Workshop: The Gartner ITScore Maturity Model of IAM

Transcript of Workshop: The Gartner ITScore Maturity Model of IAM

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."

Ant Allan

Brian Iverson


© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.

Why Is Maturity Assessment so Difficult?

• Lack of hard metrics

• Tendency toward subjectivity

• Trying not to look bad

• Trying not to look too good

• Never been done

• Nobody seems to care


Understand the Challenges

• Staff resistance

• Cultural and political realities

• Lack of skills

• Blips in process performance

• Bureaucracy

• Too academic and quantitative

• Scope creep

• Inappropriate automation


Introducing the Gartner ITScore for IAM

Level 1 Initial

Level 2 Developing

Level 3 Defined

Level 4 Managed

Level 5 Optimizing

• Governance is ad hoc and informal

• Tools put in place on a piecemeal basis

• An IAM vision is defined

• An IAM architecture is defined

• Tactical priorities set based on certain business drivers

• Technology redundancy is likely

• An IAM governance structure is defined

• The IAM PMO is established

• Multiyear projects are aligned with vision and strategy

• IAM performance targets are actualized

• Performance is continuously monitored

• Transformational value

• Discrete technology projects

• Business value is tactical

• Responsibilities are poorly defined

• Key stakeholders are actively involved in the IAM program

• IAM architecture aligned with EA

• The IAM program is dynamic and adaptive to changes in business conditions

"ITScore for Identity and Access Management" G00249408. July 2013


"In a Nutshell"

Level Description

1 Smart people "doing the right thing" — no documentation.

2 Working to document "the right thing."

3 Documentation complete. Beginning to define reasonable and meaningful metrics.

4 Metrics in place. Reporting and adjusting as necessary.

5 A security-conscious culture exists. LOB managers "own" identity governance. There are processes for continuous evaluation and improvement.


The Key Indicators of Maturity

• Management processes:

- Governance

- Planning and budgeting

- Architecture

- Operational processes and controls

• People/Organization:

- Program management

- Roles and responsibilities

• Technology/Tools

• Business culture:

- Business alignment and engagement

- Business value


Where Are You Now?

[Chart: self-assessment grid on a 0 to 5 scale for each key indicator: Governance; Planning and Budgeting; Operational Processes and Controls; Architecture; Program Management; Roles and Responsibilities; Technology/Tools; Business Alignment and Engagement; Business Value]


Plan for Improvement Across All Key Indicators

[Chart: the same 0 to 5 grid for each key indicator (Governance; Planning and Budgeting; Operational Processes and Controls; Architecture; Program Management; Roles and Responsibilities; Technology/Tools; Business Alignment and Engagement; Business Value), plotted for three series: Current state, Planned state, Desired state]


Plan for Continuous, Incremental Improvement

[Chart: maturity scale 1 to 5 showing the Current state, a Planned improvement project that moves the program to the Planned state, and Further improvements TBD toward the Desired state]


Workshop Agenda

• Review characteristics of each maturity level for each dimension.

• Estimate your maturity in each dimension based on these.

• Collate results.

• Discussion and wrap-up.


Management Processes: Governance

Level Description

1 Governance is ad hoc and informal with no executive sponsorship.

2 IAM governance is subsumed within information security governance, with no formal distinction between IAM activities and information security activities.

3 An IAM governance structure is defined and accepted. This may be wholly or partly independent of the information security governance structure; the key thing is that IAM is recognized as a distinct initiative to be governed. There is an executive sponsor for IAM.

4 The IAM governance structure is fulfilled and refined. IAM planning and budgeting are performed across the entire organization at a strategic level.

5 IAM governance structures are continually optimized.


Management Processes: Planning and Budgeting

Level Description

1 At best, responsible managers and administrators have only a conceptual awareness of IAM and its capabilities.

2 Responsible managers have identified certain business drivers, and set tactical priorities for IAM focused on individual business units (BUs) and particular functions; however, there probably has been no check for coherence across these silos.

