For context, I am a one person security team as a ISM. Other IT departments are Network, Systems, and Customer service that are under a completely different direction. There has a small about of push-back when I speak on access management roles/responsibilities and separation of duties. What are some opinions on what is the best take on access management ownership with AD and Entra ID, and other services?
If you are having resistance about it, I think the first step is to engage higher organization levels showing evolved risks. If you get green sign of them next steps are: 1) training teams about security and risks; 2) review organization's security policy; 2.1) maybe create a standard about IAM's administration; 3) implement IAM policy
There is no formula about which team should do what, each organizations has its own way of working. It isn't a question of organizational chart, it's a question of resposibility. The most important thing is to ensure teams are aware of the their roles in the security implications.
Heavily involved (from initial evaluation to post-transaction integration)23%
Moderately involved (only during specific phases)69%
Minimally involved (occasional consultation)8%
Not involved
View Results
Do you believe that it's possible to still have security programs if security policies for the lead cannot be officially published or enforced on their organization?
If you are having resistance about it, I think the first step is to engage higher organization levels showing evolved risks. If you get green sign of them next steps are:
1) training teams about security and risks;
2) review organization's security policy;
2.1) maybe create a standard about IAM's administration;
3) implement IAM policy
There is no formula about which team should do what, each organizations has its own way of working. It isn't a question of organizational chart, it's a question of resposibility. The most important thing is to ensure teams are aware of the their roles in the security implications.