Identity & Access Management Case Study & Lessons Learned. Prepared by Tariq Jan





Investment Bank Case Study
Top 5 leading global financial services firm
$116 billion in revenue
$2 trillion in assets
220k+ employees operating in 60 countries

Case Study

Client Profile:
- Top 5 leading global financial services firm
- $116 billion in revenue
- $2 trillion in assets
- 220k+ employees operating in 60 countries

Problem Statement / Key Pain Points:
- Failed provisioning, leavers and transfers processes and tools
- Ongoing exposure to audit deficiencies
- Heavy reliance on inconsistent, ad-hoc and manual processes and multiple homegrown tools
- Cost of maintaining a compliant environment: lines of business within the firm proceeding down different paths and making their own investments in certification tools, processes and support teams
- Inability to enforce preventive controls
- No control or visibility over privileged users; orphan or rogue accounts
- Huge gaps between business and IT groups, leading to an inconsistent and disjointed business user experience

Case Study

Approach:
- Engagement of key stakeholders within the firm
- Requirements agreed for a 3 year strategy and roadmap
- 9 month firm-wide proof of concept to evaluate internal and external tools
- Buy vs. build analysis to select the strategic tool
- Offshore team established to support product implementation and operate tasks

Implementation / Achievements:
- Loaded user data for 220k+ users (employees and contractors)
- Aggregated user entitlements by building feeds to 60% of the application estate
- 400 application instances (1,200 data sources) with corresponding infrastructure (DB, platform) certified
- Over 104k deletes raised for inappropriate access within 9 months
- 40% reduction in user support calls due to a friendly user interface and ease of certification
- 60% reduction in operational cost and a 150% increase in the number of applications certified
- Internal and external audit approval of process and implementation
- RBAC rollout for M&A applications
- Automating and consolidating compliance controls, including access recertification and SoD
- Policy enforcement and risk management using policy violations and rules

Lessons Learned - What went well

Project Sponsorship:
- Engagement of a steering committee and working group consisting of LOB, Audit and other key stakeholders across the firm.

Proof of Concept and Tool Selection:
- Requirements evaluated against a 3 year roadmap and strategy.

Governance:
- Internal Audit team engaged during the POC, and governance audit on program delivery.
- Sign-off from audit prior to go-live and at the end of each recertification cycle.
- Weekly status reports to AD teams on the on-boarding status of applications.
- Real-time dashboards / reports to LOB / Audit on certification status.
- 100% close-out on each certification cycle.

Program team / Vendor relationship:
- "1 team, 1 goal" mentality from internal and external resources.
- Vendors helpful and flexible in accommodating last-minute changes and customization requests, and in providing support for infrastructure set-up.

Pilots:
- 5 pilots to ensure all process-related, customization, reporting and dashboard bugs and issues were captured and resolved prior to go-live.

Lessons Learned - What went well

Clean-Up:
- Substantial number of deletes identified as part of the recertification cycle.

Application change management:
- Created a tracker on the status of all incoming feeds to identify breaks and communicate them to the appropriate parties.

Process / Cert experience:
- Well-defined, robust and scalable process for on-boarding, testing and roll-out to production.
- Data presented at entitlement level with clear English descriptions.
- SoD / policy violations identified upfront as part of the cert cycle.

Knowledge Gain:
- Knowledge transfer during program roll-out allowed the internal team to take on responsibility for all activities from a build, test and operate perspective.

Schedule & Delivery:
- Exceeded LOB expectations by delivering 20% more applications than forecast, within timelines and allocated budget.
- Reduction in calls to the support team during cert cycles.
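The recertification controls the case study describes (entitlement aggregation, orphan and leaver clean-up, SoD violations flagged upfront) together with the feed tracker under Application change management, shown as one added Python example that is not part of the case study or its tooling; the HR feed, application feeds, account names and SoD rule are all constructed.

```python
"""Added example (not from the case study): aggregate constructed application
entitlement feeds against an HR identity feed, then flag the conditions the
programme recertified: orphan accounts, leavers with live access, SoD policy
violations, and feeds that have stopped arriving. All data here is made up."""
from collections import defaultdict
from datetime import date

# Constructed HR feed: user id -> employment status.
HR = {"u100": "active", "u101": "active", "u102": "leaver"}

# Constructed per-application feeds: delivery date plus (account, entitlement)
# rows. "svc_batch" has no HR record, so it is an orphan account.
FEEDS = {
    "payments": {"as_of": "2015-03-01",
                 "rows": [("u100", "PAY_INITIATE"), ("u100", "PAY_APPROVE"),
                          ("u102", "PAY_VIEW")]},
    "ledger":   {"as_of": "2015-01-15",
                 "rows": [("u101", "GL_POST"), ("svc_batch", "GL_ADMIN")]},
}

# Constructed SoD rule: one user must not hold both entitlements.
SOD_RULES = [("PAY_INITIATE", "PAY_APPROVE")]

def aggregate(feeds):
    """User-centric view: account -> set of 'app:entitlement' strings."""
    ent = defaultdict(set)
    for app, feed in feeds.items():
        for acct, e in feed["rows"]:
            ent[acct].add(f"{app}:{e}")
    return ent

def stale_feeds(feeds, today_iso, max_age_days=30):
    """Feed-break tracker: apps whose last delivery is older than the window."""
    today = date.fromisoformat(today_iso)
    return sorted(app for app, f in feeds.items()
                  if (today - date.fromisoformat(f["as_of"])).days > max_age_days)

def review(feeds, hr, sod_rules):
    """Return (proposed deletes, SoD violations) for one certification cycle."""
    deletes, violations = [], []
    for acct, ents in sorted(aggregate(feeds).items()):
        status = hr.get(acct)
        if status is None or status == "leaver":          # orphan or leaver
            reason = "orphan" if status is None else "leaver"
            deletes.extend((acct, e, reason) for e in sorted(ents))
        names = {e.split(":", 1)[1] for e in ents}        # drop the app prefix
        for a, b in sod_rules:
            if a in names and b in names:
                violations.append((acct, a, b))
    return deletes, violations
```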

Lessons Learned - What didn't go well

External factors:
- Reduction in project funding due to the financial crisis led to a freeze on headcount hire.
- Internal resources utilized did not have the appropriate skill set.
- Due to the merger, priorities for AD and other teams changed, leading to delays in turning around program requests.

Application & Environment complexities:
- Underestimated the complexity of applications, internal infrastructure support processes and AD build team effort.
- Adding the DB and OS layers within the cert added further dependencies and complexity to the overall program.

Infrastructure set-up:
- Time taken to install and set up infrastructure to meet program and tool requirements.

Removal of inappropriate access:
- Huge dependency on provisioning teams to remove inappropriate access within the required window of time and with the required accuracy.
- Required the program team to very closely manage and track the status of deletes through the end-to-end process.

Scope Management:
- Applications prioritized for on-boarding constantly changing because AD teams could not supply information on time; on-boarded applications decommissioned without notice; new merger applications added with RBAC complexities; LOB-driven last-minute inclusions.

Lessons Learned - What I would do differently

Project Resourcing:
- Ensure resources with the appropriate skill set and experience are assigned to deliver the program.

Infrastructure Sizing:
- Ensure infrastructure is sized upfront to accommodate a minimum of 12 months of requirements, and performance tested with all reports / dashboards / cert loads prior to go-live.
- Identify all external factors and internal dependencies: outsourced IT, hardware delivery or internal processes that may delay roll-out.
- Work more actively with infra support teams to ensure timely availability of infra requirements and support.

Scope / Escalation:
- Keep scope contained and push back if required to ensure the success of the program.
- Ensure you have a contingency of applications in the pipeline.
- Reduce the number of reports / custom requests in the initial stages of the program.
- Reach out to senior management sooner regarding concerns with late or missing responses from stakeholders.

Lessons Learned - What I would do differently

AD Commitment & Engagement:
- Considering the complexity and dependencies involved in this space, full engagement of AD teams with a committed completion date would be a great benefit.
- Maintain a better application inventory by ensuring AD teams provide an accurate and accountable status of applications to be on-boarded.

Funding:
- Continuous program of work and funding. This is not a one-off program with a start and stop date. It requires funding and commitment from senior stakeholders, and we need to ensure our steering committee members have the support to maintain the momentum of the program throughout delivery against the roadmap / strategy.

Other:
- Centralise the security admin team and increase accountability and reporting to key stakeholders.
- Ensure provisioning and movers & leavers programs of work are governed by 1 program office.
- Move towards a user-centric view from an app-centric view as part of the roadmap.
- Allow more time in the schedule to test patches / bug fixes.