
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."

Ant Allan

IAM Program Management and Governance: Building Firm Foundations for Future Success


Most IAM program failures are not technology related. Failure is more likely to occur because of poor governance or poor management of the overall program or individual projects. Many IAM programs lack clear priorities, goals, and decision-making processes. As a result, they will likely suffer from cost overruns, function shortfall, timeline slippages, or reputational damage.

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.

Strategic Planning Assumptions

Through 2016, more than 20% of enterprises will still lack formal IAM programs, and will thus experience at least 25% more in operational costs than enterprises with Level 4 (managed) maturity.

Through 2016, no more than 30% will have achieved an IAM program maturity of Level 4 (managed) or Level 5 (optimizing).

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.

Key Issues

1. How best can you establish an ongoing IAM program?

2. What constitutes sound formal governance processes and functions for IAM?

3. How can you ensure that the PMO and governance forums are made up of the right people?



What Does an IAM Program Encompass?

• Vision and Strategy

• Roles and Responsibilities

• Architecture

• Plan and Budget

• Identity and Entitlements Processes

• Technology Selection and Implementation

• Communications

[Figure: the program activity cycle (Plan, Build, Run) sits inside a Govern layer made up of the Steering Committee, Executive Support, Delegation of Authority and Risk Assessment. Markers in the figure: ID = Infrastructure design, P = Process definition, C = Policy and controls definition.]


The Seven Pillars of an IAM Program

[Figure: seven pillars plotted against an axis of complexity and time to deliver: Processes, Principles, Policies, Practices, People, Products, Production.]

Too many IAM programs fail because of a misplaced focus on technology projects.


Vision — The Key to a Successful IAM Program

Vision, noun:

• The ability to think about or plan the future with imagination and wisdom

• A mental image of what the future will or could be like

(Definition from the New Oxford American Dictionary.)

Create a well-crafted vision that clearly outlines:

• Goals

• Implications

• Impacts

Articulate this in the light of your organization's:

• Business drivers

• Goals

• Pain points

• Future direction


Visioneering — The Key to Creating a Successful Vision!

Gartner defines visioneering as:

• Having a vision of a future state.

• Believing in the necessity of achieving that vision.

• Being willing to take action to pursue that vision.

• Persevering through the trials and turmoil necessary to systematically accomplish that vision.

• Arriving at the desired future state and re-evaluating it.

The visioneering process:

Step 1: Developing a vision of a future state (turning criticism into aspiration).

Step 2: Believing in the vision.

Step 3: Taking action to pursue the vision.

Step 4: Persevering to accomplish the vision systematically.

Step 5: Continuous re-evaluation ("chasing the vision horizon").

A long-term commitment is essential to realizing the vision. Absent short-term results, the program may become expendable.


Program Vision Must Be Continually Re-envisioned

[Figure: a timeline showing the original one-year, three-year and five-year visions, with visioneering repeated at each yearly review.]

First-year re-visioneering: closely aligned to the original vision, with some refinements.

Second-year re-visioneering: in this example, some business discontinuity has meant that the longer-term vision has diverged widely, but the shorter-term vision is more closely aligned to avoid abrupt, disruptive change to projects currently under way.


The Gartner ITScore for IAM

Level 1 (Initial):

• Governance is ad hoc and informal

• Tools put in place on a piecemeal basis

• Discrete technology projects

• Responsibilities are poorly defined

Level 2 (Developing):

• An IAM vision is defined

• Tactical priorities set based on certain business drivers

• Technology redundancy is likely

• Business value is tactical

Level 3 (Defined):

• An IAM architecture is defined

• An IAM governance structure is defined

• The IAM PMO is established

• Key stakeholders are actively involved in the IAM program

Level 4 (Managed):

• Multiyear projects are aligned with vision and strategy

• IAM performance targets are actualized

• IAM architecture aligned with EA

Level 5 (Optimizing):

• Performance is continuously monitored

• Transformational value

• The IAM program is dynamic and adaptive to changes in business conditions

"ITScore for Identity and Access Management" G00249408. July 2013


Key Issue 2: What constitutes sound formal governance processes and functions for IAM?


Gartner Defines "Governance"

Governance is the process of:

• Setting decision rights and accountability, as well as establishing policies that are aligned to business objectives

• Balancing investments in accordance with policies and in support of business objectives

• Establishing measures to monitor adherence to decisions and policies

• Ensuring that processes, behaviors, and procedures are in accordance with policies and within tolerances to support decisions

Key attributes:

• Decision rights

• Business objectives

• Policies

• Procedures

• Measures

• Adherence

• Behaviors

• Investments


Putting the Governance of IAM in the Context of IT Governance ...

IT Governance: The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

• Governance is made up of processes with activities, inputs, outputs, roles, and responsibilities.

• Governance's role is identified as "ensuring" as opposed to "executing."

• The goal of governance is a business goal.

• Key performance measures are effectiveness and efficiency — and achievement of business goals.


… and of Information Security and Risk Governance

Information Security and Risk Governance: The processes that ensure that reasonable and appropriate actions are taken to protect the organization's information resources, in the most effective and efficient manner, in pursuit of its business goals.

