated after account takeover to gain privileged access. When legitimate accounts are used to access systems, the intrusion often goes unnoticed for weeks, allowing hackers to obtain as much information as necessary before taking action. To protect privileged accounts, their owners must be properly trained to protect their account passwords, use multi-factor authentication for access, and monitor the accounts to detect any suspicious activity.

What are Privileged Accounts

Privileged accounts are accounts with elevated access permission that allow the account owners to access the most restricted areas of the system and execute highly privileged tasks. Just like typical user accounts, privileged accounts also require a password to access systems and perform tasks.

Typical Users of Privileged Accounts

A privileged account may be used by a human or a system. Privileged accounts such as administrative accounts are often used by IT professionals to manage software, hardware, and databases. Examples of non-human privileged accounts are system accounts with special permissions to run automated tasks. Privileged account users can perform tasks such as installing software, accessing restricted areas, resetting passwords, and making other system changes.

Why Privileged Accounts Pose a Risk

The problem with admin and service accounts is that they are often shared, used across many systems, and protected by weak or default passwords. Their ease of theft, widespread use across the organization, and highly elevated access permissions make them great hacking targets. In addition, the passwords of these accounts are often not changed frequently and can be stolen with the many specialized tools that hackers possess. Hijacking privileged accounts gives attackers the ability to access and download an organization’s most sensitive data, distribute malware, bypass existing security controls, and erase audit trails to hide their activity.

Industry analysts estimate that up to 80 percent of all security breaches involve the compromise of user and privileged account passwords, and most compromised systems go undetected for over 200 days. A major reason for the ease of password theft is that more than 20 percent of companies fail to change well-known default passwords such as “admin” and “12345.” To compound the problem, account owners use the same password for several different accounts.

Hackers exploit these weaknesses to elevate their existing permissions, access systems, data, and key administrative functions, and conceal their activities.

Consequences of Compromised Privileged Accounts

Privileged accounts are powerful accounts that give full access to a system. Hackers can perform malicious activities, steal sensitive information, commit financial fraud, and often remain undetected for weeks or months at a time. After attackers compromise a system, they typically use the access to observe the system for a while and learn about the activities of users. Eventually the attacker can get an accurate picture of the target systems. Depending on the motive of the attackers, they can use privileged accounts to:

  • Change system functionality,
  • Disable access for some accounts,
  • Elevate access for some accounts,
  • Steal sensitive data for fraud, ransom, or revenge,
  • Poison data, and
  • Inject bad code or malware

How Privileged Account Passwords are Stolen

Up to 80 percent of breaches result from stolen passwords. Hackers’ most preferred pathway to privilege exploitation is to steal account credentials. Hackers may use malware or social engineering to steal account information for gaining unauthorized access. Employees are typically fooled by phishing scams that ask them to click on a link, download an attachment with malware hidden inside, or enter their passwords into fake website forms. In many cases, these scams appear to be legitimate requests from an employee’s manager, company executive, or another trusted source.

High Profile Security Incidents and Statistics

  • Most companies face the threat of a data breach by a criminal group in 51% of the cases vs. 18% by a state-sponsored actor.
  • Just over 60% of breaches involve hacking.
  • 81% of hacking-related breaches leverage stolen and/or weak passwords.
  • 43% of breaches involve social attacks (including phishing, pretexting, and spearphishing).
  • 14% of breaches involve employee errors, while another 14% involve privilege misuse.
  • 51% of breaches include malware, and 66% of that malware is delivered by malicious email attachments.
  • 27% of breaches are discovered by third parties.

In a high profile incident, JP Morgan Chase discovered in 2014 that hackers were reportedly able to gain “root” privileges on more than 90 of the bank’s servers, which meant they could take actions including transferring funds and closing accounts. Hackers stole names, addresses, phone numbers and email addresses as well as internal information about 76 million persons and 7 million small businesses.

Privileged Account Management (PAM) Tips

  • Identify privileged accounts,
  • Decide who needs or has privileged access,
  • Define when privileged accounts can be used,
  • Have an incident response plan,
  • Monitor privileged account activities, and
  • Select strong passwords and change them frequently. Privileged account passwords should be set to very large, complex values and stored securely. They should never be shared or used to access multiple systems.


Careful monitoring of credit reports can alert consumers to fraudulent activities or inaccuracies in records potentially indicating identity theft. The information included on a credit report, such as amounts owed, payment history and public records, affects the scores used by financial institutions and credit card issuers to assess the creditworthiness of applicants and decide whether to approve applications.

Credit reports also provide consumers with a total picture of their credit status at a particular point in time. Few consumers know exactly where they stand when it comes to total debt, thus seeing everything laid out in a report reveals not only where changes can be made to improve credit scores but also mistakes and incorrect information they must dispute and correct. Some of these inaccuracies may be red flags, warning of a breach of privacy or outright identity theft in need of investigation. In these cases, appropriate measures must be taken to correct all information and ensure the security of personal information.

Under the Fair Credit Reporting Act or FCRA, every consumer is entitled to one free copy of his or her credit report per year from the “big three” CRAs: Equifax, Experian and TransUnion. This law is enforced by the Federal Trade Commission and gives consumers the opportunity to keep a close eye on credit activities associated with their accounts.

It is reported that one in five consumers have at least one error on their credit reports. Because these errors can have negative effects on a person’s overall credit history and make it difficult to qualify for loans or obtain new credit cards, they should be addressed and fixed as soon as they’re discovered.

CRAs are required by law under the FCRA to correct inaccurate or incomplete credit report information and must investigate claims from consumers within 30 to 45 days of receipt. Although Equifax, Experian and TransUnion all offer online dispute options, it’s best to carry out communications by mail. Physical letters provide a paper trail consumers can file, track and refer back to as necessary.

The way a consumer handles his or her finances, including making purchases, payments and credit requests, will impact the total FICO score because of the influence such habits have on each of the five elements on which the score is based.

Any patterns indicating reckless spending could prevent consumers from qualifying for card promotions, special deals and higher credit limits. However, those with short credit histories may benefit from charging the majority of their purchases to their credit cards as long as balances are paid off on time. Rather than demonstrating poor spending habits, such a pattern helps to establish a stronger credit history, making other financial products more accessible.

Credit monitoring to detect unusual activity reported to any or all of the big three CRAs is an important part of the overall scope of identity theft protection. Consumers need to be alerted to fraudulent activity as soon as it appears so that appropriate measures can be taken before irrevocable damage is done to their credit histories. Helping consumers better understand the elements of their credit reports provides the knowledge they need to spot errors, empowers them to take corrective steps when necessary and gives potential identity thieves fewer opportunities to compromise credit records.

Identity Management Institute offers a video course that teaches how to obtain, review, and correct credit reports. This video is available for purchase and is offered to Certified Identity Protection Advisor (CIPA) candidates, who are valuable resources for helping consumers.


Access certification is the process of validating access rights within systems. This process is mandatory for compliance and security risk management; however, it can be a very daunting process for some organizations with dispersed systems

Identity theft certifications issued by Identity Management Institute offer professional credibility, knowledge, employment opportunity, and career advancement. Organizations which employ identity theft certified professionals invest in valuable defense against identity fraud which affects the enterprise and their customers or members.


An increasing number of companies and government agencies recognize the growing identity theft threats facing businesses and consumers as well as the need for well-educated, trained and qualified professionals to mitigate identity theft risks. Employee error is a major root cause of many data breach incidents, which contribute to the rising identity theft epidemic. Therefore, trained and certified professionals in identity theft management are needed to take the lead within organizations to minimize risks, educate their employees as well as their customers, and ensure compliance with regulations. The consequences of identity theft are enormous and include lawsuits, fines and penalties, public relations nightmares, high identity theft resolution costs, damaged business reputation, lost customer loyalty, and low productivity, to name a few.

There are specialized identity theft certifications from which professionals can choose to complement their overall expertise and knowledge. For example, the US government recognized a few years ago that consumers continue to be vulnerable to identity theft due to businesses’ failure to prevent identity theft and protect their customers.

Assuming that businesses will continue to lose personal data and fail to prevent identity theft in their daily operations, the US government introduced the Red Flags Rule to provide specific guidelines for preventing identity theft and force companies to take the necessary measures to protect themselves and their customers against identity theft. “The Red Flags Rule fills the gap in the fight against identity theft whereby regardless of how or from where consumer data is stolen, criminals cannot use that data to commit identity fraud at any business where identity fraud is possible,” says Henry Bagdasarian, Founder of Identity Management Institute. However, for businesses to be successful in their identity theft prevention efforts and comply with the regulations, they must hire experts with identity theft certifications who can design, implement, and maintain an identity theft prevention program. Many companies are now required to design and implement a comprehensive program to identify and detect identity theft red flags, and prevent fraud cases resulting from identity theft. However, for the program to be successful, key employees, consultants and auditors of companies must be educated, trained and certified in identity theft prevention techniques.

Identity Theft Certifications

Below is a list of three identity theft certifications offered by Identity Management Institute and a brief description for each to illustrate how they complement each other by targeting a specific risk area in the identity theft cycle for complete identity theft management coverage:

Certified Red Flag Specialist (CRFS) workplace identity theft prevention certification

The Certified Red Flag Specialist (CRFS) is the leading workplace identity theft certification which is designed for professionals who help businesses prevent account fraud in connection with opening new accounts or existing account activities, complying with identity fraud prevention laws, and reducing fraud costs and related waste. CRFS is the recognized identity theft prevention training and certification which is designed in close alignment with the US government requirements set forth in the Red Flags Rule regulation.

Certified Identity Protection Advisor (CIPA) consumer identity theft certification

Whereas the CRFS professionals help businesses prevent account fraud resulting from identity theft without consumer involvement, the Certified Identity Protection Advisor (CIPA) is a consumer-centric program designed for professionals who serve consumers and business customers to protect their identities through awareness and education, credit report management, and identity theft victim resolution services. Consumer identity theft laws define business obligations and consumer rights which are designed to protect consumers from identity theft which may affect their accounts, credit worthiness and ability to borrow money, and credit reports.

Lastly, the Certified in Data Protection (CDP) professionals aim to limit data breach incidents within their organizations which can lead to personal data disclosure, identity theft, and fraud. CDP experts are able to identify and secure Personally Identifiable Information or PII in their business environment. They are also capable of responding to data breach incidents and ensuring compliance with data protection laws, and have knowledge about operational and system security controls. Data protection laws such as the General Data Protection Regulation or GDPR in the EU are increasingly requiring data protection experts to also be familiar with system security controls in addition to the operational and reporting aspects of the privacy laws. CDP is an exceptional certification which consolidates privacy and security best practices.


Identity Management Institute offers an Identity Theft Prevention Program certification service as part of its global and independent solutions. Due to the rise in identity theft cases which affect businesses as well as their customers and partners, many businesses are required by law to have a formal Identity Theft Prevention Program (“Program”) to identify, detect, and prevent identity theft in their day to day business operations. By instituting and enforcing identity theft prevention laws, the regulators intend to protect consumers from the consequences of identity theft which mainly affect their credit score and credit worthiness for obtaining loans on a timely basis. In the United States (“US”), the law requiring businesses to design and implement an identity theft prevention program is the Red Flags Rule.

The Identity Theft Prevention Program certification and audit is designed to provide businesses a reasonable assurance that their Program is in place and operating effectively. The Program certification also allows businesses to display their readiness for protecting their customers from the rising risks of identity theft and compliance with regulatory requirements. Many organizations require their business partners and third party vendors to provide evidence of their compliance with identity theft laws. The independent certificate of compliance issued by Identity Management Institute can be used by businesses to provide the necessary compliance evidence to their customers, business partners, and regulators.

A complete and effective Program is designed to detect, prevent, and mitigate identity theft activity in connection with the opening of new accounts or with existing accounts. The Program must be consistent with various laws, rules, and regulations. In the US, rules and regulations covering identity theft include:

  • Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) of the Fair Credit Reporting Act (“FCRA”) – Sections 114 and 315
  • Provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (amended section 615(e) of the FACTA)
  • The Securities and Exchange Commission (“SEC”) [17 Code of Federal Regulations (“CFR”) – Part 248, subpart C “Regulation S-ID: Identity Theft Red Flags”].
  • Commodity Futures Trading Commission (“CFTC”) [17 CFR Part 162, subpart C “Identity Theft Red Flags”].
  • Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”) requiring verification of the identity of persons opening new accounts through a Customer Identification Program (“CIP”) [31 CFR Part 103.122].
  • Federal Financial Institutions Examination Council (FFIEC) guidance entitled Authentication in an Internet Banking Environment requiring financial institutions offering Internet-based products and services to their customers to use effective methods to authenticate the identity of customers.

The Program certification process is an annual process which will validate an organization’s compliance with the regulations which include but are not limited to the following requirements:

  • A written and comprehensive Program which reflects changes in risk to customers or to the safety and soundness of the organization;
  • Program approval by the Board of Directors or its committee and senior management;
  • The designation of an Identity Theft Program Administrator;
  • Existence of a Customer Identification Program “CIP”;
  • Procedures for monitoring, detecting, and mitigating identity theft red flags during new account opening and ongoing account activities;
  • Authenticating account access and transactions for new and existing accounts;
  • Providing employee training concerning the Program and the procedures to review suspicious activities relevant to identity theft;
  • Providing customer identity theft awareness and education including techniques to help mitigate identity theft risks;
  • Oversight of service providers; and
  • Filing the necessary reports with governmental agencies.

Visit this page for additional information about identity theft prevention program services.

Self service identity and access management is increasingly embraced by users and companies and it is a matter of time before it’s widely adopted due to the many benefits it offers. Of all the expectations placed on the typical IT department, managing identity and access is perhaps the most challenging for a variety of reasons.

People are often the root cause of the identity and access management challenges but not necessarily because they have bad intentions or are malicious. They change roles, leave their companies, fall victim to phishing scams that lead to the theft of their access credentials, share passwords, use the same passwords for multiple accounts, and most of all forget their passwords.

As users experience problems accessing their systems due to reasons that were listed above, they contact the help desk expecting a speedy solution. Gartner estimates that each call to the helpdesk to reset a forgotten or expired password costs the company $50. In an organization with thousands (or hundreds of thousands) of employees, those costs add up quickly.

The Self Service Solution

Many systems offer self service features to employees and customers to reduce the burden on the IT helpdesk and improve productivity as system users can quickly reset passwords online without the IT support involvement. Although the self service identity and access management concept is not new, many systems still lack self service IAM features.

Around the Y2K crisis, it became apparent that the old helpdesk model was not scaling well, especially with regards to password resets. Thus, self service identity management allowing users to reset passwords and change basic account info started to attract attention.

Back in those days, self service user identity management was sometimes web-based, but more frequently used automated call attendants because system users were familiar with the process of calling the helpdesk.

Ever since the Y2K crisis when users and companies panicked and prepared for the worst to come, self-service IAM has become commonplace, and is now often accessed via both voice and web based systems. Many years of experience and millions of transactions have provided some perspective on do’s and don’ts for implementing self service identity management.

Self-Service Pitfalls

The success of self service IAM for password resets has encouraged the delivery of automated services beyond password management. This has sometimes resulted in system security weaknesses and other issues.

Here are some pitfalls to avoid when implementing self service user identity management:

  • Validating the identity of the user is absolutely critical. In the days of password reset by human helpdesk, the technicians often acted on “hunches” that they weren’t talking to a true account owner. Machines still don’t recognize hunches. Perhaps the self service IAM request is from the real user; or maybe it’s from a vindictive ex-husband. Social security numbers and validation questions aren’t enough any longer. Instead, consider a two-factor authentication method to confirm an identity.
  • Contact information like cell phone numbers and physical addresses must be validated. Employees might neglect to update their personal contact records because, thanks to direct deposit and email, people tend to be lazy or forgetful about updating their home addresses. To ensure data integrity, personal data must be validated upon updates and changes.
  • Keep expectations in check. Some self-service identity management solutions may offer short term savings, but chances are that any self-service IAM deployment won’t bring any immediate cost savings. However, the mid- and long-term prospects for cost savings on self-service IAM are excellent.
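
The first two pitfalls above (confirm the requester with two factors, and trust only contact data that has been validated) can be sketched as a small self-service reset flow. This is an added example, not code from the original article; the `Account` class, the function names, and the TTL and attempt-limit values are assumptions for illustration.

```python
import hashlib, hmac, secrets, struct

RESET_TTL = 600     # seconds a reset code stays valid (assumed policy value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per reset request (assumed policy value)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the second factor in this example."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(code: str) -> bytes:
    # Only digests of issued codes are stored, never the codes themselves.
    return hashlib.sha256(code.encode()).digest()

def _new_code() -> str:
    return f"{secrets.randbelow(10 ** 6):06d}"

class Account:
    """Hypothetical account record for this example."""
    def __init__(self, user: str, phone: str, totp_secret: bytes):
        self.user = user
        self.verified_phone = phone   # confirmed at enrolment
        self.pending = None           # (new_phone, code_digest) awaiting confirmation
        self.totp_secret = totp_secret
        self.reset = None             # [code_digest, expires_at, attempts_left]

def request_phone_change(acct: Account, new_phone: str) -> str:
    """Stage a new number; the returned code would be sent to that number."""
    code = _new_code()
    acct.pending = (new_phone, _digest(code))
    return code

def confirm_phone_change(acct: Account, code: str) -> bool:
    """Promote the staged number only after the owner proves control of it."""
    if acct.pending and hmac.compare_digest(_digest(code), acct.pending[1]):
        acct.verified_phone, acct.pending = acct.pending[0], None
        return True
    return False

def start_reset(acct: Account, now: float):
    """Issue a reset code addressed to the verified number, never a pending one."""
    code = _new_code()
    acct.reset = [_digest(code), now + RESET_TTL, MAX_ATTEMPTS]
    return acct.verified_phone, code

def complete_reset(acct: Account, code: str, totp_code: str, now: float) -> bool:
    """Require both factors; requests are single-use, expiring and attempt-limited."""
    if acct.reset is None:
        return False
    code_digest, expires_at, attempts_left = acct.reset
    if now > expires_at or attempts_left <= 0:
        acct.reset = None
        return False
    # Constant-time comparisons for both the delivered code and the TOTP value.
    ok = hmac.compare_digest(_digest(code), code_digest)
    ok &= hmac.compare_digest(totp_code.encode(), totp(acct.totp_secret, now).encode())
    if ok:
        acct.reset = None   # burn the request so the code cannot be replayed
        return True
    acct.reset[2] -= 1      # count the failure toward the attempt limit
    return False
```

A contact change that has been requested but not confirmed never receives reset codes, so altering the phone number on file is not enough to take over the reset path.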

Choose Your Battles

When implementing a self service identity and access management tool, only parts of the self-service solution may be needed by, and benefit, your organization. A requirements analysis must therefore be made to better understand the organization’s needs and reduce the risks to the company without creating any unnecessary audit and compliance issues.

Perhaps the most important part of deploying a self service identity and access management solution is remembering that one size does not fit all.

Visit the list of identity and access management vendors for self service solutions.

The fastest growing professional certifications in cyber security are the Identity and Access Management certifications and there are very good reasons why IAM certifications by Identity Management Institute have received enormous attention from the information security industry.

As we explore and analyze the information security landscape, we can understand why Identity and Access Management (IAM) is one of the fastest growing and most dynamic segments of information security which in turn increases demand for certified IAM experts.

First, information security risks and focus have been shifting away from the traditional system security management practices to identity and access management because companies have discovered that information security threats are as much internal as they are external. User access credentials are increasingly under attack by hackers who see great value in weaknesses in identity and access management practices, which they leverage to gain access to systems and data. Research reports indicate that most system intrusions are executed using stolen IDs and passwords. Highly privileged accounts introduce an even greater risk because any unauthorized access with these accounts provides additional capabilities which can be used to inflict greater damage. Therefore, identity and access management is as much about processes and people as it is about technology.

Second, with the ever increasing number of mobile communication devices and Bring Your Own Device (BYOD) policies, identity and access management has expanded beyond the enterprise devices. Companies which allow employees to use their personal devices for business purposes to reduce costs and improve device management for employees and businesses need identity and access management experts to manage device identities and their access to enterprise resources for a greater security posture of the organization.

Third, due to the flood of drones and other Internet connected smart devices also known as the Internet of Things (IoT), identity and access management will become even more complicated and important to manage new and evolving risks. These devices will include self-driving cars and smart robots which self-teach with artificial intelligence and perform tasks on behalf of their owners. Today, we all have smart phones and many of us will own robots in the near future which will perform tasks on our behalf. Today, we are just worried about the security of our smart phones which if compromised will disclose some of our most private photos, emails, notes, and other information. In the future, we will also have to worry about the security of our smart robots and devices not just because of the private information they contain, but also the connectivity they will have to other devices or the transactions they can perform on our behalf.

“Identity theft committed by humans today will transition to identity theft committed by devices tomorrow which will initially be controlled and guided by humans. As automated devices are empowered with Artificial Intelligence to become independent, self-taught, and smarter, they will over time have their own mind and potentially become corrupt” says Henry Bagdasarian, Founder of Identity Management Institute. “The rising deployment of the Internet of Things (IoT), and the arrival of automated cars, drones, and robots in all areas of personal and commercial markets as well as the increasing use of Artificial Intelligence validate this assessment”, he continues.

In addition, advancements in the areas of authentication technology, changes in identity services, and adoption of cloud services also require changes in today’s cyber security approach emphasizing the importance of identity and access management certifications. All of these evolving trends which are increasing risks for all organizations demand knowledgeable and qualified professionals who know how to assess risks and help manage human and device identities and their access.

In the future, information security managers must be much more proactive and fast in identifying risks before their organizations are impacted. This process requires very strong analytical skills to assess various security report data, open mindedness, and a vision to foresee the upcoming challenges and opportunities. These skills will not only help professionals identify risks but also propose innovative solutions in the form of new or improved products, services, and governance.

List of Identity and Access Management Certifications

Identity Management Institute is the leading Identity and Access Management certification organization which offers global IAM certifications.

Below, you find a list of identity and access management certifications within IAM career categories and web page links for quick access to program details:

Certified Identity Governance Expert (CIGE)®

Certified Identity and Security Technologist (CIST)®

Certified Identity and Access Manager (CIAM)® 

Certified Identity Management Professional (CIMP)®

Certified Access Management Specialist (CAMS)®

Certified Identity Protection Advisor (CIPA)®

Certified Red Flag Specialist (CRFS)®

Certified in Data Protection (CDP)®

Download “Becoming a Cybersecurity Expert” from the IAM certification page for details about the IAM roles in cyber security career choices.

Benefits of Identity and Access Management Certification

Some people may not see the value of professional certification in the marketplace and others may question the benefits of pursuing identity and access management certifications. Below are some questions that some may ask themselves when considering a professional IAM certification:

  1. Is the certifying organization providing awareness and training with periodic articles, newsletters, blogs, social media posts, discussion groups, and other resources which serve the greater society?
  2. Is the IAM certification name a registered trademark to protect the organization and its certificate holders?
  3. Is a process in place to list criteria for IAM certification and ensure certificate holders are qualified?
  4. Do the organization and its certifications stand out as the leader in the field?
  5. What value do companies and the industry as a whole place on certification?

Let’s attempt to answer the above questions and further explore each area:

The image or perception of the certificate issuer is extremely important. The issuer must be a recognized leader, credible, and trustworthy with integrity. Certifying organizations must provide services and value to their members and respective industries by:

  1. Defining a scope of responsibility for the profession,
  2. Drafting articles, newsletters, analysis, and documentation to expand knowledge,
  3. Assessing member knowledge through exams and/or background assessments,
  4. Providing training for up to date knowledge,
  5. Helping members share information related to the profession and employment, and
  6. Connecting members to one another and companies.

Certifying organizations also provide services and value to companies by:

  1. Ensuring employees are certified through formal assessments such as examination and enforcement of completed and required continuing education, and
  2. Connecting companies to certified members.

Certification Limitations

The total value that a professional may provide cannot be solely determined with a certification. Therefore, the certification can only provide assurance for some of the qualification factors that companies are looking for, which include education, experience, personality, appearance, passion or enthusiasm, creativity, integrity, and hopefully proven credibility and track record. The value of a certificate is determined by a combination of factors; however, a designation only complements the assessment that companies must perform to hire the best. For example, a certification does not guarantee that a person has great personality or creativity; however, it might provide assurance that the certified person’s knowledge has been assessed through an examination or other means of evaluation, and to some extent an assurance that the person is enthusiastic or ambitious because he or she joined a professional organization. A professional designation means that certified professionals have passed a rigorous certification assessment, including education and experience verification by the certification organization, and that certified members continue to be involved in their chosen professional field and take the necessary training to maintain up-to-date knowledge.

And lastly, in order to assess the importance of having certification, the view or perception of a hiring company and its management must also be considered. A certificate, like everything else in life, has no value except the value we give to it; therefore, the degree to which a hiring company and its management value professional designations is important when evaluating a certificate’s true and overall value. If management strongly considers a certificate or even requires one from job applicants, then the certificate’s overall value increases accordingly. In general, there are some people who recognize and highly value the benefits of professional certifications, and there are others who have no respect for them. Interestingly, those who don’t respect certifications also lack professional designations.

It is commonly said that a professional certification increases the overall value of an employee, and those holding a professional designation earn higher salaries than their counterparts who do not have a professional certification. It’s somewhat true that certified professionals can demand higher salaries and find jobs much more quickly, especially in tough economic times when the job market is much more competitive. A person has nothing to lose but everything to gain with a little investment to be involved in a professional organization and maintain a professional designation. It takes very few resources to gain a competitive advantage when looking for work, and a professional certification from a recognized organization offers that competitive advantage. The cost of professional certification and membership is well worth the investment for a long and prosperous career.

Even if some companies do not reimburse the cost of the certification such as membership, study guide, training and exam fees, it is still recommended to aim for the desired IAM certification in your chosen field since no one really cares about your career as much as you do. The resources that you allocate to a professional organization or certification program are never wasted given the value you receive in return such as networking, knowledge, and credibility.

On a final note, a certification which has been registered for trademark protection will ensure that the certification will maintain leadership in the marketplace and offer protection to the certifying organization as well as its members for many years to come.

Identity Management Institute has carefully designed IAM certification programs for the identity management field which evolve as the industry evolves. All the programs have been registered for trademark protection and continue to be recognized internationally as leading identity and access management certifications in the cyber security field.

Why Are Identity and Access Management Certifications Important

One of the questions in the certification applications is about why identity and access management certifications are important to the applicants. Below are a few samples from actual member applications:

  • Having certification will help greatly in my professional career. Most of the Federal clients prefer to have certified professionals.
  • I have been a thought leader in IAM for years. I have helped my company to significantly improve their programs with automation, self-service and most importantly governance and security. The CIAM designation would help me validate my expertise and accomplishments.
  • I intend to become a Certified Identity and Access Manager to expand on my IAM knowledge and skillset. In addition to my Information Assurance MS degree, it will support my contribution to society by allowing me to practice what I’ve learned about IAM and reinforce its importance in the systems and people I work with.
  • Protecting user identity in cyber and cloud environments utilizing various cybersecurity tools will require knowledge, certification, and credibility. CIST will give me the credibility to continue working and supporting the industry and the enterprises to build cyber resiliency technology to manage the identity of the users. Today’s enterprises and social media tools would need CIST experts to help enhance their security capabilities to provide better cyber protection and prevention against the adversaries.
  • The CAMS certification would validate my several years of experience serving on projects as a project manager/business analyst in the identity access management field, including extensive experience directing and leading user support teams with activities related to role-based access control, audit report reviews, and user identity validation. The CAMS designation would expose me to more career opportunities that could leverage my experience for complex and challenging projects.
  • Protection of IT systems is data driven as we have witnessed from recent breaches that resulted in huge fines and losses on many fronts. CDP designation will position me to support my organization and provide expert advice with cost effective solutions to protect data.
  • The CIGE will further demonstrate my commitment to identity governance and strategic planning across technology and security. It is my hope that this IAM certification and membership in the IMI will allow me to further grow and practice sound identity governance.
  • My current duties are specifically around Identity Management. The CIMP certification will validate my expertise in the field.

Visit the IAM certification page to learn more about identity and access management certifications and select the best certification for your career.