It is becoming increasingly important that organisations constantly manage and control employee access to information and systems within the organisation.
Philip Yazbek, industrial psychologist from consulting firm Bizmod, says that the responsibility of governing and protecting information and data lies with the organisation, and as such an identity access management and governance (IAMG) protocol needs to be in place.
An IAMG project should not be underestimated; it is time-consuming and complicated, warns Yazbek. “I strongly recommend creating a dedicated project team, as internal access management teams rarely have the capacity and expertise to manage an IAMG project on their own.”
Yazbek outlines five points to consider when addressing an IAMG project:
* Structure the project around identity, physical and system access – this includes system roles, segregation of duties and revoking excess access. The COBIT 5 methodology and ISO 9001 standards should form the basis for governance and set the standard against which the project can be measured. This calls for a holistic approach that includes assessing data, processes, technology and, most importantly, employees.
* Implement a data clean-up – before implementing a technology solution, a data clean-up is required. Declutter the system roles and prioritise access against roles. System roles need to be aligned to business roles, with an understanding of the entitlements granted. Legacy systems often create complexity, because systems don’t talk to each other and access is not always linked to the user’s identity. This makes it difficult to identify and control what access rights a user may have. An understanding of the system landscape is vital.
* Apply a phased approach – all the company data needs to be assessed for sensitivities and repaired without detrimental effects to the business. This may be an extensive process and, if not correctly managed, may harm the day-to-day functioning of the business. Blindly revoking user access can also be disastrous.
* Work with a reputable technology partner – after completing the data clean-up and understanding the system landscape and how access rights are structured, the next step is to appoint a technology partner.
* Get all stakeholders involved and on board – ultimately it is the people within the organisation who will ensure the overall success of the project. Therefore, a solid change management programme is required to help ensure that everyone is on board – technical teams and actual users.
“Lastly, I recommend including a change management team in the IAMG project team. These team members can manage communication and people challenges throughout the project, helping to ensure the overall success,” says Yazbek.