© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Ant Allan
Brian Iverson
Workshop: The Gartner ITScore Maturity Model of IAM
Why Is Maturity Assessment so Difficult?
• Lack of hard metrics
• Tendency toward subjectivity
• Trying not to look bad
• Trying not to look too good
• Never been done
• Nobody seems to care
Understand the Challenges
• Staff resistance
• Cultural and political realities
• Lack of skills
• Blips in process performance
• Bureaucracy
• Too academic and quantitative
• Scope creep
• Inappropriate automation
Introducing the Gartner ITScore for IAM
Level 1 Initial: Governance is ad hoc and informal. Tools put in place on a piecemeal basis. Discrete technology projects. Responsibilities are poorly defined.
Level 2 Developing: Tactical priorities set based on certain business drivers. Technology redundancy is likely. Business value is tactical.
Level 3 Defined: An IAM vision is defined. An IAM architecture is defined. An IAM governance structure is defined. The IAM PMO is established.
Level 4 Managed: Multiyear projects are aligned with vision and strategy. IAM performance targets are actualized. Key stakeholders are actively involved in the IAM program. IAM architecture aligned with EA.
Level 5 Optimizing: Performance is continuously monitored. Transformational value. The IAM program is dynamic and adaptive to changes in business conditions.
"ITScore for Identity and Access Management" G00249408. July 2013
"In a Nutshell"
Level 1: Smart people "doing the right thing" — no documentation.
Level 2: Working to document "the right thing."
Level 3: Documentation complete. Beginning to define reasonable and meaningful metrics.
Level 4: Metrics in place. Reporting and adjusting as necessary.
Level 5: A security-conscious culture exists. LOB managers "own" identity governance. There are processes for continuous evaluation and improvement.
The Key Indicators of Maturity
• Management processes:
- Governance
- Planning and budgeting
- Architecture
- Operational processes and controls
• People/Organization:
- Program management
- Roles and responsibilities
• Technology/Tools
• Business culture:
- Business alignment and engagement
- Business value
Where Are You Now?
[Radar chart, scale 0 to 5, one axis per key indicator: Governance; Planning and Budgeting; Operational Processes and Controls; Architecture; Program Management; Roles and Responsibilities; Technology/Tools; Business Alignment and Engagement; Business Value]
Plan for Improvement Across All Key Indicators
[Radar chart, scale 0 to 5, same nine axes as above (Governance; Planning and Budgeting; Operational Processes and Controls; Architecture; Program Management; Roles and Responsibilities; Technology/Tools; Business Alignment and Engagement; Business Value), with three plotted profiles: Current state, Planned state, Desired state]
Plan for Continuous, Incremental Improvement
[Timeline chart across maturity levels 1 to 5: Current state, then the Planned improvement project leading to the Planned state, then Further improvements TBD toward the Desired state]
Workshop Agenda
• Review characteristics of each maturity level for each dimension.
• Estimate your maturity in each dimension based on these.
• Collate results.
• Discussion and wrap-up.
Management Processes: Governance
Level 1: Governance is ad hoc and informal with no executive sponsorship.
Level 2: IAM governance is subsumed within information security governance, with no formal distinction between IAM activities and information security activities.
Level 3: An IAM governance structure is defined and accepted. This may be wholly or partly independent of the information security governance structure; the key thing is that IAM is recognized as a distinct initiative to be governed. There is an executive sponsor for IAM.
Level 4: The IAM governance structure is fulfilled and refined. IAM planning and budgeting are performed across the entire organization at a strategic level.
Level 5: IAM governance structures are continually optimized.
Management Processes: Planning and Budgeting
Level 1: At best, responsible managers and administrators have only a conceptual awareness of IAM and its capabilities.
Level 2: Responsible managers have identified certain business drivers, and set tactical priorities for IAM focused on individual business units (BUs) and particular functions; however, there probably has been no check for coherence across these silos.
