Access Standards Alignment Project

Project complete: Raising the bar on access standards

While the EIAM program has been exploring opportunities to improve security and reduce vulnerabilities regarding identity and access management, the Access Standards Alignment Project (ASAP) focused on the current and future state of access controls within Michigan Medicine.

In particular, ASAP’s task was to compare current authentication, authorization, and access standards with those identified as best practices by the National Institute of Standards and Technology (NIST). The project analyzed the current state of data security at Michigan Medicine with the five step model below:

Create Standard, Define Security Control, Identify Tools, Implement Tools, Monitor & Metrics

The team reviewed 10 access security controls, among them password management, login controls, separation of duties and roles, and session lock after inactivity. For each one of these controls, it is only when all five steps are implemented, that security measures are considered to be at low risk.

Results and recommendations

The project identified a need for clearer and stricter controls to help secure Restricted, High, Moderate, and Low risk data. Gaps and recommendations were identified in each of the 10 areas with a goal to initiate further discussion. Foundational recommendations were also made including the need to establish and maintain an application database and implement regular internal monitoring and auditing.

The project completed in June 2018. See News and Updates for details in the status report. If you’re interested in learning more about this project, please contact the EIAM program team.