My experience with formal technology planning spans over 20 years. As an external consultant, I have the advantage of being objective, and can offer fresh insights as inputs to planning and strategy development. However, as an outsider, coming into an organization to perform planning can be difficult because I often lack an understanding of the infrastructure, software and procedures in place.
As a result, the planning methodologies I have used have always included an assessment phase — a set of tasks in the project that is primarily concerned with collecting information about the environment. This has worked well when doing large project planning, IT strategy work and program development.
Assessments are also a vital part of Code Technology’s work in identity management. An IAM Assessment can be delivered on its own, or as part of an identity strategy project. The approach we have formulated for IAM Assessments is a little different from generic IT information gathering. Identity management assessments need to be structured to address the key components that impact IAM design and delivery.
If you’ve followed this blog for any length of time, you’ll know that I regularly reference the Pan-Canadian Identity Management and Authentication (IdM&A) Framework. This framework has provided an excellent structure for assessment and strategy development work.
My approach, then, is to leverage the framework in the development of an IAM assessment. Without the structure and completeness of this framework it would be difficult to ensure everything was covered.
The heart of the assessment is information gathering: infrastructure, applications, identity stores, policies, processes, etc. Analysis of the environment is then performed using the seven Pan-Canadian IdM&A components:
- Legal – Under what legal agreements and legislation does the organization operate?
- Privacy – How well does the environment match to privacy obligations?
- Security – Does the current environment meet or exceed information security standards?
- Trust – What trust arrangements (if any) exist between federated organizations?
- Assurance – What processes and technology exist to ensure information assets are protected to the appropriate level of assurance?
- Identity – How are identities organized and managed? What identity attributes are stored and utilized?
- Service Management – How robust and flexible is the current environment? How will it need to be supported?