Level 3: The chief information security officer (CISO), or IAM leader, has defined an IAM vision aligned with the enterprise's strategic business goals. A five-year strategic plan has been defined and accepted. A one-year plan to address the most urgent strategic goals is underway.
Level 4: The IAM leader continually reviews the IAM vision and strategy to ensure continued alignment with the enterprise's strategic business goals. IAM planning and budgeting are performed across the entire organization at a strategic level. Multiyear technology and other projects are reviewed and, if necessary, replanned to align with the current vision and strategy.
Level 5: The IAM leader periodically reviews and optimizes the vision and strategy.
Management Processes: Architecture
Level 1: No explicit architecture.
Level 2: No formal architecture.
Level 3: A technology-focused IAM architecture (within the context of the enterprise's information security architecture) is defined.
Level 4: The IAM architecture has technology, information and business views, and is fully aligned with the enterprise architecture. IAM is architected for choice, with a catalog of standard technologies and artifacts.
Level 5: The IAM architecture is likely to be embedded within the enterprise architecture. Standard technologies and artifacts are continually reviewed, and suboptimal choices are removed or replaced.
Management Processes: Operational Processes and Controls
Level 1: Processes are ad hoc and informal, varying across silos and with minimal automation. IAM activity is driven by the immediate needs of specific business problems and tasks. Competent managers and administrators may achieve some consistency in the way IAM activity is performed.
Level 2: IAM processes are semiformal, driven by a top-down approach and tied to individual BUs and target systems. Operational processes focus on discrete parts of IAM, particularly identity and coarse-grained entitlement administration.
Level 3: Comprehensive IAM processes are formalized and consistent across BUs and target systems.
Level 4: Formal IAM processes are integrated across BUs and target systems, and are fully aligned with relevant IT, business and partner processes.
Level 5: IAM processes established as business processes are continuously optimized.
People/Organization: Program Management
Level 1: No "IAM program" has been identified.
Level 2: Individual technology projects will have CISO or BU management sponsorship and their own project teams. Liaison among BUs, project teams and information security is informal.
Level 3: The IAM program management office (PMO) is established with a charter to manage the IAM program. As for governance, this role may be subsumed within the information security PMO, or may be discrete.
Level 4: The IAM program has active involvement of key stakeholders, and the PMO functions as a liaison between information security, data center operations, application development, HR, finance, legal and compliance, and all lines of business.
Level 5: The work of the PMO is continually optimized.
People/Organization: Roles and Responsibilities
RACI = responsible, accountable, consulted and informed
Level 1: Basic roles may have emerged informally. Responsibilities are poorly defined and scattered across the organization.
Level 2: An informal inventory of IAM skills is initiated on a per-project and per-process basis. The IAM leader defines a high-level organization chart showing roles and links between IAM and business decision makers, as well as links within IT for IAM.
Level 3: IAM roles are defined, but the RACI matrix may not yet be fully populated. Participants' skills and training needs are defined. Resource allocation planning is established to meet new operational and project needs in the coming years.
Level 4: IAM roles are well-defined and aligned across the enterprise, and the RACI matrix is fully populated. Organization charts accurately reflect the roles of IAM-relevant personnel within IT and across the enterprise. Proactive skill development is underway.
Level 5: The RACI matrix and skill development program are continually reviewed and refined.
Technology/Tools
Level 1: No explicit infrastructure design. There may be some use of target-specific productivity tools (that is, "bottom up" IAM), but these will have been selected and implemented on a piecemeal basis and with inconsistent success.
Level 2: No formal infrastructure design. IAM technologies have been selected and implemented independently by individual BUs or for discrete target systems. Technology redundancy is likely, in some cases with multiple instances of the same class of product. No provisions are made for growth or change consistent with business objectives or history.
Level 3: An infrastructure design (aligned with the architecture) is defined. Projects to rationalize and consolidate earlier IAM investments are underway, along with "new" IAM technology selection and implementation, as set out in the one-year plan.
