Stakeholders at the Governance Phase

When we’re considering identity and access management from any perspective, we should be aware of our stakeholders. And we will revisit through the core stakeholders. But we definitely want to involve our stakeholders during the governance phase. We can identify four types of stakeholders. We have process owners. These are business owners who manage individual processes. But these processes may or may not be affected by our identity and access management implementation. But in likelihood, because of the pervasiveness of technology, they will be impacted in some way. We have a system or application owner as a potential stakeholder. These may be business unit leaders. These may be people from the IT function. But typically, they have responsibility for an individual system or an application.

They will want to be aware of the implications for how their lives change and the lives of their users change. If we have a silo-based line of business application that has its own user repository, and we are hooking that into a single sign-on system, what does that mean? Does it mean that it becomes more accessible through external services? Does it mean that we have to change our processes for how we provision and manage users?

Data owners and executive sponsors are our final stakeholders. Data owners own our information assets. They they’re the people responsible within our organization for our information assets. And our executive sponsors we’ve referenced already as being potentially the chief information officer. But we want somebody from the board level within our organization to help provide that drive for the program, to provide the support for us. So the business area leads we typically want to be involved, partly because they have the best understanding of their business. From an information governance or an information security perspective, we will understand our specialisms.

But we will not know the end user business environment, very rarely will we know the end user business environment as well as those stakeholders. So it’s important that we include them in the process. This will also help with getting buy-in. The ultimate output of an identity and access management solution. I’ve seen this implemented in an out-of-the-box solution. You guys have probably had similar experience, where somebody implements something, it’s rolled out, and you’re told this is the new system. If you cannot influence how it’s deployed, how it’s configured, it feels as though you have a very low level of ownership. And also, it’s going to be more problematic in the way it works.

It’s less likely to meet your needs as a business. So this is about gaining buy-in very, very early on in the implementation cycle. People like HR administrators can help us when we look at joiners, movers, and leavers as a process for creating, changing, managing, and deprovisioning credentials. We actually want people within the business to help support that process. And we can look at automated provisioning dovetailing in HR processes, finance processes, and payroll processes. So this can help everybody. This can be supportive to us, as well as to the end users as well. Typical questions we’d ask here start to outline processes. How do you do something?

Lots of how questions when we’re looking at first engaging stakeholders relating to an implementation. As we move into a business-as-usual cycle, we still want that engagement, that active engagement, with our stakeholders. And here, we’re starting to say is the system still fit for purpose? Is everybody compliant in the way they’re operating to our identity and access management system? Are things working? Are there problems? A typical cycle, a review cycle will also include an examination of our risk position. Risk isn’t static. We perform a risk assessment when we start the process. But we need to continue to revisit that.

And what we’re looking for is the likelihood of occurrence, the impact and any controls, and what impact they have on our service standards. So our data onus, we want to be engaged, partly because we’ve said already the potential for fines, but also because identity and access management, it relates, as we said in the first section, to accessing of assets. Now, when we think of assets, we typically think about financial assets. Quite often, the end game for our assets relates to information. So our data owners are key in this.

We want to identify some really good representatives from the business who are responsible for perhaps our sensitive data, some of our data that is large in terms of breadth, or some of our data which has a higher risk profile.