IVI Framework Viewer

Identity Management

B7

Manage identities, and their authentication, authorization, roles, and privileges so that data and IT assets are protected from inappropriate and unauthorized access.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Identity Management at each level of maturity.

2 Basic
  • Practice
    Put in place a system that requires all users to log in using a unique and traceable identity.
    Outcomes
    • All applications/systems require users to log in with a unique identity, but provisioning is either manual or semi-automated.
    • User records can be duplicated across multiple applications, and users can have different credentials for different applications.
    Metrics
    • # of invalid logins.
    • # of credentials required to get access to all systems.
3 Intermediate
  • Practices
    • Implement a single sign-on service that is based on the user's role and security level within the organization.
    • Use a central repository that automatically changes access levels to reflect any changes to the user's role or security level.
    Outcome
    There is a fully documented and semi-automated identity management process in place that is based on roles and data security classifications.
    Metric
    % of users whose access levels do not match their role/security level.
4 Advanced
  • Practices
    • Put in place a centralized federated sign-on service for access across the organization.
    • Have real-time auditing and reporting of any security breaches and compliance issues.
    Outcomes
    • A fully automated identity management system is in place based on roles and data security classifications.
    • The system is linked with other systems to ensure that changes occur automatically — e.g. when someone leaves or changes role.
    • Any security breaches or compliance issues are acted upon in real time.
    Metric
    # of compliance/security issues detected.
5 Optimized
  • Practices
    • Integrate and fully automate all identity management systems and processes across the extended business ecosystem.
    • Use proactive monitoring and reporting to take the appropriate actions on any issues.
    Outcomes
    • The identity management system is fully integrated and proactive.
    • Multiple dashboards monitor organizational roles — for example, how many external users are currently active per application, what internal users are using what applications over a given period, and so on.
    Metric
    # of improvements detected and implemented.