Identity Management
Manage identities, and their authentication, authorization, roles, and privileges so that data and IT assets are protected from inappropriate and unauthorized access.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Identity Management at each level of maturity.
- 2 Basic
  - Practice
    - Put in place a system that requires all users to log in using a unique and traceable identity.
  - Outcomes
    - All applications/systems require users to log in with a unique identity, but provisioning is either manual or semi-automated.
    - User records can be duplicated across multiple applications, and users can have different credentials for different applications.
  - Metrics
    - # of invalid logins.
    - # of credentials required to get access to all systems.
- 3 Intermediate
  - Practices
    - Implement a single sign-on service that is based on the user's role and security level within the organization.
    - Use a central repository that automatically changes access levels to reflect any changes to the user's role or security level.
  - Outcome
    - There is a fully documented and semi-automated identity management process in place that is based on roles and data security classifications.
  - Metric
    - % of users whose access levels do not match their role/security level.
- 4 Advanced
  - Practices
    - Put in place a centralized federated sign-on service for access across the organization.
    - Have real-time auditing and reporting of any security breaches and compliance issues.
  - Outcomes
    - A fully automated identity management system is in place based on roles and data security classifications.
    - The system is linked with other systems to ensure that changes occur automatically — e.g. when someone leaves or changes role.
    - Any security breaches or compliance issues are acted upon in real time.
  - Metric
    - # of compliance/security issues detected.
- 5 Optimized
  - Practices
    - Integrate and fully automate all identity management systems and processes across the extended business ecosystem.
    - Use proactive monitoring and reporting to take the appropriate actions on any issues.
  - Outcomes
    - The identity management system is fully integrated and proactive.
    - Multiple dashboards monitor organizational roles — for example, how many external users are currently active per application, which internal users are using which applications over a given period, and so on.
  - Metric
    - # of improvements detected and implemented.