© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Ant Allan
IAM Program Management and Governance: Building Firm Foundations for Future Success
Most IAM program failures are not technology related. Failure is more likely to occur because of poor governance or poor management of the overall program or individual projects. Many IAM programs lack clear priorities, goals, and decision-making processes. As a result, they will likely suffer from cost overruns, function shortfall, timeline slippages, or reputational damage.
Strategic Planning Assumptions
• Through 2016, more than 20% of enterprises will still lack formal IAM programs, and will thus experience at least 25% more in operational costs than enterprises with Level 4 (managed) maturity.
• Through 2016, no more than 30% will have achieved an IAM program maturity of Level 4 (managed) or Level 5 (optimizing).
Key Issues
1. How best can you establish an ongoing IAM program?
2. What constitutes sound formal governance processes and functions for IAM?
3. How can you ensure that the PMO and governance forums are made up of the right people?
What Does an IAM Program Encompass?
• Vision and Strategy
• Roles and Responsibilities
• Architecture
• Plan and Budget
• Identity and Entitlements Processes
• Technology Selection and Implementation
• Communications
[Diagram: activity cycle Govern, Plan, Build, Run. Govern is supported by the Steering Committee, Executive Support, Delegation of Authority and Risk Assessment. Legend: ID: Infrastructure design; P: Process definition; C: Policy and controls definition.]
The Seven Pillars of an IAM Program
[Diagram: the seven pillars Processes, Principles, Policies, Practices, People, Products, Production, shown against an axis of complexity and time to deliver.]
Too many IAM programs fail because of a misplaced focus on technology projects.
Vision — The Key to a Successful IAM Program
Vision (noun):
• The ability to think about or plan the future with imagination and wisdom
• A mental image of what the future will or could be like
Create a well-crafted vision that clearly outlines:
• Goals
• Implications
• Impacts
Articulate this in the light of your organization's:
• Business drivers
• Goals
• Pain points
• Future direction
Definition from the New Oxford American Dictionary | Image of Hubble Space Telescope from NASA and STScI
Visioneering — The Key to Creating a Successful Vision!
Gartner defines visioneering as:
• Having a vision of a future state.
• Believing in the necessity of achieving that vision.
• Being willing to take action to pursue that vision.
• Persevering through the trials and turmoil necessary to systematically accomplish that vision.
• Arriving at the desired future state and re-evaluating it.
The visioneering process:
Step 1: Developing a vision of a future state (turning criticism into aspiration).
Step 2: Believing in the vision.
Step 3: Taking action to pursue the vision.
Step 4: Persevering to accomplish the vision systematically.
Step 5: Continuous re-evaluation ("chasing the vision horizon").
A long-term commitment is essential to realizing the vision.
Absent short-term results, the program may become expendable.
Program Vision Must Be Continually Re-envisioned
[Diagram: a timeline showing the original one-year, three-year and five-year visions, followed by first-year and second-year re-visioneering.]
• First-year re-visioneering: closely aligned to the original vision, with some refinements.
• Second-year re-visioneering: in this example, some business discontinuity has meant that the longer-term vision has diverged widely. But the shorter-term vision is more closely aligned, to avoid abrupt, disruptive change to projects currently under way.
The Gartner ITScore for IAM
Maturity levels:
• Level 1: Initial
• Level 2: Developing
• Level 3: Defined
• Level 4: Managed
• Level 5: Optimizing
Characteristics shown across the five levels (the column layout of the original table is not recoverable from the extraction):
• Governance is ad hoc and informal
• Tools put in place on a piecemeal basis
• Discrete technology projects
• Responsibilities are poorly defined
• An IAM vision is defined
• Tactical priorities set based on certain business drivers
• Technology redundancy is likely
• Business value is tactical
• An IAM architecture is defined
• An IAM governance structure is defined
• The IAM PMO is established
• Key stakeholders are actively involved in the IAM program
• IAM architecture aligned with EA
• Multiyear projects are aligned with vision and strategy
• IAM performance targets are actualized
• Performance is continuously monitored
• Transformational value
• The IAM program is dynamic and adaptive to changes in business conditions
"ITScore for Identity and Access Management," G00249408, July 2013
Key Issues
1. How best can you establish an ongoing IAM program?
2. What constitutes sound formal governance processes and functions for IAM?
3. How can you ensure that the PMO and governance forums are made up of the right people?
Gartner Defines "Governance"
Governance is the process of:
• Setting decision rights and accountability, as well as establishing policies that are aligned to business objectives
• Balancing investments in accordance with policies and in support of business objectives
• Establishing measures to monitor adherence to decisions and policies
• Ensuring that processes, behaviors, and procedures are in accordance with policies and within tolerances to support decisions
Key attributes:
• Decision rights
• Business objectives
• Policies
• Procedures
• Measures
• Adherence
• Behaviors
• Investments
Putting the Governance of IAM in the Context of IT Governance ...
IT Governance: The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
• Governance is made up of processes with activities, inputs, outputs, roles, and responsibilities.
• Governance's role is identified as "ensuring" as opposed to "executing."
• The goal of governance is a business goal.
• Key performance measures are effectiveness and efficiency — and achievement of business goals.
… and of Information Security and Risk Governance
IT Governance: The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
Information Security and Risk Governance: The processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals.
• Sets and manages accountability and decision rights
• Allocates resources
• Arbitrates between conflicting security requirements and risk affinities
• Provides assurance to the executive and stakeholders that information risk is appropriately managed
The Governance of IAM Defined
Governance of IAM: The decision making that ensures that the IAM program is efficient and effective; provides reasonable and appropriate controls; and contributes to business value and desirable business outcomes.
The Gartner Information Security and Risk Governance Model
[Diagram: governance processes arranged across the phases Plan, Implement, Manage and Monitor, with process codes P1–P4, I1–I3, M4–M8 and S2.]
• Strategy elements: Program Strategy; Architecture; Budget Planning; Policy Management
• Governance processes: Develop Governance Processes; Institute Governance Forum(s); Policy Development; Accountabilities; Funding; Conflict Conciliation or Arbitration; Program/Project Oversight; Project Assessment; Value Assessment; Operational Oversight; Metrics and Measurement
The Gartner Governance Model for IAM
[Diagram: the same model applied to IAM, with processes arranged across the phases Plan, Implement, Manage and Monitor, process codes P1–P4, I1–I3, M4–M8 and S2.]
• Strategy elements: IAM Program Strategy; IAM Architecture; IAM Budget Planning; Policy Management
• Governance processes: Develop Governance Processes; Institute Governance Forum(s); Policy Development; Accountabilities; Funding; Conflict Conciliation or Arbitration; Program/Project Oversight; Project Assessment; Value Assessment; Operational Oversight; Metrics and Measurement
Additional IAM Governance Processes:
• Investment Portfolios (PPM) — I4
• Business Benefits Realization — M9
Key Issues
1. How best can you establish an ongoing IAM program?
2. What constitutes sound formal governance processes and functions for IAM?
3. How can you ensure that the PMO and governance forums are made up of the right people?
Common Governance Structures for Information Security and Risk and IAM
[Diagram: forums arranged top to bottom, with arrows labelled Authority and Assurance.]
Executive Sponsor
  Functions: Set accountability and authority
  Outcomes: Policy legitimacy and awareness; Authority of the program
High-level Council(s)
  Functions: Policy and strategy definition; Program oversight; Conciliation/arbitration; Budget allocation; Approvals and exemptions
  Outcomes: Policy and strategy; Budgets; Priorities
Mid-level Council(s)
  Functions: Project oversight; Local policy definition; Reporting
  Outcomes: Local policies; Reports
Information Security or IAM Team(s)
  Functions: Project oversight; Operations oversight; Policy compliance monitoring; Reporting
  Outcomes: Compliance certifications and exceptions; Reports
Does the Governance of IAM Require Different Forums?
• Size and culture of the enterprise
• Relative maturity of security and IAM programs
• Scale and scope of the program
• Unique skills requirements
• Most likely at team level, least likely at sponsor and high-level councils
Remember Occam's Razor! Entities must not be multiplied beyond necessity.
The Functions of the IAM Program Management Office
• A PMO facilitates the strategic coordination of all IAM activities and should be vested as an initiative under the auspices of the high-level council or steering committee.
• It sets a common vision, strategies, principles, and practices, as well as guiding the use of common management tools.
• The PMO consists of a program manager, the CSO, CISOs and "appropriate staff." If one or more IAM leaders exist, they can fill the role of the CSO or CISOs in the IAM PMO.
Participants in the Governance of IAM and IAM Program Management
It is desirable to include more staff from the lines of business and other constituencies at all levels.
Information security
Legal and compliance
Internal audit
Application development
Data center operations
Human resources
Business units
Ensuring the Participation of the Right People
Carrot:
• Enlightened self-interest
• Operational benefits; e.g., workforce productivity
• Business benefits; e.g., attract and retain customers
Stick:
• Executive mandate
• IAM charter
Recommendations
Create a well-crafted vision and articulate it in light of strategic business needs. Continuously re-evaluate this.
Establish an IAM program based around the activity cycle and the "pillars of IAM."
Establish sound formal governance processes and functions for IAM:
- This should be incorporated within information security governance frameworks, but may require discrete entities at some levels.
Ensure that the governance forums are made up of the right people.
Action Plan for IAM Leaders
Monday Morning:
- Review your existing vision and governance structures for IAM.
- Identify IAM stakeholders throughout the enterprise.
Next 90 Days:
- Create your vision for IAM based on liaison with all stakeholders.
- Seek an executive mandate for an IAM program (or for substantive IAM activities within the information security and risk program).
- Establish a new governance framework for IAM.
Next 12 Months:
- Develop your strategic and new tactical plans for IAM.
- Progress projects in your tactical plan.
- Keep your plates spinning.
Recommended Gartner Research
• "ITScore for Identity and Access Management," Ant Allan, Earl Perkins (G00249408)
• "Best Practices for Identity and Access Management Program Management and Governance," Ant Allan, Earl Perkins and Tom Scholtz (G00212791)
• "IAM Foundations, Part 1: So You've Been Handed an IAM Program ... Now What?," Perry Carpenter (G00200386)
• "IAM Foundations, Part 3: Developing Your IAM Plan," Perry Carpenter (G00205681)