EIC 2012 Session: IAM Governance in the New Commerzbank

Before I hand over, I would like to introduce di Resk to you di has both an it as well as a business background. Yes. He started off as a project management, I guess, moving on to, to HR I T topics and now landed in the identity and access management arena. And I think you have a lot of stories to tell, especially also when ING span with Rayna bank and so on, on the forth. I think that sounds all very interesting. And we are curious to hear your presentation.

Thanks, Badal one. Welcome from my side this afternoon, I have the pleasure to start now in our stream topic I've chosen is I want to share with, with you my experience we made in command span within integration with setting up the new authorization management system. And therefore I put on the agenda first, what are requirements and regulatory needs to this? I think we have discussed it quite rightly this in the morning sessions so we can skip quite short over it. And then a short look to our program structure. How was the setup set up of it? And then main part in the middle.

What was the design and the setup we've chosen for our authorization management in new CED bank, after integration with Rener bank, how did we make the setup of the accountabilities responsibilities and the depending structures? What are our first experiences we've made in the first big re-certification process we did last year, and then overall the summary. What are our achievements in the last year and how was the topic going on this year? And next year's even two. So first look, I think should be clear to all of us.

We have regulatory needs like ma risk or the things they are mentioned here on the slides, but this is the one side of it. As the colleague from the B mentioned before in his presentation. The other side is we have to fulfill these needs too from business reasons. Cause we are dealing every day with critical customer data in our systems, and we have to secure these data and the depending money on it to avoid money losses.

And of course, to the more severe reputation losses, which are going on with these two, if there is a lack or a misuse of these data, and then here you see it again, we will fulfill the regulatory compliance risk management, and even of course, process efficiency too. Cause so far before we will take a short look later on on it. When we make a re-certification of applications and we revoke certain user rights, then we don't have to the need to use the license again in this amount we used it before.

So we can save license cost in the end, too, in this gains to, to the process efficiency Here, short definition, when I'm talking about am governance, I'm talking really about the governance concerning this topic, including how are we using with income Matthias bank de regulations, the rights in our internal descriptions and rules and regulations we've done primarily with our security colleagues and then the authorization management itself with income span. This means how does the user at the end of the day is getting his yeah, access rights he needs.

And these are provisioned either automatically by ODM system or by one of our shared service units. So how was the, the setup? First of all, we had a big attention of board members in our steering committee. We have three members of the board in it and there you can see quite good backing of this topic. And this is quite responsible too, for getting this through the bank. And then in the program we had the last year's my project, the authorization management governance. We take a deeper look on it on the next slide, the three in the middle.

What did we do there by Comy release maxil we did a Comy release exchange in the last year for our IDM system, which is called Comy. Then we made a reorganization of our am administration processes as well. And the task force deals with topics of recertification of files and shares. Cause we also have to recertify these things too, and not only applications. And the last one on the side is my partner project called control objective initiative, COI.

This is dealing with the scope of recertifying privileged accounts, primarily those on it environment and infrastructure components like accounts on unique shelves or databases. So these admin accounts, the series projects in the middle by having done the integration with ner bank last year, we ended up last year and we closed them down and my project and koi is going on this year.

And the next year's two as strategic bank project, what was in the scope of my project, the last year Five streams, we took a look at our workflow systems for authorization management to find here, set up for a new solution. We did the first wave of recertification of our critical banking applications. We did the complete rollout for the new responsibilities in our am governance last year for the critical applications.

And we did, of course you can mention that structural reassessments after integration, we revoked several accounts, which were not needed any longer after we had done integration quite successfully. And then of course the part of conception and optimization here, we dealing with topics. Is it the right way for the future to put on our access rights, to parts from cost centers also on, or should we bind them better to job profiles or something like that to find here good, mixed and structure for the, for the next years.

So, first of all, when we started in the program, we set up with the security colleagues, our so-called house or model of our new governance. So we defined the model. We took a look at the regulatory needs and how want, how do we want to live with them in our house with income bank? And we put them in directives and procedure instructions for our house. Then we made a proof of concept of this model. And by the middle of last year, we started the rollout. Why middle of last year?

Cause as we remember Easter last year that we did the final step of integration and this had to be done first before we started with this activities here, all the content and all the necessary information we put on the central am, Porwal in our intranet. So all the responsibilities like role managers, authorization management offices can inform themselves every time, what are the needs? How are the processes and how are things going on? And even our employees can see, what do I have to do if I need a certain access, right? And what is the process to it?

Let's take a look to the main parties in authorization management, in command spank. We put it together for three parts. First of it is GSS E the security guys. They set up the model, the defining the roles, responsibilities, the processes, and so on from me, I'm part of the organization. The second one, I'm responsible for the implementation of these processes and for coordinating all the rollout things. It is providing us with the necessary systems and necessary data we need, for example, to do a recertification.

And as we have seen in the presentation from the colleagues before the responsibility for having the right access rights in the business line is in the business line. They can't exclude them from this responsibility. So the senior manager of a business unit has to take care and has to, has to assure that his employees have the right access rights. And this is fulfilling the needs of segregation of duty need to know principle and so on. And last below HR is important for us. Cause many of our access rights are quite linked, close together to HR parameters like cost centers or job profiles.

