Based on feedback received from nearly 100 IAM projects (and counting), it's abundantly clear to us that organizations that have taken the up-front time to set-up an IAM Governance Body prior to detailing the specifications of the solution are typically far more successful than those that have chosen to 'play it by ear.' Unfortunately, too many organizations shy away from establishing an IAM Governance Body because of its 'large company stigma'.
This article aims to lay out the practical few first steps that can be taken to form the IAM Governance Body for your IAM Program, regardless of the size of your organization. (Based on our experience, the scope of the project is a better indicator of the need for an IAM Governance Body than company size.)
An IAM Governance Body is a grouping of individuals that are collectively responsible for creating organizational policies, establishing authority to see those policies to fruition, and ultimately the execution of those policies. It goes beyond simple executive sponsorship in order to create a process for defining the appropriate policies, process and execution team for your company's IAM Program. Here are four guidelines that could provide your organization some direction while thinking about IAM Program Governance:
Do I Really Need a Governing Body?
The first step is to ask yourself if you really need a Governance Body. The answer is pretty simple: if the project is long enough to require a vision and a roadmap, then it's probably not appropriate to call it a project. You most likely have an IAM Program on your hands that will become a permanent feature of your organization. If this is the case, establishing a Governance Body will be a tremendous help.
Defining an IAM Governance Framework
We've put together an IAM Governance Framework that is practical and has worked for many organizations. We've purposefully kept it simple yet flexible. It is meant only as a framework for organizations to adopt and adapt based on their specific requirements.
In Identropy's IAM Governance Model Framework, Key Members of the Governance Body define policy (such as Provisioning/ Deprovisoining Policy, Separation of Duties Policy, Recertification Policy, Authentication/Authorization Policy, SLAs, Enterprise Standards, etc.), while Supporting Members provide feedback regarding the policy as well as implement/enforce it. Certain supporting members may be tasked with the responsibility of defining/re-engineering processes in order to implement the policies laid out by the Governance Body.
Based on our experience, the optimal time for defining who's who in your IAM Governance Body is towards the end of an IAM workshop, but prior to the development of Functional Specifications for how the IAM system will work. At this point in time, your organization has laid down a vision and roadmap for your IAM Program, delineated its scope, and have identified drivers and related key use cases - although detailed requirements would yet to have been defined. That is the opportune time to communicate roles and responsibilities to your stakeholders in relation to the IAM Program, specifically the Key Members of the Governance Body.
Recruiting Supporting Members
As the Functional Specifications are being drawn up, it will be important to recruit the appropriate Supporting Members. If the Key Members are the legislative component of the Governance Body, the Supporting Members compose (albeit not exclusively), the executive component. Process Stakeholders are a special type of Supporting Member that works closely with the Key Members in order to define the business processes necessary to make the IAM Policies come to life. The PMO (or its equivalent in your organization) will be tasked with implementing the policies and process suggestions provided by the Key Members and the Process Stakeholders.
It is also the Supporting Members' responsibility to educate their respective constituencies regarding SLAs and process changes, enlist executive aid where necessary, and put the IAG policies into action.
Meetings & Maintenance
During the Functional Specifications phase of the Program, it will be important for the Key Members of the IAM Governance Team to provide support in the form of promptly making the appropriate policy decisions as needed. Because of this, we suggest a lean body (2-3 members should suffice) to meet weekly or bi-weekly with the Functional Specifications Core Team as various IAM Policy questions arise.
Towards the end of the Functional Specifications phase, the technical Supporting Members of the Governance Body should be identified in preparation for the Technical Requirements & Design phase of the Program. It will be their responsibility to work with the Key Members in order to define operational issues, identity data management policy, and other technical standards within the organization.
The IAM Framework defined above is a centralized model. Although we've come across companies where this structure needs to be shifted due to the decentralized nature of the organization, we've found that in most cases, this framework is effective. Based on your organizational needs, you should make the necessary adjustments that makes sense for your organization.