• Sets and manages accountability and decision rights

• Allocates resources

• Arbitrates between conflicting security requirements and risk affinities

• Provides assurance to the executive and stakeholders that information risk is appropriately managed

The Governance of IAM Defined

Governance of IAM: The decision making that ensures that the IAM program is efficient and effective; provides reasonable and appropriate controls; and contributes to business value and desirable business outcomes.


The Gartner Information Security and Risk Governance Model

[Figure: governance processes arranged in four phases. Plan: Program Strategy, Architecture, Budget Planning, Policy Management Strategy. Implement: Develop Governance Processes, Institute Governance Forum(s), Policy Development. Manage: Accountabilities, Funding, Conflict Conciliation or Arbitration, Program/Project Oversight. Monitor: Project Assessment, Value Assessment, Operational Oversight, Metrics and Measurement. The original figure labels these processes P1–P4, I1–I3, M4–M8 and S2.]


The Gartner Governance Model for IAM

[Figure: the same four-phase model applied to IAM. Plan: IAM Program Strategy, IAM Architecture, IAM Budget Planning, Policy Management Strategy. Implement: Develop Governance Processes, Institute Governance Forum(s), Policy Development. Manage: Accountabilities, Funding, Conflict Conciliation or Arbitration, Program/Project Oversight. Monitor: Project Assessment, Value Assessment, Operational Oversight, Metrics and Measurement. Process labels P1–P4, I1–I3, M4–M8 and S2 are carried over from the information security and risk governance model.]

Additional IAM governance processes in this model: Investment Portfolios (PPM), labeled I4, and Business Benefits Realization, labeled M9.


Key Issue 3: How can you ensure that the PMO and governance forums are made up of the right people?

Common Governance Structures for Information Security and Risk and IAM

[Figure: four tiers of forums, each with its functions and outcomes; authority flows down the structure and assurance flows back up.]

Executive Sponsor

Functions:

• Set accountability and authority

Outcomes:

• Policy legitimacy and awareness

• Authority of the program

High-level Council(s)

Functions:

• Policy and strategy definition

• Program oversight

• Conciliation/arbitration

• Budget allocation

• Approvals and exemptions

Outcomes:

• Policy and strategy

• Budgets

• Priorities

Mid-level Council(s)

Functions:

• Project oversight

• Local policy definition

• Reporting

Outcomes:

• Local policies

• Reports

Information Security or IAM Team(s)

Functions:

• Project oversight

• Operations oversight

• Policy compliance monitoring

• Reporting

Outcomes:

• Compliance certifications and exceptions

• Reports

Does the Governance of IAM Require Different Forums?

• Size and culture of the enterprise

• Relative maturity of security and IAM programs

• Scale and scope of the program

• Unique skills requirements

• Most likely at team level, least likely at sponsor and high-level councils

Remember Occam's Razor: entities must not be multiplied beyond necessity.


The Functions of the IAM Program Management Office

• A PMO facilitates the strategic coordination of all IAM activities and should be vested as an initiative under the auspices of the high-level council or steering committee.

• It sets a common vision, strategies, principles, and practices, as well as guiding the use of common management tools.

• The PMO consists of a program manager, the CSO, CISOs and "appropriate staff." If one or more IAM leaders exist, they can fill the role of the CSO or CISOs in the IAM PMO.


Participants in the Governance of IAM and IAM Program Management

It is desirable to include more staff from the lines of business and other constituencies at all levels.

Information security

Legal and compliance

Internal audit

Application development

Data center operations

Human resources

Business units


Ensuring the Participation of the Right People

Carrot:

• Enlightened self-interest

• Operational benefits; e.g., workforce productivity

• Business benefits; e.g., attract and retain customers

Stick:

• Executive mandate

• IAM charter


Recommendations

Create a well-crafted vision and articulate it in light of strategic business needs. Continuously re-evaluate this.

Establish an IAM program based around the activity cycle and the "pillars of IAM."

Establish sound formal governance processes and functions for IAM:

- This should be incorporated within information security governance frameworks, but may require discrete entities at some levels.

Ensure that the governance forums are made up of the right people.


Action Plan for IAM Leaders

Monday Morning:

- Review your existing vision and governance structures for IAM.

- Identify IAM stakeholders throughout the enterprise.

Next 90 Days:

- Create your vision for IAM based on liaison with all stakeholders.

- Seek an executive mandate for an IAM program (or for substantive IAM activities within the information security and risk program).

- Establish a new governance framework for IAM.

Next 12 Months:

- Develop your strategic and new tactical plans for IAM.

- Progress projects in your tactical plan.

- Keep your plates spinning.


Recommended Gartner Research

ITScore for Identity and Access Management Ant Allan, Earl Perkins (G00249408)

Best Practices for Identity and Access Management Program Management and Governance Ant Allan, Earl Perkins and Tom Scholtz (G00212791)

IAM Foundations, Part 1: So You've Been Handed an IAM Program ... Now What? Perry Carpenter (G00200386)

IAM Foundations, Part 3: Developing Your IAM Plan Perry Carpenter (G00205681)

For more information, stop by Gartner Research Zone.