And so on in the business units, we implemented these responsibilities. You can see here on this slide, on the management level, so called authorization management officer, our AMO then for the single applications, the responsible one is the business coordinator. And on his side is the role manager. It's quite similar from the contents as Behar current showed us to the, this morning different names, but similar content like in German bank here, you can see the AMO is the responsible executive manager of being responsible for the access rights for one business unit.

So we have one AMO for each business unit, the business concept coordinator, the BC Is the one of being responsible for one application. So he knows exactly what user rights are in an application and what can be done with this rights and who should use this rides and what users are not allowed of these rides. And the role manager is the one working quite close together with the business coordinator of defining the necessary business roles for the business unit, which are needed.

So what single access rights does perhaps the credit officer need in our house to fulfill his job properly and out of the, the single applications. And this is combined in command spank in a so-called business role Here, you'll see the responsibilities on the separate levels.

On the top level strategic, we have a so-called group operating committee, similar, the one in, in German bank we've seen in the presentation before then on the tactical level, we bind together the three parties of security organization and it in the so called central control function, authorization management, the set SPM central management in German, they are preparing the decisions for the, for the GC and on the operational level, we have our shared service units for providing the necessary access rights to our users and employees.

This was the central view of it, the decentralized view of it for the business units. Yeah. You can see above again, the GOC then in the middle, the management with his ammo on executive level, being responsible for the access rights in the business units and below on the operational level, the role manager and the business coordinator who have to work quite closely together to provide the necessary access rights to each user in the business unit Here you see, yeah. Was a lot of work last year.

Cause we only had the second half of the last year for it first Easter and the finalization of the integration process. And then these next activities and here can see yeah, a part of our role, our plan for setting up the new responsibilities. And what we did is we made information workshop with each of the Amos, the role managers, the business coordinators of our top critical 300 banking applications and inform them about the new governance and the new structures and their renew responsibilities.

Cause our thought was, and I think it was right from the procedure that it would not be enough to describe this in a theoretical document and to put it somewhere in our internet, you have to go into the dialogue with these colleagues and to make it clear, what is your responsibility? What is mine? And how does these procedures work together? Main documents are our authorization concept. We developed a new template for it to unify it for, for our bank. Then of course we need a security concept.

And then off the operation concept, I think similar as in other houses too, and on the next slide, we will take a short look how these documents are playing together and how we use them content of our authorization concept. You can see here a bit. So we are asking, for example, what kind of technical user accounts are used in this banking application? Or are there one, how is authorization managed? How is the process for us? Is there an ma risk, exception process or authorization going on in this application and on the second slide or I think the, the marking is wrong. Must be not number seven.

It's number six. The main part is the description of the authorization groups and the description of the functions. Cause often these authorization groups are technical codes like TX 1, 2, 3, and there's no description and nobody can tell you, what is this authorization group doing if you have not a clear description.

So it, and so a line manager cannot decide, does my employee need this authorization group or does he not? If he does not know what is the content of it? Therefore this description is a very necessary point for us. And here you get a bit an impression how these documents work together. And what is the part of the business coordinator?

The BC we see it below and the role manager above the business coordinator is describing in this template office business concept, the specific single access rights, as you can see there, for example, for reading rights in Lisi, in a limit system or for doing certain things in customer systems, and then the role managers can pick out from these concepts of each application, the necessary rights, one job profile needs in his business unit to fulfill his job quite well and put this and bind this together in a so-called business role, Let's move on to our first recertification process.

And what we did is risk based assessment on our recertification. Cause as the colleague from baring told before, you can't do everything, you have the, the, the necessary things to do all the things you need to, you have to focus on the, on the risk based things and with income Matthias bank, approximately we have 2000 banking applications. Not all of them are same critical. So in the first step we did a risk based assessment looking at these applications and trying to find out is ma risk data protection fraud.

And Soran, you can see the criteria on the slide here invented by these application or not. And then we came down to a number of approximately 300 critical banking applications.

But again, for having only the second half of the last year for this first big re-certification wave after integration, 300 was too much was not manageable. And we discussed it again, a dialogue with the regulators and with our auditors too. And we break it down to roughly 60 applications, 50 plus 10 for having a scope for the first recertification wave last year. And this year in 2012, we will do 150 and next year, all the 300, How do we do this? We talk with the it guys for providing us with the necessary data from the application systems.

We match to this data in the data collection phase, the organizational and HR data, so that we can see, okay, this is cloud Mayer sitting in organization, and he has user access rights to the limit system. And with the description I mentioned before, then his line manager can approve in this ongoing process. Does this employee need this access rights or does he not? And can it be revoked?

So, and here you can see what we have already achieved last year. You see in the first re-certification process on account level for this approximately 60 applications we put in and you see it in the re-certification column, approximately 40,000 accounts in this recertification wave, 35,000 of them were agreed.

