IAM Projects

ISIM deployment phases

Phase I.
At the end of this phase:
  • existing users may be able to change their passwords through ITIM
  • existing users can be modified, added and deleted (suspended) using ITIM

  1. Install the server and the agents (adapters).
  2. Reconcile all machines to obtain a 100% inventory of existing accounts.
  3. Determine the most accurate existing data source (e.g., RACF, NT, W2K, UNIX, LDAP).
  4. (optional) Determine the organizational structure (i.e., the Organizational Units will be the RACF default groups).
  5. Filter the reconciled data from the most accurate source and massage it to create the feed.
  6. Filter this feed against the reconciled data of the other systems to identify collisions (userids that are not unique across systems).
  7. Correct the userids in the feed file to make them unique.
  8. Load the feed to create "people" records.
  9. Run a reconciliation of the most accurate source to complete Phase I.
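Steps 5 to 7 above are the data-handling core of Phase I: filter the authoritative source down to real people, find userids that exist on other systems but belong to somebody else, and fix the feed so every person gets a unique id. The following is an added example (not part of the original notes and not ITIM/ISIM code) that works through those three steps on constructed reconciliation data; the record shape (uid, givenName, sn, dept) and the "same name means same person" matching rule are assumptions made for the illustration.

```python
"""Phase I feed preparation: build unique "person" records from reconciled
account data (added example; the data and matching rule are constructed)."""
from collections import defaultdict

# Constructed reconciliation output for three targets. RACF is assumed to be
# the most accurate source (step 3); the others are used only to find collisions.
RACF = [
    {"uid": "JSMITH", "sn": "Smith", "givenName": "John", "dept": "FIN"},
    {"uid": "MJONES", "sn": "Jones", "givenName": "Mary", "dept": "HR"},
    {"uid": "ADMIN01", "sn": "", "givenName": "", "dept": ""},   # shared/service id
]
AD = [
    {"uid": "jsmith", "sn": "Smith", "givenName": "John"},   # same person as RACF JSMITH
    {"uid": "mjones", "sn": "Jones", "givenName": "Mark"},   # different person, same id
    {"uid": "bwayne", "sn": "Wayne", "givenName": "Bruce"},  # not present in RACF
]
UNIX = [
    {"uid": "jsmith", "sn": "Smith", "givenName": "John"},
    {"uid": "mjones", "sn": "Jones", "givenName": "Mary"},
]


def person_key(acct):
    """Assumed identity match: same given name and surname (case-insensitive)."""
    return (acct["givenName"].strip().lower(), acct["sn"].strip().lower())


def find_collisions(authoritative, others):
    """Step 6: a userid collides when the same id on another system belongs to
    a different person than it does in the authoritative source."""
    auth_by_uid = {a["uid"].lower(): a for a in authoritative}
    collisions = defaultdict(list)
    for system, accounts in others.items():
        for acct in accounts:
            auth = auth_by_uid.get(acct["uid"].lower())
            if auth is not None and person_key(auth) != person_key(acct):
                collisions[acct["uid"].lower()].append(system)
    return dict(collisions)


def make_unique(uid, taken):
    """Step 7: append a numeric suffix until the id is unused on every system."""
    candidate, n = uid, 1
    while candidate.lower() in taken:
        n += 1
        candidate = f"{uid}{n}"
    taken.add(candidate.lower())
    return candidate


def build_feed(authoritative, others):
    """Steps 5-7: drop non-person accounts, resolve collisions, emit the feed.
    Returns (feed records, collisions found)."""
    collisions = find_collisions(authoritative, others)
    taken = {a["uid"].lower() for accts in others.values() for a in accts}
    feed = []
    for acct in authoritative:
        if not acct["sn"]:          # no surname: a service or shared id, not a person
            continue
        uid = acct["uid"].lower()
        if uid in collisions:
            # The renamed person keeps ownership of the original account; the
            # step 9 reconciliation must adopt that account to the new uid.
            uid = make_unique(uid, taken)
        feed.append({"uid": uid, "givenName": acct["givenName"],
                     "sn": acct["sn"], "dept": acct["dept"]})
    return feed, collisions


if __name__ == "__main__":
    feed, collisions = build_feed(RACF, {"AD": AD, "UNIX": UNIX})
    print("collisions:", collisions)
    print("uid,givenName,sn,dept")
    for p in feed:
        print(",".join(p[k] for k in ("uid", "givenName", "sn", "dept")))
```

The collision report is worth keeping as a deliverable on its own: each entry is an account on a non-authoritative system whose owner has to be confirmed with the business before Phase I reconciliation adopts accounts to people.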

Phase II.

  1. Integrate with the external feed.
     Define Provisioning > Server (remember: the placement rule goes here).
  2. Define roles and provisioning policies.
     Define local attributes (extend_schema.pl).
     Define the identity policy (Default_identity_Policy_OPCOPerson).
  3. Define workflows.
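Roles and provisioning policies are what turn the Phase I person records into access: a role's membership rule is evaluated over person attributes, and a policy maps each role to entitlements on target services. Comparing the result with reconciled account data is also how the tool detects access created outside it. The following added example (not part of the original notes, and not ISIM's policy language) models that evaluation in plain Python; the people, roles, policies and reconciled groups are all constructed for the illustration.

```python
"""Phase II: attribute-driven roles, provisioning policies and a compliance
check against reconciled accounts (added example; all data is constructed)."""

# Person records as produced by the Phase I feed (constructed).
PEOPLE = [
    {"uid": "jsmith", "dept": "FIN", "title": "Analyst", "status": "active"},
    {"uid": "mjones", "dept": "HR",  "title": "Manager", "status": "active"},
    {"uid": "tbrown", "dept": "FIN", "title": "Manager", "status": "terminated"},
]

# Dynamic roles: a membership rule is a predicate over person attributes.
ROLES = {
    "Finance-User":    lambda p: p["dept"] == "FIN",
    "Finance-Manager": lambda p: p["dept"] == "FIN" and p["title"] == "Manager",
    "HR-User":         lambda p: p["dept"] == "HR",
}

# Provisioning policies: role -> set of (service, group) entitlements.
POLICIES = {
    "Finance-User":    {("AD", "GL-Readers")},
    "Finance-Manager": {("AD", "GL-Approvers"), ("SAP", "FI_APPROVE")},
    "HR-User":         {("AD", "HR-Staff"), ("SAP", "HR_VIEW")},
}

# Constructed reconciled state of the targets: service -> uid -> groups held.
RECONCILED = {
    "AD": {
        "jsmith": {"GL-Readers", "GL-Approvers"},   # GL-Approvers was granted outside the tool
        "mjones": {"HR-Staff"},
        "tbrown": {"GL-Readers"},                   # terminated but still present
        "svc_backup": {"Domain Admins"},            # no person record at all
    },
    "SAP": {"mjones": {"HR_VIEW"}},
}


def roles_for(person):
    """Terminated people hold no roles, so every entitlement becomes removable."""
    if person["status"] != "active":
        return set()
    return {name for name, rule in ROLES.items() if rule(person)}


def entitlements_for(person):
    """Union of the entitlements granted by every role the person holds."""
    ent = set()
    for role in roles_for(person):
        ent |= POLICIES[role]
    return ent


def evaluate(people, reconciled):
    """Compare policy-derived entitlements with what the targets actually hold.
    Returns (missing, noncompliant, orphans) as sets of (service, uid, group):
      missing      - granted by policy but absent on the target (to provision)
      noncompliant - held by a known person without a policy behind it
      orphans      - accounts with no person record at all"""
    desired = {p["uid"]: entitlements_for(p) for p in people}
    actual = {(svc, uid, grp) for svc, accts in reconciled.items()
              for uid, grps in accts.items() for grp in grps}
    wanted = {(svc, uid, grp) for uid, ents in desired.items() for svc, grp in ents}
    known = set(desired)
    missing = wanted - actual
    noncompliant = {e for e in actual - wanted if e[1] in known}
    orphans = {e for e in actual if e[1] not in known}
    return missing, noncompliant, orphans


if __name__ == "__main__":
    missing, noncompliant, orphans = evaluate(PEOPLE, RECONCILED)
    for label, items in (("missing", missing), ("noncompliant", noncompliant), ("orphans", orphans)):
        print(label)
        for svc, uid, grp in sorted(items):
            print(f"  {svc}:{uid}:{grp}")
```

The three result sets map onto the operational decisions the notes describe: "missing" drives provisioning, "noncompliant" is the alert for access created outside the IdM tool (or left behind after a termination) and feeds the recertification review, and "orphans" are the accounts that never made it into the Phase I people feed and need an owner before anything else.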

Phase III.

  1. Monitor
  2. Maintain
  3. Improve
  4. Sustain

Reasons IdM projects fail

  • Boiling the ocean, e.g. onboarding too many applications at once
  • Grabbing only the low-hanging fruit: picking the easy projects means the impact will not be big enough to be noticed and win further support
  • Falling victim to analysis paralysis
  • Viewing the project solely as an IT initiative

To avoid:

  • Get executive sponsorship
  • Create cross-functional teams; involve business unit managers
  • Keep things simple; deliver a simple message to users
  • Document decisions. There are a lot of calls to make, and you will need to know why you made them.

IAM RFI Sample questions

Yes: You believe you can satisfy the requirement. Use the explanation column to explain how the requirement is satisfied and to state assumptions and exceptions.
No: You cannot satisfy the requirement. Use the explanation column to explain what you do or can do as an alternative, if applicable.
Partial: You partially satisfy the requirement. Be specific about what portion of the requirement is met and what portion is not met.

Access Control M 1 Does your solution provide role-based access?
Access Control K 2 Does this solution include role mining capabilities to derive roles from user entitlements?
Access Control K 3 Does your solution support rule mining to define access rules?
Access Control K 4 Does your solution support entitlements and usage analytics to define roles?
Access Control K 5 Does your solution support entitlements and usage analytics to define rules?
Access Control M 6 Can the solution automatically create a request for provisioning based on individual attributes (position, department, job title)?
Access Control M 7 Can the solution automatically assign access based on individual attributes (position, department, job title)?
Access Control K 8 Does the solution have functionality to make access level recommendations based on individual attributes?
Access Control M 9 Does your solution support a recertification or access review process?
Access Control M 10 Can access review be designated for review by someone other than the supervisor (e.g. role owner or data access owner)?
Access Control M 11 Can access review be triggered automatically?
Access Control M 12 Can access review be scheduled?
Access Control K 13 Does system provide a test environment where recertification campaigns can be simulated before being released?
Access Control K 14 Does the recertification process highlight users with elevated privileges?
Access Control M 15 Does the recertification process highlight policy violations?
Access Control M 16 Does the system provide notifications if reviews have not been completed?
Access Control M 17 Does the system have the ability to escalate to designated individuals if a review has not been completed?
Access Control M 18 Does solution provide the ability to review policy violations during the recertification process?
Access Control M 19 Does solution provide the ability to resolve policy violations during the recertification process?
Access Control K 20 Can the system flag policy violations based on usage data?
Access Control M 21 Does the solution provide the ability to generate mass access updates based on specific criteria (i.e. department, location)?
Access Control K 22 Does the system allow reviewer to do mass approvals on certification reviews?
Access Control K 23 Can the system restrict the ability for mass approvals for specific roles?
Access Control K 24 Can the system restrict the ability for mass approvals while performing an access review?
Access Control K 25 Does the solution provide risk-based access recertification (e.g. only review users that have high risk access)?
Access Control M 26 Can solution support a quick termination process where access must be removed immediately?
Access Control M 27 Can solution support the scheduling of access removal at a specific date and time?
Access Control M 28 Can solution provide notifications/access review when contractor or temp employee access is about to expire?
Access Control M 29 Can solution automatically de-provision access after a set period of inactivity?
Access Control M 30 Can solution automatically suspend access after a set period of inactivity?
Access Control K 31 Can the solution retain individual identity but deprovision all access to support potential situations of contractors returning on future projects or rehires?
Access Control M 32 Does the solution support workflows for approval by supervisors, role owners or business content owners?
Identity Store M 33 Can the solution manage a diverse internal user population (employees, contractors, temp labor, interns, etc.)?
Identity Store K 34 Can the solution manage external user populations (retail customers, vendor partners, etc.)?
Identity Store M 35 Does the solution provide out of the box functionality to support name changes (i.e. change in login id)?
Installation K 36 Do you provide integration and installation services?
Installation I 37 Do you partner with a third party for integration and installation support?
Integration M 38 Do you provide out of the box connectors to Active Directory?
Integration M 39 Do you provide out of the box connectors to MVS Mainframe?
Integration M 40 Do you provide out of the box connectors to Oracle HR?
Integration M 41 Do you provide out of the box connectors to SAP?
Integration M 42 Do you provide out of the box connectors to Unix-based systems?
Integration M 43 Do you provide out of the box connectors to CICS?
Integration M 44 Do you provide out of the box connectors to cloud based systems?
Integration M 45 Do you provide out of the box connectors to SaaS systems?
Integration M 46 Does your solution provide tools to allow creation of custom connectors for home grown or other systems not covered by out of the box connectors?
Integration I 47 Is there a specific skill set required to create custom connectors?
Integration M 48 Does the solution interface with ServiceNow?
Integration M 49 Will solution generate incidents, tickets or workflow in ServiceNow?
Integration M 50 Do you support federation of identities?
Integration M 51 Does the product interface with Mobile Device Management Solution (AirWatch or Afaria) to control access and manage mobile devices?
Maintenance K 52 Do you maintain a product roadmap that is shared with customers?
Maintenance K 53 Do you have scheduled upgrades?
Maintenance K 54 Does the tool have a way to safely transition in upgrades, changes, or security patches?
Maintenance K 55 Does the tool have a way to safely back out upgrades, changes, or security patches?
Maintenance K 56 Do you have a change management process or support team to assist customers with changes resulting from upgrades?
PAM D 57 Does your solution include a Privileged Access Management (PAM) tool?
PAM I 58 Do you partner with a specific Privileged Access Management provider?
PAM I 59 If you offer a PAM, does it include ability to define a profile based on specific roles or behaviors and search for ids matching those profiles?
PAM I 60 Does PAM functionality support account assignments for temporary users?
PAM I 61 Does PAM offer monitoring or session recording functions?
Platform I 62 Is your offering an on-premise solution?
Platform I 63 Is your offering a hosted solution?
Platform I 64 Is your offering a cloud based solution?
Platform I 65 For a hosted or cloud option, do you provide the hosting environment?
Platform I 66 If not, do you have separate hosting partners? If so, please identify the service provider.
Platform I 67 Is your offering a hybrid approach of on-premise and cloud/hosted?
Platform I 68 Is the solution dependent on any other service providers?
Reporting M 69 Does solution offer logging and reporting on all access changes?
Reporting M 70 Does the solution offer ability to create custom reports?
Reporting K 71 Can the user create report preferences?
Reporting K 72 Can the user create personally customized reports?
Reporting K 73 Does solution offer an identity risk score based on access provided to the individual?
Reporting M 74 Does solution offer out of the box reports or dashboard to identify high risk users?
Reporting M 75 Does solution offer out of the box report or dashboard to show status of workflow requests?
Reporting M 76 Does solution offer out of the box report or dashboard to show status of access reviews?
Risk Management M 77 Does the solution provide Segregation Of Duties (SOD) analysis?
Risk Management M 78 Is SOD analysis provided across the enterprise (will it evaluate cross system risks)?
Risk Management K 79 Does the solution have internal SAP SOD analysis capabilities?
Risk Management K 80 Does the solution interface with SAP Access Control to determine SODs and risks?
Risk Management M 81 Does the solution provide risk analysis and/or simulation during the request process?
Risk Management K 82 Does the solution automatically scan to detect policy violations or SODs?
Risk Management M 83 Does the solution provide automatic notification of SOD violations when identified?
Risk Management M 84 Does the solution provide escalation to specified individuals of SOD violations when identified?
Risk Management M 85 Does the solution provide the ability to accept a risk with controls as a mitigation function?
Risk Management M 86 Does the solution provide the ability to accept a risk with monitoring as a mitigation function?
Risk Management K 87 Does the solution detect SOD violations based on usage (transactions performed)?
Risk Management K 88 If the solution can detect SOD violations based on usage (transactions performed), can mitigating controls be applied?
Self Service M 89 Does the product offer a self-service portal?
Self Service M 90 Is the self-service portal appropriate for general business users?
Self Service K 91 Can the self-service portal be customized for content and available transactions?
Self Service M 92 Can a user search for roles or access based on key words?
Self Service M 93 Can a user search for roles or access based on phrases?
Self Service M 94 Can system display user friendly descriptions of roles or access types?
Self Service M 95 Can a user model access based on another user?
Self Service M 96 Can a user model access based on a position?
Self Service M 97 Can a user model access based on a template?
Self Service M 98 Can a user specify start/end dates for access?
Self Service M 99 Can system be configured to restrict the roles available for user requests (based on individual attributes like position, department, etc.)?
Self Service M 100 Does the system allow the end user to set up delegation of approval authority?
Self Service M 101 Does the solution scale to address changes in user population?
Self Service M 102 Does the solution scale to support additional target systems?
Self Service M 103 Does the solution support interfacing with multiple systems for creation of identities (e.g. HR systems for Hallmark subsidiaries or input from contract employee partners)?
Self Service M 104 Does the solution support interfacing with multiple systems for update of individual information (e.g. HR systems for Hallmark subsidiaries or input from contract employee partners)?
SIEM K 105 Can the solution interface with a Security Incident and Event Management (SIEM) tool?
Single Sign on K 106 Does the solution offer single sign on capabilities across systems and applications?
Single Sign on K 107 Does the solution offer an enterprise password reset function for end users and administrators?
Single Sign on K 108 Can single sign on be restricted to only specific applications?
Single Sign on K 109 Can single sign on be restricted to only specific systems?
Single Sign on K 110 Does the solution provide single sign on for SAP?
Single Sign on K 111 Does the solution support multi-factor authentication?
User Experience K 112 Does the product provide a consistent user experience across PCs and MACs?
User Experience M 113 Does the product provide identical functionality for PC and MAC users?
User Experience K 114 Does the product provide a user experience for mobile devices that is consistent with the PC and MAC interface?
General Question 1 Do you have a SOC 2 report? If so, please send a copy.
General Question 2 What out of the box connectors are available for provisioning/deprovisioning?
General Question 3 Describe the level of integration with SAP for SOD analysis (both preventive and detective).
General Question 4 If your solution has a PAM feature, what systems/applications does it support?
General Question 5 Can we get access to documentation on the tool before and after implementation?
General Question 6 Is there an archive feature?
General Question 7 If there is an archive feature, is it configurable?
General Question 8 Does your support model utilize any off-shore resources?
Maintenance 9 If your proposal includes hosting any portion of the solution, what is your standard maintenance window?
Maintenance 10 How often does the vendor update the software required to use the tool (browser, database, OS, etc.)?
Maintenance 11 What is the frequency of major releases/upgrades?
Maintenance 12 What is the frequency of minor releases/upgrades?
Maintenance 13 What is the frequency that patches are generated?
Maintenance 14 What is the frequency of EOL of products?
Access Control 15 What are your federation capabilities with other systems?
PAM 16 What are your capabilities for providing Privileged Access Management?
Use Case - Demo Requests
Category UC # Use Case How Supplier will Address
Access Review 1 Generate periodic review of access by role/business owner
Access Review 2 Generate periodic review of access by supervisor
Access Review 3 Generate review of contractor accounts based on a set access end date
Access Review 4 Demonstrate the system alert raised when a user attempts to create access outside of the IDM tool.
Administration 5 Demonstrate common administrative tasks (add roles, create a workflow, etc.).
Configuration 6 Demonstrate how to connect to additional systems.
PAM 7 Demonstrate ability to allow temporary checkout of privileged accounts.
PAM 8 Demonstrate the process to automatically update passwords on privileged accounts.
PAM 9 Demonstrate the ability to record or log activity during the use of privileged accounts.
PAM 10 Demonstrate how to scan a system looking for a specified user profile.
PAM 11 Demonstrate the use of Password Vaulting (e.g. local administrator accounts)
PAM 12 Demonstrate the management of application service accounts (e.g. application accounts embedded within scripts)
PAM 13 Demonstrate the use of privilege escalation (e.g. just in time escalation, fine grained elevated access)
Provisioning 14 New Employee added to Hallmark HR System – user account provisioned
Provisioning 15 Employee status change in Hallmark HR System – access updated based on changes to supervisor, department or other attribute
Provisioning 16 Employee termination generated based on changes in Hallmark HR System
Provisioning 17 Employee termination process to support removal of access immediately.
Provisioning 18 Employee termination process to support removal of access at a set date and time.
Provisioning 19 Provision a new contractor through a feed from 3rd party (i.e. Fieldglass)
Provisioning 20 Provision a new contractor through a manual input process.
Provisioning 21 Deprovision a contractor through a feed from 3rd party (i.e. Fieldglass)
Provisioning 22 Deprovision a contractor through a manual input process.
Provisioning 23 Supervisor or requester uses portal to request new access for an individual.
Provisioning 24 Supervisor or requester uses portal to request a change to access for an individual.
Provisioning 25 Workflow for access request requiring approval by supervisor, role owner, training department or other functional owner.
Provisioning 26 Manage temporary access requests for vendors and short term project resources.
Provisioning 27 Demonstrate the ability to reuse an identity for a rehired employee or returning contractor without any of their previous access still available.
Provisioning 28 Ability to provision where access request leverages SAP Access Control.
Provisioning 29 Ability to deprovision where access request leverages SAP Access Control.
Provisioning 30 Show risk analysis where the tool is using SAP Access Control to determine the risk.
Provisioning 31 Ability for central role requester or service desk to create a request instead of the user or user manager.
Provisioning 32 Demonstrate a mass update where all users with a specific attribute (i.e. department, location) receive an access update.
Reporting 33 Reporting on who has access to specific data assets and the associated level of access
Reporting 34 Reporting to confirm SLAs are being met for provisioning and de-provisioning activity.
Risk Analysis/Mgmt 35 Conduct SOD analysis during access request process and periodic review
Risk Analysis/Mgmt 36 Create a mitigation where an identified risk is accepted but monitored
Risk Analysis/Mgmt 37 Demonstrate the integration of a SIEM tool with IDM (e.g. suspend access).
Technical support 38 Request generates incident in ServiceNow for other support teams.
Technical support 39 Support multiple systems through single sign on function.
Technical support 40 Segmentation – demonstrate the ability to service subsidiaries or specific business entities separately.