A 14-point plan for starting an Identity Management Program
Ullas Tharakan is an Identity Management Champion who has been involved with Fortune 100 companies in Identity Management implementations.
1. Identify executive leadership. An executive sponsor needs to champion the new Identity Management Program
2. Identify Goals, Objectives and ROI of Identity Management Program
a. Evaluate Points of Support – Compliance Audit, Security Compromises etc
b. Better Helpdesk
c. Improved Security
d. Better User Management control
e. Etc
3. Select a point person. The CISO or another information security leader should manage day-to-day activities and should be held responsible for championing the program. This person will have the authority to drive the program.
4. Define an Application Profiling Program. Try to tie business objectives to security objectives. Evaluate the authentication, authorization and user management processes of existing applications.
5. Risk Profiling of Applications – Review traces of historical problems in each application. Evaluate on these parameters:
a. Revenue Impact
b. Level of Security
c. Resulting Help Desk Calls
d. Information Managed by Application
6. Establish a Priority Matrix of applications based on application risk, and create buckets of 5 applications for each phase.
7. Evaluate and Consolidate the Global Directory Initiative – A central store will be key for the Identity Management program. A good user attribute design requirement will ensure a balance between business logic and Identity Management logic.
8. Kick Off a Role Engineering Program – A crystal clear role structure in the organization will lay the foundation for a solid Identity Management Program. Many Identity Management programs are crippled because the application stakeholders fail to understand this issue.
9. Define a Phase-Wise Program – Identity implementation works best, and most smoothly, when done in phases. Avoid the BIG BANG approach, and follow these guidelines:
a. Start with a Foundation Build with three low-priority applications
b. Add 5 applications (3 Normal, 1 Medium, 1 Complex)
c. Repeat point “b” till you find a logical end
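As an added example that is not part of the original post, the Python below scores an application inventory on the four item-5 parameters, builds the item-6 priority matrix, and cuts it into the item-9 phases (three low-priority applications for the foundation build, then batches of 3 normal, 1 medium and 1 complex until the pools are empty). The 1-to-5 scales, the equal weighting and the sample inventory are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

PHASE_QUOTA = {"normal": 3, "medium": 1, "complex": 1}  # item 9b batch shape: 3 normal, 1 medium, 1 complex

@dataclass
class App:
    name: str
    revenue_impact: int    # 1 (low) .. 5 (high): revenue lost if unavailable or compromised
    security_gap: int      # 1 .. 5: weakness of current authentication/authorization controls
    helpdesk_calls: int    # 1 .. 5: volume of identity-related help desk calls
    data_sensitivity: int  # 1 .. 5: sensitivity of the information the application manages
    complexity: str        # "normal", "medium" or "complex" (item 9b)

    def risk_score(self) -> int:
        # Equal weights are an assumption; tune them to the organisation's risk appetite.
        return self.revenue_impact + self.security_gap + self.helpdesk_calls + self.data_sensitivity

def priority_matrix(apps: List[App]) -> List[App]:
    """Item 6: rank applications by risk, highest first (name breaks ties)."""
    return sorted(apps, key=lambda a: (-a.risk_score(), a.name))

def phase_plan(apps: List[App], foundation_size: int = 3) -> List[List[str]]:
    """Item 9: foundation build on the lowest-priority apps, then 3/1/1 batches drawn
    highest-risk-first from each complexity pool until every pool is empty."""
    ranked = priority_matrix(apps)
    foundation = ranked[-foundation_size:] if foundation_size > 0 else []
    remaining = ranked[:len(ranked) - len(foundation)]
    pools: Dict[str, deque] = {kind: deque() for kind in PHASE_QUOTA}
    for app in remaining:
        pools[app.complexity].append(app)  # KeyError here means an unknown complexity label
    phases = [[a.name for a in foundation]]
    while any(pools.values()):
        phase = []
        for kind, quota in PHASE_QUOTA.items():
            for _ in range(quota):
                if pools[kind]:
                    phase.append(pools[kind].popleft().name)
        phases.append(phase)
    return phases

# Constructed sample inventory (not real data): name, revenue, security gap, calls, data, complexity.
INVENTORY = [
    App("payroll", 5, 4, 3, 5, "complex"), App("crm", 4, 3, 4, 4, "medium"),
    App("wiki", 1, 2, 1, 1, "normal"), App("hr-portal", 3, 4, 5, 5, "normal"),
    App("erp", 5, 3, 2, 4, "complex"), App("timesheet", 2, 2, 4, 2, "normal"),
    App("cafeteria", 1, 1, 1, 1, "normal"), App("vpn", 3, 5, 3, 3, "medium"),
    App("ticketing", 2, 3, 5, 2, "normal"), App("parking", 1, 2, 2, 1, "normal"),
]
```

A phase that comes out short (the last one here has only a medium and a complex application) is the "logical end" of item 9c; a weighted sum or a compliance-driven floor is a one-line change in risk_score().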
10. Assess and tighten the current state of security. Look at policies, processes, guidelines, standards, existing technology (both hardware and software), training and education. A special eye on the following policies is required:
a. User Identity Format Policy
b. Password Policy
c. Account Management Policies
d. Role Management Policies
e. Revise existing policies and develop new ones as needed. This might include an acceptable-use policy and minimal security configuration for any device on a network.
11. Get Endorsed – Have the executive security review board endorse the plans. Use point number 2 to make the justification:
a. This group should consider budget, timing and prioritization.
b. Review the technical feasibility
c. Assign, schedule, execute and discuss deliverables. Give individuals or teams clear responsibilities and time lines.
12. Change Agent – Set up a Change Management Program with this initiative and identify a Change Agent.
13. Migration Initiative – Last but not least, remember that an Identity Management initiative is also an identity mess cleanup. Identifying the sources of authoritative data and migrating them needs a thorough analysis. Start this with a data analysis (identity data) of the different applications.
14. Identity Technology Selection and Implementation –
a. Build versus Buy (Best practice – Your core competence is your own business – Health Care, Manufacturing etc. – Go with a Product Strategy)
b. In-House Implementation versus Outsourced Implementation (Best practice – Your core competence is your own business – Health Care, Manufacturing etc. – Go with an Outsourced Implementation)
GOOD LUCK and Go ahead –