In the previous part of this series we discussed how to determine whether IdM (that is, access control) is needed at all and whether an IdM solution should be implemented. We identified the signs that indicate it is at least time to think about the question. What's next?
There are several things that need to be defined before getting started on the IdM topic:
- Goals and objectives. Interested parties.
- Which approaches and practices to use when introducing an employee access control system, which procedures and processes to introduce, and how to embed the necessary operations in the company's business activities.
- Which technical solutions to use (from domain policies up to full IdM products) and how to determine what functionality is needed.
- Whom to turn to for technical solutions.
- How to form and justify the budget (the most interesting and burning topic).
- How to present the project to management.
- What to consider when starting the project.
So let's go point by point.

1. Goals and objectives. Interested parties.
Suppose it has become obvious that "something needs to be done" about IdM. What exactly? Which functions to implement? Which policies to introduce and control? And what do we expect from working on this topic in general: putting processes in order, establishing control and conducting audits? Or perhaps automation is what is needed?
The first answer that comes to mind: the IdM should be the one that is actually in demand in your company.
Popular standards, bodies of knowledge and generally accepted practices, be it ITIL, COBIT, ISO/IEC 2700x and others, do their best to convey a simple truth: implement only what is appropriate for your particular company, in accordance with its mission, strategy, culture and organizational structure. The effect of each service and system being implemented on the specific business has to be taken into account, for example:
- User friendliness (in this case for internal users) and business continuity. In many cases these are inextricably related: if a bank operator can barely make a payment because of a terrible interface and ill-considered functions, how many customers will abandon the queue and go to another bank?
- The financial component (the service should not be a burden).
- System reliability (an SLA allowing no more than 1 hour of downtime per month is very much in demand for some systems).
- A sufficient, not maximal, level of information security. That is, there is no need to build a SOC in a company that sells cakes "just to try". At the same time, one should not neglect even the simplest solutions and policies in a company that holds significant and expensive information, for example a bank. Here we consider information security within the IdM paradigm.
Let me remind you: IdM means a set of measures, processes and technical means, which means that not every company needs a complex and expensive IdM product. Some need to build processes correctly, and not on paper but actually working. Processes for the sake of processes, security for the sake of security and IT for the sake of IT are not needed; they should only perform the function assigned to them, which means helping to achieve business goals.
What is the conclusion? We need to find the area where making changes will improve the lives of users and benefit the business. To understand what needs to be done, a proper study has to be conducted. The natural question is: "Where to start?"
Start with three simple questions:
- What do we want?
- Why do we want it?
- What do we need it for?
If the answers come immediately, good. It is useful to write them down, but do not think that the definition of goals and objectives is completed at this stage. The answers state only your point of view and only what came to mind at the moment of reading the questions. It is very important to learn the opinions and needs of the other participants in the process, to understand their motives for engaging in this project more clearly, and to record this information in some form.
Separately, we emphasize recording the results of the research:
- Consider in advance how you will conduct the survey and record the answers.
- Prepare questionnaires and templates to fill out.
- Create a convenient form of minutes or a table for recording the results.
If you simply talk with a large number of people, each of whom reports and asks for something of their own, sometimes unexpected, you will hardly remember who said, suggested or asked for what. Do not rely only on your own memory. Write it down, if not formally on the organization's forms, then simply in a notebook. It's worth it.
Let us proceed to the process of gathering information, on the basis of which we define the goals and objectives for the development and implementation of IdM and understand the requirements for processes, measures and technical solutions.
The first thing to do is to read the business development strategy (if one exists). Sometimes it is only a formal document, sometimes it is absent entirely. If there is no usable strategy, go to the company's managers and discuss the most urgent needs of the business, how the company is expected to develop in the near future, and whether there are any particular expectations of the IT and information security services.
It is desirable to collect such feedback on a regular basis. On the one hand, this maintains contact with the company's management, so you are not shocked by their "suddenly arisen" wishes or demands. On the other hand, the information received makes it possible to gauge satisfaction with the work of your unit and to build a truly streamlined and harmonious system that works for the good of the business.
Do not expect users to report and complain in terms familiar to a specialist. Get ready to hear about "quality" and "speed of work" (and it is often unclear how these are measured), about "cost reduction", "usability" and "simplicity", and even "make it beautiful and not irritating". Or simply: "Go and work!" You will have to make sense of everything you hear, but once contact has been made, it will be easier to understand management's wishes in the future. And, as the saying goes: "Nothing ventured, nothing gained."
The second step is communication with users, the IT and information security services, and the business units involved in the process (for example, the HR department). You need to understand what the process looks like through the user's eyes and "walk through" it with them. To build a convenient service and provide security, you need to know your users:
- Their habits (for example, accounting staff may be in the habit of calling "admin Vasya" instead of submitting a request in an incomprehensible ServiceDesk).
- Their needs (for example, access is needed urgently, deadlines are looming, an audit has arrived, and there is no time for approvals).
- Their requirements (for example, everything should be clear and transparent and done on time).
- Their difficulties (if you need to collect 10 signatures on paper to get access to the network folder where photos from the corporate party are stored, the process is obviously broken somewhere...), etc.
Every user matters here. It is worth listening to the troubles and difficulties of ordinary users, middle managers and senior managers alike.
A similar approach is useful when working with colleagues in IT and information security (whichever side you are on). It is advisable to seek advice and listen to the opinions of IT and information security specialists, both managers and those who do the work. Managers know the overall concept of the IT and information security services: who is responsible for what, what the plans for putting new systems into operation are, what the pitfalls and regulatory requirements are, and much, much more. At the same time, nobody will describe and show you the whole process better than an administrator: granting and revoking access, creating accounts, dealing with users who have forgotten their password, and with those who call technical support saying "Oh, I pressed something and everything disappeared...". They will also tell you how the forms in ServiceDesk or the electronic document management system (SED) slow down their work, and much more of interest.
The third step is to work with the interested business units.
Those most often interested in restoring order to access control are:
- The HR department. What matters here: quickly setting up a workplace for new employees, blocking access for dismissed ones, responding properly to leave, etc. (We will talk about the processes in the following articles.)
- Units with many employees who need to get to work quickly (for example: tellers, call center staff, cashiers, etc.).
- Units working with sensitive information, access to which should be issued according to strict rules and constantly monitored.
It is useful to talk with the head of each unit (starting from the top of the hierarchy and going down its levels). Believe me, you will learn a lot that is new and unexpected. For example: some employees may be without access for a week or two because their immediate supervisor is on leave (or sick) and cannot sign the form, so the employees who have lost access work under the still-unblocked account of an already dismissed specialist... (This is a real scenario.)
In addition, remember the units that involve third-party specialists in their systems (most often IT, but business units can operate in similar scenarios): employees of partner companies, employees of third-party contractors (outsourcing, integrators, software developers, technical support, etc.). A dialogue needs to be built with them too, to understand how they work and what access is provided, to whom and how.
The fourth step brings us closer to the finish line: analysis of the information collected.
If at this point you are still full of determination and ready to accomplish things, then continue.
The collected and recorded information (I repeat: be sure to write down and document everything, this will make your life much easier!) needs to be reviewed and analyzed, and the main problems and suggestions identified need to be formulated.
Try to capture the goals, objectives, involvement in the process and benefits of each of the parties to the work on the IdM topic.
What could the goals and objectives be? I will give some examples here; they should be taken not as dogma but as a direction for reflection:
Goal: implementation of access control for all company employees.
Some tasks:
- obtaining up-to-date information on all employee accounts and access rights in each of the information systems,
- receiving reports containing the information needed to compare the access rights of employees across information systems.
Goal: development and introduction of a new procedure for granting partner company A access rights to systems A and B.
Some tasks:
- design and approval of the new procedure,
- training of stakeholders and users,
- putting the new procedure into use.
Goal: making changes to domain policies to ensure compliance with the requirements of the corporate security standard.
Some tasks:
- detection and elimination of non-compliances with the corporate standard,
- development and implementation of a mechanism for controlling the compliance of domain policies with the corporate standard.
Goal: automation of the procedure for creating accounts in the company's information systems.
Goal: introduction of a procedure for approving granted access rights.
Goal: development and commissioning of an IdM solution based on existing access control procedures.
When working with access control, a goal need not be global. It is better to move toward the desired state gradually: if the defined goals seem unattainable, the plan is not detailed enough, or the time and resources for the project have not been estimated properly. What is valuable is that the goal is "alive", i.e. actually in demand in your company.
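The first goal above (up-to-date information on accounts and rights, plus reports for comparing them) is the one place in this list that can be turned into a concrete, repeatable check straight away, even before any IdM product is bought. The following is an added example, not code from the original article: an access reconciliation report that compares an HR roster with account exports from target systems. It flags the exact situation described earlier (an enabled account whose owner is already dismissed), accounts with no HR owner at all, accounts nobody has logged into for a long time, and, as a simple "compare the rights of employees" report, rights that only one person in a role holds. The HR records, system names, account fields and sample data are all constructed for the example; in practice they would come from the HR system and the target systems' exports.

```python
"""Access reconciliation report: HR roster vs. accounts in target systems.

Added example, not from the original article. HR records, systems, account
fields and dates below are constructed test data (assumed HR vocabulary:
status is "active", "leave" or "dismissed").
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    role: str
    status: str  # "active", "leave" or "dismissed"


@dataclass(frozen=True)
class Account:
    system: str
    login: str
    owner: Optional[str]  # emp_id from HR, None when nobody is recorded as owner
    enabled: bool
    rights: FrozenSet[str]
    last_login: Optional[date]


# Constructed sample data: one dismissed teller whose account is still enabled,
# one dormant accountant, one service account with no HR owner.
HR = [
    Employee("E001", "Anna Ivanova", "teller", "active"),
    Employee("E002", "Boris Petrov", "teller", "active"),
    Employee("E003", "Viktor Sidorov", "teller", "dismissed"),
    Employee("E004", "Galina Smirnova", "accountant", "active"),
]
ACCOUNTS = [
    Account("CoreBanking", "aivanova", "E001", True, frozenset({"payments.create", "payments.view"}), date(2019, 3, 1)),
    Account("CoreBanking", "bpetrov", "E002", True, frozenset({"payments.create", "payments.view", "payments.approve"}), date(2019, 3, 2)),
    Account("CoreBanking", "vsidorov", "E003", True, frozenset({"payments.create", "payments.view"}), date(2019, 2, 28)),
    Account("CoreBanking", "gsmirnova", "E004", True, frozenset({"ledger.view"}), date(2018, 11, 1)),
    Account("FileServer", "svc_backup", None, True, frozenset({"share.all"}), None),
    Account("FileServer", "vsidorov", "E003", False, frozenset({"share.hr"}), None),
]
TODAY = date(2019, 3, 5)  # assumed report date for the sample data


def reconcile(hr, accounts, today, dormant_days=60):
    """Return (finding, system, login, detail) tuples for enabled accounts that
    should not be enabled as they are: ORPHAN (owner dismissed), UNMAPPED
    (no HR owner) or DORMANT (no login within dormant_days)."""
    by_id = {e.emp_id: e for e in hr}
    findings = []
    for acc in accounts:
        if not acc.enabled:
            continue  # a disabled account is not an access risk for this report
        owner = by_id.get(acc.owner) if acc.owner else None
        if owner is None:
            findings.append(("UNMAPPED", acc.system, acc.login, "no HR record for owner"))
            continue
        if owner.status == "dismissed":
            findings.append(("ORPHAN", acc.system, acc.login, f"owner {owner.emp_id} dismissed"))
        if acc.last_login is None or (today - acc.last_login).days > dormant_days:
            findings.append(("DORMANT", acc.system, acc.login, f"no login in {dormant_days} days"))
    return findings


def rights_outliers(hr, accounts):
    """Compare the rights of employees in the same role and system. A right held
    by exactly one person in a group of two or more peers is reported as an
    outlier for a human reviewer: it may be legitimate, but it is the first
    thing to ask about. Dismissed owners and disabled accounts are left out."""
    by_id = {e.emp_id: e for e in hr}
    groups = defaultdict(dict)  # (system, role) -> {emp_id: set of rights}
    for acc in accounts:
        owner = by_id.get(acc.owner) if acc.owner else None
        if not acc.enabled or owner is None or owner.status == "dismissed":
            continue
        groups[(acc.system, owner.role)].setdefault(owner.emp_id, set()).update(acc.rights)
    outliers = []
    for (system, role), members in sorted(groups.items()):
        if len(members) < 2:
            continue  # nobody to compare against
        holders = defaultdict(list)
        for emp_id, rights in members.items():
            for right in rights:
                holders[right].append(emp_id)
        for right, emps in sorted(holders.items()):
            if len(emps) == 1:
                outliers.append((system, role, emps[0], right))
    return outliers


if __name__ == "__main__":
    for row in reconcile(HR, ACCOUNTS, TODAY):
        print("\t".join(row))
    for row in rights_outliers(HR, ACCOUNTS):
        print("OUTLIER\t" + "\t".join(row))
```

Run as a script it prints one line per finding. The useful part is not the script itself but what feeding it real exports forces you to establish: a reliable mapping from every account to an HR identity, an agreed meaning for "dismissed" and "on leave", and an owner for every service account. Those are exactly the process questions the interviews above are meant to surface, and the report gives the interested business units something concrete to react to.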
If there is an opportunity, it is worth presenting the results of your research to the group that will potentially deal with IdM.
Why "potentially"? Because at this stage the company's top management has not yet decided that this topic needs to be addressed. If you bring the idea of implementation straight to top management, you may find that some key managers or employees argue that "everything is fine", because they do not want to take part in an IdM implementation project ("Oh come on... We'd have to do something, get used to the changes... Now, if everything would magically transform itself!"). As a result, such characters will at best do nothing and at worst sabotage your good undertaking, openly or covertly.
What is the way out of this situation? Enlist support. It is important to understand who is interested in the project and to discuss with them the potential benefits of implementation, as well as the options and conditions for their participation. But a conversation in the "Let's introduce IdM!" style alone will not help. Before you go to each potential project participant and ally, prepare arguments that convey exactly how IdM implementation (i.e. access control processes and procedures and the technical solutions accompanying them) will make life easier for the person you are talking to.
It is useful to show the benefits of introducing IdM and, most importantly, to describe the degree of involvement and the role of each participant. Uncertainty scares most people. Do not deliberately diminish or exaggerate the importance, role or work of any participant. It is useful to warn them what will change and how. This is how all parties are prepared to take part in the project.
UPD. Read on: