The ability to control access to networks, applications and data is central to security, compliance and risk management. Regulatory pressure requires organizations to protect the integrity, privacy and security of critical information, including customer data and corporate records. Any company that fails to meet generic privacy and governance regulations such as Sarbanes Oxley, HIPAA, Gramm Leach Bliley and any industry specific privacy mandates such as the PCI (Payment Card Industry) standard that might apply faces fines, loss of customer and shareholder confidence and even criminal prosecution. So it comes as little surprise to find out that interest in Identity Management (IDM) technologies has increased significantly.
Identity management encompasses a wide variety of business processes and technologies, such that organizations rarely attempt to tackle the whole problem at once. User provisioning is a critical piece of the IDM puzzle and is usually the first component to be deployed. Broadly speaking, user provisioning encompasses the systems by which organizations can securely and efficiently add, create, and delete users from its systems; provision resources; and in some cases enable users to self-manage there accounts, profiles and entitlements. In deploying such a system, the CIO is presented with many decision points that can have a significant impact on implementation outcomes. Here are the Seven Habits of CIOs who have successfully implemented IDM:
Habit #1 – Classify your enterprise data
Enterprise data contains many secrets worthy of protection but plenty that doesn’t; necessitating a structured approach for classifying data, assessing risks and determining a plan for securing it. In most cases the process of assessing risk comes down to understanding the probability of occurrence, and forecasting the impact of a breech in the event the threat materializes.
The protection of critical data calls for strong controls while non-critical data requires less protection. Controls come in the form of access entitlements within applications, the workflow processes for granting and approving those entitlements, strong audit processes, and the protection of the data itself through the use of encryption. Classifying and prioritizing enterprise data will determine the importance and level of investment required and will assist in determining where IDM efforts should be initially focused.
Habit #2 - Take a phased approach to implementation