Introduction to Governance

Welcome to section two of our course. Section two relates to governance. And governance is a critical aspect of identity and access management. If we think about the individual transactions that take place within identity and access management, we need to know what should be allowed, what should be permissible, and what should be prohibited. Governance allows us to set a posture for our security and our access management policies. It helps provide a mechanism for senior management to input their requirements, their mission, their vision for the organization, and how that should impact and be reflected in our approach to security. Governance also provides us with the tools to help enforce the policy, not just to shape it.

So we look at how we maintain that approach to identity and access management. With the example we gave of physical access to a building, what happens if somebody tries to circumvent that process? How do we know what the correct process is? So governance is critical to identity and access management. A typical governance committee would be comprised of both business and technical resources. And its purpose would be to oversee the identity and access management processes, to create and maintain identity and access management standards, and also the policies. To help prioritize the organization’s tasks and goals. Remember, we have a finite set of resources, time being a constraint.

We want to make sure we’re putting the right things in at the right time, doing the right things in the right order. So we want to make sure that identity and access management provides an effective and appropriate service to the business. And its aim is to support the function of the business, remember. We want to make sure that our implementation is consistent with our position with regards to risk and that it supports any compliance requirements that we may have. And these compliance requirements may be internal or external. They may be standards that we’re required to meet. A governance body helps to find the policy.

And we could look at things like the provisioning, deprovisioning of credentials, separation of duties where that’s appropriate, and so on. So a business is involved. We’ve got stakeholders helping provide support to those processes, letting us know what works well for them, what doesn’t work. And we have the appropriate representation from the IT function and also from a security function. Certain supporting members could be tasked with defining the policies or the processes. Typically we look at the policies as being defined by, and certainly being sponsored by, the senior management group and the procedures being written typically at a much more junior level. So the first thing we need with regard to identity and access management is a mandate.

This typically comes from our chief information officer or a position of senior leadership within the organization. We want to make sure that we have the necessary senior level commitment, that we have the appropriate funding, and the appropriate permissions to access resources, that we have a governance structure in place.

At this point, typically, we would ask the CIO or the senior management team for their vision, ask them to sponsor and adopt the identity and access management program. Do bear in mind that an effective identity and access management program will likely change the way people work. If we’re introducing something like multi-factor authentication, that has an impact on the processes that people use day-to-day to access services. So this is where we need that sponsorship. We need people within the organization to know that this is being led top-down.

Ideally we make sure, through the mandate, through the senior management involvement, that we have a good strategic fit, that we can promote the business value of the program, so why we are doing this, why is this good thing. If we’re changing the way people work, we have to be able to justify that.

Technical architectures will be affected. Our approach to technology will be affected, of course, if we’re changing the way people manage systems, the way systems operate in terms of credentials. And finally compliance, which is a big section relating to governance. The compliance, as we’ve said, can be external. When we’re looking at external compliance, this can be regulatory, something like PCI DSS, which is voluntary, or it can be statutory. It can be a legal requirement to meet certain minimum standards.