The Business Case for Governance

As part of governance, we also want the business case, and this typically helps us with the justification, the visibility of the business value to the organization. Here, we’re looking at providing support to show that it improves our operational efficiency. Even if some of the processes that we’re defining as part of our identity and access management process policy implementation are more onerous, overall we’re looking to prove that they’re more efficient because they reduce the likelihood of us being fined or losing information. So we want to stress here the business drivers for what we’re doing. Typical examples include avoiding financial loss, avoiding fines, and avoiding damage to reputation. This can be difficult to quantify.

If we look at the attack that Sony had, with regard to the Playstation network. That had some tangible financial impacts, but something that’s very hard to put a financial value to is the loss of reputation, the damage to the reputation. If we have customers losing faith in our organization, whether we’re a government, whether we’re an enterprise, it creates problems for our brand. Will people reuse our service? Will people trust us in the future? Typical regulatory compliance, then, we’ve said things like PCI DSS for credit card payments, Sarbanes-Oxley in the United States for financial. We have the European Union General Data protection requirements, which updates the data Protection Directive, which are applicable across the whole of Europe.

It’s a very, very broad remit. And again, must do this if you’re holding personally identifiable information, have to do this, or you can be fined. In terms of the costs, will this help us in terms of some of our support costs? With identity and access management, we may be reducing our cost overheads through the reduction in licencing. If we manage our Joiners-Movers-Leavers processes better, then we can actually help to manage costs down for the organization. Some of the technologies that we’ll look at later in this course, reference technologies like solutions like single sign-on, federated identity management, and they can really help improve people’s access to services.

So it’s not all about processes changing to be more onerous; we can actually make things easier for people. This can form part of our business case that we put forward. When we’re considering the business case, we may also want to consider the service standards, the service level agreement, what kind of time scales are we looking at? And there are some really good models of documentation, that we’ll look at later in the course, and standards that relate to identity and access management that can provide a very helpful starting point. These effectively provide a best practice approach.

This is where much of the work has been done for us by others, and we have a common set of standards, a common set of terms, a common taxonomy that we can reference when implementing an identity and access management solution.