IdM Governance in Higher Education
Dave Muehling Director, Consulting 1 April 2010

Governance is Overwhelming!
- Higher Education may not be able to use common business patterns
- Funding models can become a roadblock
- Governance models differ, even within the Higher Education space itself
- The Culture of Higher Education is unique
- It is often difficult to assign ownership
- Membership in governing bodies is often fluid and diverse

Why Talk About Governance Now?
- The Generation Y and “Z” effect
- Technology's role in research and education
- Regulation and Compliance: FERPA, HIPAA, PCI
- Technology overload: Stacking the deck
- Social Networking
- Mobility
- The “my.Device” dilemma
- Federation

What Is IdM Governance?
- What is Governance?
  - Governance sets policy, establishes authority and responsibility, and implements accountability
  - Comprises structures, rules, power and influence, funding mechanisms, enforcement mechanisms, and appeals processes
- University executives and steering committees define policies
- Localized working groups implement policy via processes
- IT automates some of these processes through technology

Effective Governance
A strong governance team helps institutions:
- Foster communication
- Achieve high data quality
- Promote application inter-operability
- Avoid undue risk
- Bring together different constituent groups
- Enforce regulatory compliance
- Support the autonomy amongst the schools
- Provide better service

Effective Governance
Goals of governance:
- Build value
- Create transparency
- Allows management to understand whether the risks the institution is taking are prudent and to know how effectively its value-creation and loss-limitation activities are functioning so that these activities can be adjusted if they are not doing the job
- To achieve executives’ governance goals of building value and creating transparency, institutions must continuously perform two governance tasks:
  - Turn policies into processes
  - Measure success - create evidence of its actions

Effective Governance
A strong governance team requires:
- Sponsorship
  - Maintain focus
  - Manage relationships
  - Overcome roadblocks
  - Provide stewardship throughout the life of the IdM initiative
- Ownership
  - An individual or group should be accountable for the decisions made and the actions taken
  - Has enforcement capabilities to go along with the accountability
- Core Team
  - Responsible for day-to-day direction
  - Right mix is critical to making effective decisions

Effective Governance
What happens if an institution does not have effective IdM governance?
- Redundant identity data propagated across application silos
- Diminished oversight as to how identity data is being used as propagation “propagates”
- Duplicative application development to handle authentication or authorization
- Potential misuse of sensitive identity data due to insufficient controls
- Little end-to-end auditability
  - Of identities and access privileges across all resources
  - Of the applications and systems using an institution’s identity data and how that data is used

Governance
- IdM Framework model includes governance

Types of IdM Governance Models
- Formal Hybrid Model: Shared Central ownership with steering committees and working groups throughout the institution
- Centralized Model: All governance stems from strong central ownership with centralized committees and groups
- Explicitly De-Centralized Model: All governance stems from individual committees and working groups that act in an independent fashion
- No Clear Governance Model

Levels of Governance Maturity
- Level 5 – Optimizing: Continuous process improvement is enabled by quantitative feedback from the process and from testing innovative ideas and technologies
- Level 4 – Managed: Both the process and end-products are quantitatively understood and controlled using detailed measures
- Level 3 – Defined: The process for both management and engineering activities is documented, standardized, and integrated into an organization-wide process and used by all projects
- Level 2 – Repeatable: The necessary process discipline is in place to repeat earlier successes on projects with similar applications
- Level 1 – Initial: Few processes are defined, and success depends on individual effort, talent, and heroic effort

IdM Governance Framework
[Framework diagram; labels and descriptions recovered from the slide]
- Business Drivers: Business Initiatives & Processes, Technology Strategy & Usage, Growth Management, Federation, Legislation
  - Factors determining the Business drivers
- Governance: Guiding Principles, Policy, Management Model
  - Documents policy, principles, control environment
  - Management Model – content management, security management, operational impact
- Architecture: System Architecture and technical Standards
  - Design the infrastructure
  - Develop technical standards and processes
- Operations: Enforcement Processes, Recovery, Monitoring, Administrative and End User Guidelines and Procedures
  - Documenting administrative and end-user guidelines and procedures
  - Administering access controls, monitoring, and recovery processes
- Other diagram labels: Business Requirements, User Profile extensions

Governance
- Governance Process – it is iterative!

Governance
- The IdM strategy should be published and reviewed on an annual basis (“evidence of its actions”)
- The review process should evaluate the strategy with respect to four key areas:
  - Enhancement to existing services
  - New services
  - Operational efficiency
  - Cost reduction

Governance
High level governance process example for an institution to consider (“operationalization”)
- Any department, application owner or business project team requiring new services or extensions to existing services provided by the IdM infrastructure must provide the following:
  - Business purpose
  - Description of the processes
  - Written assurance that the data being used will be protected to the full extent of the institution’s data usage policy

Where To Begin?
- Understand that individual initiatives will have priorities and objectives that don’t align directly to others
- A governance body should, therefore,
  - Rationalize common requirements and capabilities
  - Arbitrate the needs of different initiatives
  - Acknowledge and accommodate the current state
  - Establish the point of convergence
  - Foster and manage the migration

Governance
The governance team and working groups develop:
- Business processes that impact the IdM infrastructure
- Service-level-agreements
- Operations and maintenance issues
- Enterprise (University) standards
- Application integration guidelines
- Privacy guidelines
- Data-usage guidelines
- Schema extensions
- University role definitions and usage
- Authentication and authorization rules
- Address operational issues
- Budget and funding

Governance
A “typical” IdM Governance Team would be comprised of decision-making representatives from the following departments:
- Executive stakeholder(s)
  - Delegate but maintain responsibility
- IT Security and/or Privacy
- IT Architecture
- Operations and Support (e.g., Infrastructure)
- Administrative Systems
- HR Information Systems
- Registrar
- Application Development
- Internal Audit

Where / How To Start
- Evaluate existing policies and processes during initial analysis and release
- Start making governance decisions now to be ready for future requirements
- Iterative process – Create, Validate, Finalize
- Executives, legal, IT, privacy, & security validate any decisions
- If needed, form sub-teams to work offline and present recommendations

How To Measure Success
- Leverage management frameworks (CobiT, ITIL, etc.)
- Key Goal Indicators
  - Business-driven measurements of what needs to be accomplished
  - Lag indicators that can only be measured after the fact
  - Examples: CISO / CPO agreement and signoff, having operations on budget and on schedule, availability of systems and services
- Key Performance Indicators
  - Short, focused measurements of how well a given process is performing
  - Examples: reduce # of support incidents, satisfaction of stakeholders
- By clearly defining key goal and performance indicators, institutions can establish benchmarks to determine effectiveness of governance model

Summary
- Governance should start at the top
- Governance tasks should be delegated, but authority is still held at the executive level
- In order for governance to work you need to:
  - Have a minimum level of control at the top level
  - Have to determine scope of compliance
  - Have to determine execution of compliance
  - Have to create the processes, audit points and architectures that will support the decisions being made
- One size does not fit all – define and adopt a governance model that best fits with the institution’s principles and culture
Q&A