And 5,000 we've been revoking in this first quarter of this year. And you see the yeah, high numbers of structural resettlements in the fourth column after integration, we did a validation of the general access rights and we revoked approximately 80,000 user access rights groups. And even we did a second wave of it in it, two in autumn last year after having done the it integration by Easter last year. And there we revoked again, approximately 50, 55,000 user access groups and, and rights. How's the topic going on this year.

And even the next years you see, we are staying on our topics from last year implementation of a new workflow system. We named it come flow quite well linked to our identity management system com D therefore we binded together with the com D enhancements. We are doing the next wave of recertification doing the 150 as I made this slides. The 150 were not quite a finalized. In meantime, we did the finalization with it.

And again, we discussed it with banking authorities and with our auditors. And for the next years in perspective, we will do it as follows for our critical applications amount of 300. We will do it in a shuffle principle for two years, we will take the 300 divide them into 150 and doing in the first year for the first trans of the 150 applications, re-certification on the light account level and for the other 150 on the deep user access rights level. And then we change it in the second year.

So in the shuffle principle of two years, we are done and have done a recertification on the deep user access rights level for these critical one applications. Then for the rest of our important applications, we will only stay for the recertification on the access rights level and not going to make this deep dive to the user access rights. This is not necessary as our talks show with regulators and auditors. And then of course there's a part of applications which are not necessary to take a look at like, yeah, visual or for example, might match.

Cause what is the damage that such applications can cause nothing, but if you have a wrong access, right, in a limit system for credits in a bank, this can cause pain. So this was the middle column of recertification. And then we will finish our activities of implementing the new authorization concepts and adjusting them with the content by the middle of this year, by helping the business colleagues to fill up the necessary content in this concept.

Yeah, so far in a, in a brief walkthrough to our first experiences in this topic. Thank you. Thank you, Jo. It was a very impressive presentation and I think it, I got a very good impression about the complexity and also the well structured approach of, of your project. Before I hand over to the, to the audience for, for further questions, perhaps to do one, one question, to get a better understanding of the size of this, how many people did you need, or do you need to, to survive something like that in an organization like Koman.

And second one, how important is senior management support for this? Okay. Yeah. Thanks for this questions. In very high times last year, we had involved up to 40, 50 people, internal and external in this topics. Now this year, we are driving these topics with the amount of, let's say, half of it, 20. So we size it down. We put some activities back to the, to the line managers where they, where they belong to and don't make them further on in our project activities, but they are doing, or they are done in the line unit this to the first question.

And second, yes, backing off management is quite important to get this done in, in a, in a organization without backing. Sometimes you have no chance to get these things done. Cause if only I tell a business coordinator, come on, you have to fulfill this new template and you have to put in your content in this content.

He says, okay, come on in a, in a quite bad or wrong way, who cares. But if the senior management told him this is necessary and there's the attention of the board on this topic, then it makes the play quite easy. Thanks for, thanks for the answer. I would probably have another of a couple of more questions, but I will save it and rather give people in here the opportunity to ask them, please. Thank you. Good afternoon, Dr. Fairchild from constellation research, you talked about in the structural cleaning that you removed several thousands accounts. What did you find there?

Why was there such a large number? Why was it so high?

Yeah, no, no doubt about that. Cause we did the integration with the big bank Dressner bank and the main focus during the integration was to keep the business running and not infected by, by revoking accounts. And therefore, of course, we talked with regulators and auditors too.

We, yes, we, we did some, some more user access rights or, or some, some of our employees had some access rights, more they needed even for doing at the, or for the it colleagues to do the, the integration activities. But after these have done, we had to, to make clear, we revoke these access rights quite nearly to, to, to have done the, the integration activities. We may have roof room for another question. Here's one, You, Your dinner Bosch and Siemens's household appliances I've seen in your organizational chart, that was a taskforce for complexity reduction.

What was their approach Approach was, and, And sorry. And maybe also some lessons learned or aha effects out of that taskforce. Okay. Yeah. Focus of the taskforce was to take a look of the necessary certification of our files and shares and even on together with the coy colleagues on the infrastructure components. And one lessons learned I can can share is we have with income Matthias bank, I think amount of 7,500 Unix machines in our house, are they all same or equal important? No.

So here we made a risk approach to, we made a mapping on which of these Unix machines are running critical banking applications. And these 2000 machines we did in the first wave of recertifications and the other ones we are doing step by step. Last question, probably. Yeah.

So, so Martin Zachary, so perhaps I missed it in your presentation, but was there, I mean, in the end of the project, did you see, was there kind some kind of assessment by management about the, the, did the overall impact in sense of, were there lasting security incidents and was there also a driver at the beginning in terms of security incidents? I mean, did you see a drop?

I didn't, I did management ask for this, like, so what in the end did we achieve? Yes, of course.

When, when you take a look again or you will see it in the documentation on, on the first slide, you see that we haven't fulfilled either command bank and resale bank in the last years, all the regulatory needs by the regulators. And that was the main part our management was driven by and therefore of course we have to, or we have the findings in, in our scope and to close these regulatory findings by doing these activities here, No clear link to security incidents. No. Okay. Thank you.

Thank you, Doug. I think it was very interesting session. Thanks for being here. And please give, we can Thanks a lot.