2. What are the business drivers for better Identity Management?
• Process efficiency
– cost-savings on duplicated processes and systems
• Good information governance
– knowing who has access to what!
• Joined-up learning environments
– with library resources, research data,…
• National standards (UK Access federation)
• International standards (parallel education federations now in most developed countries)
3. Who is the IdM Toolkit for?
Answer A:
• University & college ICT directors, CIOs etc
– …who would go to jail for really bad IdM
– …or at least have to explain to someone why they’ve been kicked out of the UK federation
Answer B:
• Their staff who are either:
– Already quite good at the technicalities – but could do with some guidance on what’s expected; OR
– Suddenly tasked with becoming the local expert in IdM – and a bit scared
4. What’s in the Toolkit? [1]
• Introduction to Identity Management
– Defines basic terms and concepts of Identity Management used or assumed elsewhere. Should be read by anyone using the Toolkit.
• Identity Management governance and policies
– Describes the roles, structures and policies required for Identity Management and how they relate to Identity Management systems and processes. Useful for Chief Information Officers or Directors responsible for IT, and staff who need to draft or apply institutional policies.
• Identity Management systems, components and functions
– The technical components and functions of Identity Management systems in an academic institution. Good background reading for IT service managers and staff, and anyone discussing Identity Management with potential system suppliers.
• Defining institutional requirements
– Functional requirements for each component of an Identity Management system, which may be useful in defining the objectives of an in-house implementation project or in detailed specifications to suppliers.
• Discovering and Auditing current institutional Identity Management
– A detailed guide to finding out the state of Identity Management in an institution with a comprehensive audit (based on work of the JISC Identity Project which developed and tested IdM audits in several universities).
5. What’s in the Toolkit? [2]
• Gap analysis
– Explains how to establish the current and desired states of affairs for Identity Management, gives a list of common gaps in FHE institutions, and suggests ways for developing a strategy.
• Institutional Roadmap
– Producing an overall roadmap or programme plan. Prioritising major deliverables and milestones by achievability, cost and institutional impact.
• Designing and Managing an Identity Management project
– Project management issues particular to implementing Identity Management, including key institutional benefits of improved Identity Management for use in an institutional business case.
• Selecting supplier solutions
– Where commercial procurement of systems or components is required, this section aims to help understand the IdM system solutions available, produce procurement criteria, and construct tender documents.
6. Other useful things you’ll find at the bottom of the toolbox
• Identity Management Glossary
• Providing network access for 'walk-in' users
• Identity Management Policy checklist
• Measuring user security behaviour
– How to run the “Passwords for Chocolate” test on your campus
7. Auditing Identity Management in a university or college
• What is meant by an IdM audit
• How to propose an IdM audit to senior management
• Project-managing an audit
• Finding the Identity Managers
• Finding out how IdM is done
• Analysing the information collected
• Presenting the results of an IdM audit
8. What's an IdM audit, and why do one?
What: An IdM audit is a comprehensive detailed study of an organisation's identity management systems and procedures. The aim is to find out how identity management is carried out, even if some of the practitioners do not realise they are identity managers.
Why: Know where you are (many institutions probably don't), before deciding which direction you need to go!
Limitations: Not quantitative in the same way as a financial audit. May decide to outscope paper-based processes
9. Making the business case for an IdM audit
• To be useful an IdM audit can be a substantial job, needing project management and proper justification
• The IdM Toolkit includes an outline business case template based on the OGC recommended structure
10. Managing an IdM audit as a project
Who should be involved
Senior staff (project board)
Key Researcher
Preparation
KR knowledge gaps – technical or organisational?
Project planning
12. Stage 1 checklist
• a member of senior management backing the audit
• a board that will oversee the project and are agreed on scope, aims and methods
• a key researcher who is freed-up from other work; and familiar (enough) with the technicalities of IdM and the peculiarities of the institution
• a timetable and project plan
• a plan for the organisation of material collected by the audit
13. Discovering where IdM goes on, and who does it
• 'Obvious' processes
• Local knowledge (starting with the project board)
• Good internal publicity
• Gathering documentation
14. Stage 2 checklist
• A long list of contacts (suspects?)
• A catalogue of documentation (found so far)
15. Investigating IdM processes
• Prioritising contacts
• Arranging interviews
• (more) Internal PR
• Capturing information from interviews
• Template interview questions from the IdM Toolkit
• Organising and storing interview material
16. Stage 3 checklist
• a short list of further contacts for interview
• a collection of interview recordings and transcripts/notes
17. Analysing and presenting findings
Executive summary
Methodology
Context: general description of the organisation
How identity information is managed
Integration of IdM systems and processes
Security and access control
Legal compliance and governance of IdM
Conclusions and recommendations
18. Where to get it:
www.Identity-Project.org
How to contact us:
JISC-IDENTITY-MANAGEMENT@JISCmail.ac.uk