Level 4: The IAM infrastructure is smoothly integrated with the information security infrastructure — to ensure the highly effective use of complementary technologies (such as security information and event management, identity-aware networking, and context-aware data loss prevention) — and the IT service management (ITSM) infrastructure.
Level 5: The IAM infrastructure design is continuously reviewed, and suboptimal elements are removed or replaced.
Business Culture: Business Alignment and Engagement
Level 1: IAM activity has no measurable business value. Business stakeholders are concerned only if actions are tardy or erroneous.
Level 2: Business value is tactical and tied to specific processes. Efficiency improvements are a commonly identified goal, but performance targets are poorly defined. In some cases, failed audits or new regulatory compliance initiatives may have prompted hasty investment in technology to provide effectiveness improvements.
Level 3: IAM performance targets are defined and achieved. There are sustained and quantifiable improvements in efficiency and effectiveness tied to information security and the enterprise's critical business imperative to manage governance, risk and compliance (GRC).
Level 4: IAM performance targets are actualized and refined. There are sustained, quantifiable improvements tied to not just GRC management, but also all the enterprise's critical business imperatives to attract and retain customers; build an innovative and agile organization; maximize performance, profitability and competitiveness; and so on.
Level 5: The value IAM delivers to information security, GRC management and other critical business imperatives is continually optimized. Performance is continuously monitored by the leadership team, and changes are instituted as needed to promote business agility and competitive advantage.
Business Culture: Business Value
Level 1: IAM activity has no measurable business value. If target-specific productivity tools are in use, then potential efficiency benefits may have been used to justify acquisition, but actual efficiency benefits are not tracked.
Level 2: Direct business value is typically low — slightly improving processes (for example, improved user experience) that will be difficult to translate into increased revenue or cost savings. Inordinate attention is paid to the justification of technology projects based on IT drivers, rather than business drivers.
Level 3: Direct business value is typically moderate — providing incremental, but significant, improvements to established processes that will result in increased revenue or cost savings for an enterprise.
Level 4: Direct business value is typically high — IAM enables new ways of performing horizontal or vertical applications that will result in significantly increased revenue or cost savings for an enterprise.
Level 5: Direct business value is potentially transformational — IAM enables new ways of doing business across industries that will result in major shifts in industry dynamics.
ITScore IAM — Discipline Score Distribution
[Stacked horizontal bar chart: share of respondents (0% to 100%) at Level 1 through Level 5 for the overall IAM level and for each discipline: Bus. align & engage, Architecture, Governance, Op. process & controls, Plan & budget, Program mgmt., Roles & responsibilities, Tech. & tools, Bus. value]
Number of respondents = 304 cumulative end users
ITScore IAM Scores by Industry Group
[Box plot of ITScore IAM scores, grouped by industry group (collapsed). The bar indicates the group median; boxes indicate the middle 50% of scores; each upper tail indicates the top 25% of the scores; each lower tail indicates the bottom 25% of the scores.]
Number of respondents = 216 end users
Note: There are statistically significant differences between industry groups, particularly financial services vs. other industries, adjusting for company size.
Best Practices to Drive IAM Program Improvements
• Learn from your security and risk management, operations and service management colleagues.
• Don't work in isolation.
• Improve one level at a time (or half a level).
• Implement an iterative, ongoing maturity process.
• Measure, measure, measure: Evaluate progress quarterly.
• Have realistic objectives: Not all programs have to reach Level 5.
• Don't lose track of your aims and objectives.
Recommended Gartner Research
• "ITScore for Identity and Access Management" — Ant Allan, Earl Perkins (G00249408)
• "Roundup of Identity and Access Management Research, 1Q13" — Ray Wagner (G00247952)
• "Hype Cycle for Identity and Access Management Technologies, 2013" — Gregg Kreizman (G00247866)
• "Agenda Overview for Identity and Access Management, 2013" — Earl Perkins, Gregg Kreizman (G00245842)
For more information, stop by Gartner Research Zone.