Why Identity Management Projects Fail
Identity and Access Management pitfalls to avoid:
Taking from different experiences, these challenges came at various stages of Identity Management projects. The key to avoiding these are consensus, communication, ownership, and commitment.
-Lack of Key Stakeholder and Executive Sponsorship involvement.
-Don’t reduce risk through reducing scope - Steady, measured, low-risk progress over two years is better than high-risk initiatives over 6 months
-Ownership of the issues
-The strategy is everyone’s job.
-Failure to address political issues immediately when they arise.
-Lack of consensus, support, ownership, and commitment within the organization.
-Don’t set unachievable expectations.
-Understand that there is a point of diminishing return.
-Failure to estimate cost of ongoing service to include support and maintenance.
-Return on investment should not be measured on the entire investment.
-Don’t try to win all at once.
-Failure to set measurable, achievable goals for quick wins
-Lack of education within the organization about the strategic importance of the solution.
-Lack of definition of what a role is and how to manage it.
-Failure to carefully assess the readiness of the organization.
-Don’t reduce cost through reducing business workflow analysis.
-Don’t look at Identity and Access Management as an IT type of project.
-Clearly define and document the responsibilities and commitments of the different business units within the organization.
-Don’t expect to operate IAM without organizational changes.
-Don’t expect to operate IAM without reengineering some business process.
-Don’t exclude any organizational stakeholder or conflicting agendas.
-Wanting a “quick fix” - Very tempting to desire a fast technical solution to solve control ailments (Example: “SOX in a box”)
-Understand technology can’t fix broken processes
-Overstated claims or assertions to elevate ones objective to project sponsors
-Improper evaluation of vendor features and legitimacy
-If the current manual process isn’t adequate, simply automating it will not help
-Creating electronic versions of paper forms that don’t require sign-off
-Aggregation must be considered: 10 customer records, or 10 million?
-Failing to measure properly - some things are difficult to measure
-In the case of audit, the metrics must indicate the effectiveness of control operation
-Misleading dashboards: Does a green light really mean that all is well and there are no issues. Red light does not tell you where the problem is.
-Auditors don’t look at dashboards, but underlying evidence
-Lack of documented procedures for provisioning, access controls and/or their processes
-Understanding compliance issues are process issues first
-Lack of clear define for business, technical, and functional requirements
-Define your architecture
-Invest in technology purchases – pay for support and maintenance
-Carefully leverage SOX and other compliance activities and knowledge to your advantage
-Agreed upon ID creation process and standards to include global unique identification
-Failure to build identical test/production structure and data content
-Provisioning connector challenges with custom developed systems
-No single technology can address Identity and Access Management
-If the current manual process isn’t adequate, simply automating it will not help. -nor will adding technology for its own sake. (e.g. Biometric sensor on a glass door)
-Obtaining accurate people data – data cleansing project
-Lack of data mapping requirements via provisioning connectors to other systems
-Conflicting or competing technologies.
Taking from different experiences, these challenges came at various stages of Identity Management projects. The key to avoiding these are consensus, communication, ownership, and commitment.
-Lack of Key Stakeholder and Executive Sponsorship involvement.
-Don’t reduce risk through reducing scope - Steady, measured, low-risk progress over two years is better than high-risk initiatives over 6 months
-Ownership of the issues
-The strategy is everyone’s job.
-Failure to address political issues immediately when they arise.
-Lack of consensus, support, ownership, and commitment within the organization.
-Don’t set unachievable expectations.
-Understand that there is a point of diminishing return.
-Failure to estimate cost of ongoing service to include support and maintenance.
-Return on investment should not be measured on the entire investment.
-Don’t try to win all at once.
-Failure to set measurable, achievable goals for quick wins
-Lack of education within the organization about the strategic importance of the solution.
-Lack of definition of what a role is and how to manage it.
-Failure to carefully assess the readiness of the organization.
-Don’t reduce cost through reducing business workflow analysis.
-Don’t look at Identity and Access Management as an IT type of project.
-Clearly define and document the responsibilities and commitments of the different business units within the organization.
-Don’t expect to operate IAM without organizational changes.
-Don’t expect to operate IAM without reengineering some business process.
-Don’t exclude any organizational stakeholder or conflicting agendas.
-Wanting a “quick fix” - Very tempting to desire a fast technical solution to solve control ailments (Example: “SOX in a box”)
-Understand technology can’t fix broken processes
-Overstated claims or assertions to elevate ones objective to project sponsors
-Improper evaluation of vendor features and legitimacy
-If the current manual process isn’t adequate, simply automating it will not help
-Creating electronic versions of paper forms that don’t require sign-off
-Aggregation must be considered: 10 customer records, or 10 million?
-Failing to measure properly - some things are difficult to measure
-In the case of audit, the metrics must indicate the effectiveness of control operation
-Misleading dashboards: Does a green light really mean that all is well and there are no issues. Red light does not tell you where the problem is.
-Auditors don’t look at dashboards, but underlying evidence
-Lack of documented procedures for provisioning, access controls and/or their processes
-Understanding compliance issues are process issues first
-Lack of clear define for business, technical, and functional requirements
-Define your architecture
-Invest in technology purchases – pay for support and maintenance
-Carefully leverage SOX and other compliance activities and knowledge to your advantage
-Agreed upon ID creation process and standards to include global unique identification
-Failure to build identical test/production structure and data content
-Provisioning connector challenges with custom developed systems
-No single technology can address Identity and Access Management
-If the current manual process isn’t adequate, simply automating it will not help. -nor will adding technology for its own sake. (e.g. Biometric sensor on a glass door)
-Obtaining accurate people data – data cleansing project
-Lack of data mapping requirements via provisioning connectors to other systems
-Conflicting or competing technologies.
posted by Matt Graves at 8:21 AM
0 comments
