Security Audit and Governance Week 2 Assignment

The document evaluates the cloud controls of ServiceNow's Identity and Access Management domain, focusing on five specific controls: Separation of Duties, Least Privilege, User Access Provisioning, User Access Changes and Revocation, and User Access Review. Each control is analyzed for its specifications, implemented measures, and associated risks, highlighting threats from malicious insiders and unauthorized users, along with vulnerabilities and potential impacts. The overall risk for these controls is assessed as high due to the potential for unauthorized access and data breaches.

Gospel Okororie - 100908710

MGMT 1216-04 Security Auditing and Governance

Week 2 – Assignment

Week #2 – Independent/case study – Risk event exercise:

Evaluate the cloud controls of a recognized product's CSP. Select at least one control class domain and
choose five controls from it. Analyze both the control specifications and the implemented controls, and
identify the threat agent, threat, vulnerability, impact, and risk.

CSP – ServiceNow

Control Class Domain: Identity and Access Management

1. Separation of Duties
2. Least Privilege
3. User Access Provisioning
4. User Access Changes and Revocation
5. User Access Review

1. Separation of Duties: Employ the separation of duties principle when implementing information
system access.

Implemented Control:

ServiceNow User Identities:

ServiceNow's Information Security Policy requires that a reasonable attempt to segregate duties, areas
of responsibility, and access be made based on risk, without impacting ServiceNow’s ability to effectively
support its customers and operations. The intent of such segregation shall be to address the potential for
abuse of authorized privileges and to help reduce the risk of malevolent activity without collusion. The
majority of ServiceNow personnel have no access to any systems hosting customer data, or to customer
data in general.

Customer Instance User Identities:

ServiceNow customers are responsible for the management of user identities within their instances. This
includes the creation of individual identities (credentials) for each of their users, both internal and
external, the methods used to authenticate those users, password policies (for built‐in authentication),
and the entitlements and access levels granted to those users.
Threat Agent: Malicious insider threat. Disgruntled worker. Unauthorized user. Malicious threat actor
who has gained access to

Threat: Unauthorized access, data breach, exfiltration of sensitive data.

Vulnerability: Lack of proper access controls and separation of duties. Lack of security awareness
training. Lack of detailed job descriptions and responsibilities.

Impact: Loss of sensitive information, reputation damage, financial loss, and major impact on people,
processes, and systems.

Risk: High risk.

2. Least Privilege: Employ the least privilege principle when implementing information system access.

Implemented Control:

ServiceNow User Identities:

ServiceNow's Information Security Policy requires that information system access be designed based on
the principle of least privilege and role-based access. The majority of ServiceNow personnel have no
access to any systems hosting customer data, or to customer data in general.

Customer Instance User Identities:

ServiceNow customers are responsible for the management of user identities within their instances. This
includes the creation of individual identities (credentials) for each of their users, both internal and
external, the methods used to authenticate those users, password policies (for built‐in authentication),
and the entitlements and access levels granted to those users.

Threat Agent: Malicious insider threat. Disgruntled worker. Unauthorized user.

Threat: Unauthorized access, data breach, exfiltration of sensitive data.

Vulnerability: Weak or missing access controls and separation of duties.

Impact: Loss of sensitive information, reputation damage, financial loss, and major impact on people,
processes, and systems.

Risk: High risk.

3. User Access Provisioning: Define and implement a user access provisioning process which
authorizes, records, and communicates access changes to data and assets.

Implemented Control:

ServiceNow User Identities:

New user access requests are recorded in tickets, approved by the user's manager, and provisioned by an
identity and access management system. The majority of ServiceNow personnel have no access to any
systems hosting customer data, or to customer data in general.

Customer Instance User Identities:

ServiceNow customers are responsible for the management of user identities within their instances. This
includes the creation of individual identities (credentials) for each of their users, both internal and
external, the methods used to authenticate those users, password policies (for built‐in authentication),
and the entitlements and access levels granted to those users.

Threat Agent: Malicious insiders, unauthorized users

Threat: Unauthorized access, data breaches, misuse of data and/or exfiltration of sensitive data

Vulnerability: Weak access controls, lack of user access provisioning policies

Impact: Loss of data, data breaches, sustained negative media coverage and reputational damage

Risk: High

4. User Access Changes and Revocation: De-provision or respectively modify access of movers / leavers
or system identity changes in a timely manner in order to effectively adopt and communicate identity
and access management policies.

Implemented Control:

ServiceNow User Identities:

ServiceNow utilizes an identity and access management system to automatically remove information
system access on a user's termination date. Reviews also take place when personnel change roles within
ServiceNow. The majority of ServiceNow personnel have no access to any systems hosting customer
data, or to customer data in general.

Customer Instance User Identities:

ServiceNow customers are responsible for the management of user identities within their instances. This
includes the creation of individual identities (credentials) for each of their users, both internal and
external, the methods used to authenticate those users, password policies (for built‐in authentication),
and the entitlements and access levels granted to those users.

Threat Agent: Malicious insiders, unauthorized users

Threat: Unauthorized access, data breaches, misuse of data and/or exfiltration of sensitive data

Vulnerability: Weak access controls, lack of user access revocation policies, lack of automated access
revocation.

Impact: Loss of data, data breaches, sustained negative media coverage and reputational damage

Risk: High

5. User Access Review: Review and revalidate user access for least privilege and separation of duties
with a frequency that is commensurate with organizational risk tolerance.

Implemented Control:

ServiceNow User Identities:

ServiceNow utilizes an identity and access management system to maintain an inventory of identities
including level of information system access. At a minimum, quarterly entitlement reviews are carried
out to ensure that personnel have the appropriate logical access rights assigned to them. Reviews also
take place when personnel change roles within ServiceNow. The majority of ServiceNow personnel have
no access to any systems hosting customer data, or to customer data in general.

Customer Instance User Identities:

ServiceNow customers are responsible for the management of user identities within their instances. This
includes the creation of individual identities (credentials) for each of their users, both internal and
external, the methods used to authenticate those users, password policies (for built‐in authentication),
and the entitlements and access levels granted to those users.

Threat Agent: Malicious insiders, unauthorized users

Threat: Unauthorized access, data breaches, misuse of data and/or exfiltration of sensitive data

Vulnerability: Weak access controls, lack of user access review policies

Impact: Loss of data, data breaches, sustained negative media coverage and reputational damage

Risk: High
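The three review steps the implemented controls describe (a separation-of-duties check for control 1, revoking access of leavers on their termination date for control 4, and a quarterly entitlement review for control 5) can be expressed as checks over an entitlement inventory. The script below is an added example written for this page; it is not ServiceNow's code or part of the assignment. The roster, entitlements, role names, conflicting role pairs and dates are all constructed sample data, and the 90-day review window is an assumption taken from the "at a minimum, quarterly" wording above.

```python
"""Access-review checks over an IAM entitlement inventory (added example).

Models separation of duties (control 1), timely revocation for leavers
(control 4) and the periodic entitlement review (control 5). All data,
role names and conflict pairs below are constructed, not any product's schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# Role pairs one identity must never hold together (constructed assumption).
SOD_CONFLICTS: frozenset[frozenset[str]] = frozenset({
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"change_request", "change_approve"}),
})

REVIEW_PERIOD_DAYS = 90  # "at a minimum, quarterly" entitlement reviews


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    last_reviewed: date  # when a reviewer last revalidated this grant


@dataclass(frozen=True)
class Person:
    user: str
    termination_date: date | None  # None for active staff


def find_sod_conflicts(entitlements: Iterable[Entitlement]) -> list[tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every conflicting role pair a user holds."""
    roles_by_user: dict[str, set[str]] = {}
    for e in entitlements:
        roles_by_user.setdefault(e.user, set()).add(e.role)
    findings = []
    for user, roles in roles_by_user.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:  # user holds both roles of the pair
                a, b = sorted(pair)
                findings.append((user, a, b))
    return sorted(findings)


def find_unrevoked_leavers(entitlements: Iterable[Entitlement],
                           roster: Iterable[Person], as_of: date) -> list[tuple[str, str]]:
    """Return grants still present for people whose termination date has passed."""
    terminated = {p.user for p in roster
                  if p.termination_date is not None and p.termination_date <= as_of}
    return sorted((e.user, e.role) for e in entitlements if e.user in terminated)


def find_overdue_reviews(entitlements: Iterable[Entitlement], as_of: date,
                         period_days: int = REVIEW_PERIOD_DAYS) -> list[tuple[str, str]]:
    """Return grants not revalidated within the review period ending at as_of."""
    cutoff = as_of - timedelta(days=period_days)
    return sorted((e.user, e.role) for e in entitlements if e.last_reviewed < cutoff)


def run_access_review(entitlements, roster, as_of: date) -> dict[str, list]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "sod_conflicts": find_sod_conflicts(entitlements),
        "unrevoked_leavers": find_unrevoked_leavers(entitlements, roster, as_of),
        "overdue_reviews": find_overdue_reviews(entitlements, as_of),
    }


# Constructed sample data for a review run on 2024-04-01.
AS_OF = date(2024, 4, 1)
ROSTER = [
    Person("alice", None),
    Person("bob", None),
    Person("carol", date(2024, 3, 15)),  # left before the review date
]
ENTITLEMENTS = [
    Entitlement("alice", "vendor_create", date(2024, 2, 1)),
    Entitlement("alice", "payment_approve", date(2024, 2, 1)),  # SoD conflict
    Entitlement("bob", "change_request", date(2023, 11, 1)),    # review overdue
    Entitlement("bob", "itil", date(2024, 3, 1)),
    Entitlement("carol", "itil", date(2024, 1, 10)),            # not revoked at termination
]

if __name__ == "__main__":
    for check, items in run_access_review(ENTITLEMENTS, ROSTER, AS_OF).items():
        print(f"{check}: {items}")
```

Each finding maps back to one of the controls: an SoD conflict means the role model lets one identity both request and approve; an unrevoked leaver means the automated de-provisioning on the termination date did not fire or the HR feed and the inventory disagree; an overdue review means the quarterly revalidation was missed for that grant. Feeding the real identity inventory and HR roster into these functions in place of the constructed lists turns the checks into audit evidence for the three controls.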
