Removing unathorised access to data was the driver for financial institution, ING Direct Australia, to implement an identity and access management control system in 2011.
Speaking at the Gartner Security and Risk Management Summit in Sydney, ING Direct Australia head of IT performance, Anthony Sestanovic, told delegates that prior to the implementation of SailPoint IdentityIQ, the bank had too many users with unverified access to core banking systems. This problem needed to be solved in order for it to comply with the Australian Prudential Regulatory Authority (APRA) regulations covering access rights.
After going to tender and selecting IdentityIQ, which was implemented by service provider ,First Point Global, it rolled out the access management control system, which included 30 Sarbanes-Oxley (SOX) applications covering access rights, to 1200 users.
According to Sestanovic, within two months of the project commencing, ING Direct Australia had implemented a system which enabled it to enforce access control related business policies and processes to better manage risk and remove the possibility of a rogue employee gaining access to financial records.
“We were able to gain visibility into user access privileges and remove error-prone manual processes for user access reviews,” he said.
In addition, management also had access to the system so they could now view which staff members had appropriateness access rights to banking applications.
“The information about a user is clear and the reviewer can approve or reject access [by the staff member] to certain systems,” he said.
Since the system went live in February 2011, the bank has integrated 90 more SOX applications and conducted annual reviews of the identity and access management system as new staff members join the organisation and need to be approved to have certain access.
According to Sestanovic, ING Direct Australia learnt nine lessons from the identity and access management implementation.
The importance of upfront analysis
According to Sestanovic, enterprises should not jump into “just do it mode” with IT projects but take time with the implementation. “Prototyping and iterative development are valuable for gathering and refining detailed requirements, and ensuring that functionality, and business value, is delivered as early as possible,” he said.
Secure project sponsorship
Senior executive sponsorship was critical as identity governance offering often spans many business areas that need to commit to identity and access management.
Engage business users
“Get buy-in from the top and drive the program top down,” Sestanovic said. “Select champions from the business who will work with you on testing the functionality and enhancements of the system.”
Establish a governance committee, working group
“This allows different business units to share and leverage work and will accelerate enterprise level deployment,” he said.
Use a small team for delivery
According to Sestanovic, IT executives should avoid engaging different organisations or teams and dividing the design, build and test responsibilities between them. “The technical delivery works best if dedicated and centralised.”
Secure commitment of subject matter experts
These experts should include application support, technical infrastructure, information security and risk managers because systems such as identity and access management affect the whole business, he said.
Employ a technical project manager
“This technical project manager should have a deep knowledge of governance, risk management and compliance,” Sestanovic said. Ideally, this person should also understand the company’s environment and be able to guide the implementation team through company standards and policies.
Engage audit and compliance
Engage an auditor to work with the company as early as possible and be a joint stakeholder in the program.
Stick to your guns
Sestanovic said that IT staff needed to hold true to the scope and the problem they were trying to resolve.
“It is easy to give into the temptation of taking short cuts just to get the project implemented. This project took us over a year to implement,” he said. “Stay focused and work through the challenges, the benefits will come.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia