Published by Ronald Lewis. Modified over 9 years ago.
1
I AM SPE Identity Access management – Phase 1-2 (Governance structure, request portal, data governance, access certifications) March 2014
2
Executive Summary

Deloitte 11 week study of SPE’s IAM Program (Sept Jan 2013)
- Benchmarked progress against the 2004 Roadmap and industry practices
- Assessed and documented current state and future requirements and objectives
- Assessed and documented the current environment with respect to infrastructure, policies, procedures, processes, constraints, and risks

Key Findings:
- Undefined governance and ownership of workforce types
  - Full time employees are owned by P&O and globally managed in Workday (all other workforce types lack centralized ownership and tracking)
  - Recurring audit issues stemming from inconsistent processes and lack of governance (application controls, asset management and reconciliation, physical security controls)
- Decentralized onboarding/offboarding process
  - Lack of a standard process for onboarding and offboarding for multiple user types and across the regions
  - On average it takes 3-4 weeks to onboard a new joiner
- Lack of an authoritative source for identity data
  - Inconsistent and inaccurate data
  - Manual entry of identity data across applications leads to audit issues (there is no clear number of identity stores)

Detailed Process Work and Program/Project Planning (Jan Oct 2013)
- Designed the approach for future state Identity LifeCycle Management, including Global Template
- Comprehensive assessment for all workforce types and scenarios (new hire, change/update, termination, rehire)
- Recommended a phased project approach – Phase 1 and 2 are ready for greenlight
3
IAM Proposed Solution: ServiceNow “Launch in Context” with SailPoint

[Process diagram. Labels recoverable from the slide, grouped by stage:]
- Onboarding: Workday; SailPoint IIQ; P&O and Backlot Admins; create in authoritative source; create non-FTE user; automatic create in IDM; default access (AD/Outlook); notify manager to initiate further requests
- Request Access: ServiceNow Access Request Portal (systems, applications, assets); Manager & Badge; request application access; request privilege access; request assets; automated and manual provisioning; provisioning teams
- Certify Access: Access Review Tool; generate certification events; application admins/managers; revoke access
- Terminate Access (off-boarding): Workday; terminate in authoritative source; terminate non-FTE user; automatic terminate in IDM; default access terminated (AD/Outlook); Pinnacle (devices), Provance (desktop access), etc.; notify manager to collect physical assets
4
Financial Summary

Year One Project Costs
- Software: $82,500
- Hardware: $0
- Internal Labor: $159,676
- External Labor: $1,802,366
- Inception Funding (FY14): $190,000
- TOTAL: $2,139,962

Five-Year Summary and Payback
- Five-Year Total Cost: $3,338,277
- Five-Year Total Benefit: $11,406,875
- Five-Year Net Benefit: $8,068,599
- Internal Rate of Return: 56%
- Net Present Value at 10%: $4,087,668
- Payback in Months: 15.8

FY1 Project Benefits
- Hard $ Benefits (cost reduction, cost avoidance, and operational efficiencies): $791,021

Funding by Fiscal Year
- FY15: $2,139,951
- FY16: $345,270
- Total: $2,485,221

Depreciation: Ongoing Costs: $842,750

** Five-Year Benefit is a total of the Quantifiable Business and IT Benefits explained in the slides to follow
5
Benefits

Operational Efficiency
- Eliminated data entry into the multiple systems (i.e. Ariba, Notes, , paper forms)
- Time savings across multiple groups including: GAA, Regional Admins, Desktop Support (i.e. multiple ServiceNow tickets that are manually created will be auto-generated)
- Reduction in turnover costs due to streamlining the onboarding process (based on AberdeenGroup’s 2009 ‘Onboarding Benchmark Report’)¹
- Automation of IT Consultant On-Boarding (Lotus Notes Star and IT Facilities & Admin replacement, as well as PPM)
- Automated Ariba COFA approval will be triggered by the IAM solution (closed loop)

Cost Reduction / Avoidance
- Elimination of Support/Maintenance for end of life solution (throwaway customizations)
- Cost for additional future assessment

Risk Mitigation
- Audit findings
- Consolidation of access requests, approvals/workflow, enabling closed loop for audit

¹ 85% of new hires decide, within the first six months, whether or not they will stay with their new employer. (2% decrease in turnover due to streamlining onboarding, ~400 new Regular employees from ‘12-’13, avg. $40,000 salary, using conservative 1x salary to replace employee is $1.4M)
6
Competitive Analysis

Recent studios implemented the following:
- Paramount Pictures: Microsoft/ServiceNow

Other SailPoint customers: RBS, BNP Paribas, Fidelity, Wellpoint, Bank of America, JP Morgan Chase, MGM Resorts, Cardinal Health, Adobe, ING DIRECT, Sallie Mae, OfficeMax, Exxon Mobil, UBS, UPS, Travelers, New York Life

Scotia Bank, Exxon and Anadarko Petroleum Foundation use SailPoint and ServiceNow (“Launch in Context”)
7
IAM SPE Timeline

[Gantt chart spanning Q4 FY14 through FY16, starting Jan 2014. Rows: Phase 0, Phase I, Phase II, Governance/Data Governance, Change Management. Milestones shown: Project Kickoff, Planning, Design, Implementation, Development, SIT, UAT, Cutover, Go Live, Hypercare, Greenlight.]
8
Appendix
9
Security, Risk and Compliance Considerations

- Multiple SEHS audit issues resolved by automated provisioning/deprovisioning to OnGuard:
  - Active badge accounts that should have been terminated due to termination in IDM
  - Mismatched badge accounts to IDM accounts due to manual errors
  - Badge accounts are active in OnGuard but terminated in IDM
  - Accounts are terminated in IDM for users who return as badge-only and the IDM account is never reactivated (out of sync)
- Cost/time associated with manual access reviews will decrease due to automated certifications (required per SOX compliance). Historically, deficiencies have been reported year to year for inaccurate or incomplete user reviews. Resolves deficiencies FY13: C ,C , C
- Audit issues related to Privileged Account Management will be resolved. Per GISS Monitoring, Section 3, critical information systems and related events should be monitored. Per SOX, resolves deficiencies: C , , , C20531.
- Audit issues surrounding Access Control will be resolved. Per GISS, Access Control, SPE systems (SOX and non-SOX) should be appropriately restricted. IAM will provide a record of critical SOX vs. non-SOX systems to enforce proper access control, including terminations in a timely manner. Relates to findings: SOX C40131 and C40133, etc.
10
Scope and Benefits By Phase