3 The chief information security officer (CISO), or IAM leader, has defined an IAM vision aligned with the enterprise's strategic business goals. A five-year strategic plan has been defined and accepted. A one-year plan to address the most urgent strategic goals is underway.

4 The IAM leader continually reviews the IAM vision and strategy to ensure continued alignment with the enterprise's strategic business goals. IAM planning and budgeting are performed across the entire organization at a strategic level. Multiyear technology and other projects are reviewed and, if necessary, replanned to align with the current vision and strategy.

5 The IAM leader periodically reviews and optimizes the vision and strategy.


Management Processes: Architecture

Level Description

1 No explicit architecture.

2 No formal architecture.

3 A technology-focused IAM architecture (within the context of the enterprise's information security architecture) is defined.

4 The IAM architecture has technology, information and business views, and is fully aligned with the enterprise architecture. IAM is architected for choice, with a catalog of standard technologies and artifacts.

5 The IAM architecture is likely to be embedded within the enterprise architecture. Standard technologies and artifacts are continually reviewed, and suboptimal choices are removed or replaced.


Management Processes: Operational Processes and Controls

Level Description

1 Processes are ad hoc and informal, varying across silos and with minimal automation. IAM activity is driven by the immediate needs of specific business problems and tasks. Competent managers and administrators may achieve some consistency in the way IAM activity is performed.

2 IAM processes are semiformal, driven by a top-down approach and tied to individual BUs and target systems. Operational processes focus on discrete parts of IAM, particularly identity and coarse-grained entitlement administration.

3 Comprehensive IAM processes are formalized and consistent across BUs and target systems.

4 Formal IAM processes are integrated across BUs and target systems, and are fully aligned with relevant IT, business and partner processes.

5 IAM processes established as business processes are continuously optimized.


People/Organization: Program Management

Level Description

1 No "IAM program" has been identified.

2 Individual technology projects will have CISO or BU management sponsorship and their own project teams. Liaison among BUs, project teams and information security is informal.

3 The IAM program management office (PMO) is established with a charter to manage the IAM program. As for governance, this role may be subsumed within the information security PMO, or may be discrete.

4 The IAM program has active involvement of key stakeholders, and the PMO functions as a liaison between information security, data center operations, application development, HR, finance, legal and compliance, and all lines of business.

5 The work of the PMO is continually optimized.


People/Organization: Roles and Responsibilities

RACI = responsible, accountable, consulted and informed

Level Description

1 Basic roles may have emerged informally. Responsibilities are poorly defined and scattered across the organization.

2 An informal inventory of IAM skills is initiated on a per-project and per-process basis. The IAM leader defines a high-level organization chart showing roles and links between IAM and business decision makers, as well as links within IT for IAM.

3 IAM roles are defined, but the RACI matrix may not yet be fully populated. Participants' skills and training needs are defined. Resource allocation planning is established to meet new operational and project needs in the coming years.

4 IAM roles are well-defined and aligned across the enterprise, and the RACI matrix is fully populated. Organization charts accurately reflect the roles of IAM-relevant personnel within IT and across the enterprise. Proactive skill development is underway.

5 The RACI matrix and skill development program are continually reviewed and refined.


Technology/Tools

Level Description

1 No explicit infrastructure design. There may be some use of target-specific productivity tools (that is, "bottom up" IAM), but these will have been selected and implemented on a piecemeal basis and with inconsistent success.

2 No formal infrastructure design. IAM technologies have been selected and implemented independently by individual BUs or for discrete target systems. Technology redundancy is likely, in some cases with multiple instances of the same class of product. No provisions are made for growth or change consistent with business objectives or history.

3 An infrastructure design (aligned with the architecture) is defined. Projects to rationalize and consolidate earlier IAM investments are underway, along with "new" IAM technology selection and implementation, as set out in the one-year plan.

4 The IAM infrastructure is smoothly integrated with the information security infrastructure — to ensure the highly effective use of complementary technologies (such as security information and event management, identity-aware networking, and context-aware data loss prevention) — and the IT service management (ITSM) infrastructure.

5 The IAM infrastructure design is continuously reviewed, and suboptimal elements are removed or replaced.


Business Culture: Business Alignment and Engagement

Level Description

1 IAM activity has no measurable business value. Business stakeholders are concerned only if actions are tardy or erroneous.

2 Business value is tactical and tied to specific processes. Efficiency improvements are a commonly identified goal, but performance targets are poorly defined. In some cases, failed audits or new regulatory compliance initiatives may have prompted hasty investment in technology to provide effectiveness improvements.

3 IAM performance targets are defined and achieved. There are sustained and quantifiable improvements in efficiency and effectiveness tied to information security and the enterprise's critical business imperative to manage governance, risk and compliance (GRC).

4 IAM performance targets are actualized and refined. There are sustained, quantifiable improvements tied to not just GRC management, but also all the enterprise's critical business imperatives to attract and retain customers; build an innovative and agile organization; maximize performance, profitability and competitiveness; and so on.

5 The value IAM delivers to information security, GRC management and other critical business imperatives is continually optimized. Performance is continuously monitored by the leadership team, and changes are instituted as needed to promote business agility and competitive advantage.


Business Culture: Business Value

Level Description

1 IAM activity has no measurable business value. If target-specific productivity tools are in use, then potential efficiency benefits may have been used to justify acquisition, but actual efficiency benefits are not tracked.

2 Direct business value is typically low — slightly improving processes (for example, improved user experience) that will be difficult to translate into increased revenue or cost savings. Inordinate attention is paid to the justification of technology projects based on IT drivers, rather than business drivers.

3 Direct business value is typically moderate — providing incremental, but significant, improvements to established processes that will result in increased revenue or cost savings for an enterprise.

4 Direct business value is typically high — IAM enables new ways of performing horizontal or vertical applications that will result in significantly increased revenue or cost savings for an enterprise.

5 Direct business value is potentially transformational — IAM enables new ways of doing business across industries that will result in major shifts in industry dynamics.

ITScore IAM — Discipline Score Distribution

Number of respondents = 304 cumulative end users

Percentage of respondents at each level, per dimension (chart values as extracted):

Dimension                   Level 1   Level 2   Level 3   Level 4   Level 5
IAM level                   35%       45%       19%       1%        1%
Bus. align & engage         35%       40%       22%       3%        1%
Architecture                39%       32%       23%       4%        1%
Governance                  27%       50%       22%       1%        1%
Op. process & controls      44%       41%       13%       1%        1%
Plan & budget               28%       38%       26%       7%        1%
Program mgmt.               55%       22%       18%       3%        2%
Roles & responsibilities    47%       34%       15%       3%        1%
Tech. & tools               28%       37%       28%       5%        3%
Bus. value                  12%       61%       23%       3%        1%


ITScore IAM Scores by Industry Group

Number of respondents = 216 end users

[Box plot of ITScore IAM scores by industry group (collapsed). The bar indicates the group median; boxes indicate the middle 50% of scores; each upper tail indicates the top 25% of the scores and each lower tail indicates the bottom 25% of the scores.]

Note: There are statistically significant differences between industry groups, particularly financial services vs. other industries, adjusting for company size.


Best Practices to Drive IAM Program Improvements

• Learn from your security and risk management, operations and service management colleagues.

• Don't work in isolation.

• Improve one level at a time (or half a level).

• Implement an iterative, ongoing maturity process.

• Measure, measure, measure: Evaluate progress quarterly.

• Have realistic objectives: Not all programs have to reach Level 5.

• Don't lose track of your aims and objectives.


Recommended Gartner Research

ITScore for Identity and Access Management — Ant Allan, Earl Perkins (G00249408)

Roundup of Identity and Access Management Research, 1Q13 — Ray Wagner (G00247952)

Hype Cycle for Identity and Access Management Technologies, 2013 — Gregg Kreizman (G00247866)

Agenda Overview for Identity and Access Management, 2013 — Earl Perkins, Gregg Kreizman (G00245842)

For more information, stop by Gartner Research Zone.