Methodology

Typical Project Methodology

Step 1 -Project Initiation

The initial activity is to establish the project schedule and complete the project planning activity.  This will involve determination of the stakeholders and agreement on the detailed scope of the overall project.  A Working Group of staff who will work on the project team is formed and a Steering Group of management personnel is then formed.  A communications mechanism for the project will be established, such as a project wiki and a series of formal documented minutes.

Step 2 -Identity & Access Management Briefing 

Depending on the scope of the project, ICA conducts an initial education workshop with stakeholders that will focus on the current status of the identity & access management sector.  It will review opportunities in the market and instruct on how to build a business case to support identity & access management facilities within the organisation.  The latest trends and developments including federation, provisioning, role & entitlement management, virtual & meta directories as well as the current development in entitlement management will be addressed; the Working Group plus selected key personnel should attend this session. In some circumstances, this session can be repeated for wider access groups.

Step 3 -Environmental Scan & Research

This stage will capture the current state of the identity and access management environment within the organisation.  The existing IAM environment will be documented as a starting point for the Roadmap. The environmental scan will identify the main identity management repositories used in throughout the organisation. How they are used, what information is stored, who owns the authoritative data sources, who has responsibility for keeping the data up to date within them,  and who can authorise identity deletion.  The governance check and balances are also addressed with a review of the identity attestation & governance being carried out within the organisation.

The scan will be based on direction from IT Services and contacts within the departments.  A review of pertinent documentation provided to the Consulting team will also be conducted. As part of this activity, a review of access management tools currently used by the organisation will be undertaken with comment on options regarding their use in future identity management initiatives.

Key Person Interviews

Key persons will be interviewed to understand their use of identity information and current processes used to provision identity stores and resolve inconsistencies.  Representatives from the key departments and agencies that create or consume Identity data will be included in the interview schedule.

The main identity stores in the organisation and their schemas will be identified.  The attributes that comprise the identity stores or directories and ownership of the main attributes will be identified and documented.  Representatives from HR and various Administration Services departments will assist in the identification of the major provisioning processes for staff and contractors and representatives from IT Services will assist in the documentation of security processes, access control and authentication requirements.   A Facilities & Services representative will assist in the identification of the processes required in provisioning building and security services.

A representative from Administration will advise on access control requirements for HR and legal services as well as audit and reporting services.  Telephone interface requirements will also be determined.   The department responsible for Audit will also be interviewed.

In general ICA expects to undertake up to 20 key person interviews.  In some cases these are conducted via teleconference link for distributed organisation premises, or on site.

All meetings minutes are recorded using a standardised interview process and a central project register maintained identifying areas for further study.

Workshops

Some initial workshop sessions are then be convened depending on the size of the organisation.  At each session, we discuss and map on an electronic whiteboard or “butchers paper” in a war room process, the steps for provisioning and de-provisioning people and other identity data across the enterprise.

The key output from these workshops is IDEF0 charts used to show data flow, system control, and the functional flow of Identity & Access Management lifecycle processes for all provisioning and de-provisioning processes, plus any Role Management, Identity Attestation and Governance processes.

Reporting

The output of Step 3 is a document known as the environmental scan report which is an inventory of the main repositories of identity management information and their provisioning mechanisms, synchronisation processes used in the organisations are also documented.  A role Audit using an automated Role discovery tool may be conducted to identify roles defined in various applications and clearly indicating the core IAM environment that will be addressed in the Roadmap.  This will complete the description of the “as is” situation.

At this stage a summary report will also be prepared for the Intranet project wiki to ensure that all staff feel involved in the on-going project.

 A meeting with the project sponsor will then occur before proceeding to the next stage.

Step 4 -Strawman Model Workshops

Stage 4 will workshop the existing flow processes for provisioning and de-provisioning and any other key findings from Stage3 (the environmental scan process ) by using the IDEF0 charts and documents prepared which document the identity management provisioning and data usage within the organisation and will report on their adequacy (or otherwise) to meet the organisation’s requirements.  The process maps will be used to understand the current processes and to indicate where redundant loops can be eliminated and where excessive waiting times can be reduced.  This activity will also identify areas in which cross-organisation cooperation can be achieved and specific deficiencies in the current IAM environment that are causing excessive administrative involvement.

Step 5 - Roadmap Development

The final stage is to develop and document the Roadmap.  This will be a multi-part document that indicates the current level of maturity within the organisation’s identity management environment mapping a path from the “as is” state, documented in Stage 2 and the desired “to be” state identified in Stage 3. 

This final stage will also advise on an appropriate suite of products to meet the organisation required IAM architecture taking into account any existing supplier strategies.  Each component of the desired environment will be addressed.