IDENTITY AND ACCESS MANAGEMENT PROJECT QUALITY ASSURANCE REPORT #3


JUNE 30, 2017

July 17, 2017

Heidi Geathers, Deputy Chief Information Officer
Washington Technology Solutions
1500 Jefferson Building
Olympia WA

RE: Identity and Access Project Quality Assurance Report #3, June 30, 2017

Dear Ms. Geathers:

Sightline, LLC was contracted by Washington Technology Solutions (WaTech) to provide Quality Assurance (QA) services to the Identity and Access (IAM) Project. Sightline's assessment of the IAM Project is based on the professional experience and judgment of its consulting team. This report was prepared independent of project participants and stakeholders.

Thank you for the opportunity to provide QA services to the IAM Project. Please let me know if you have any questions or comments.

Regards,

Kathleen Nolte, Principal
Sightline, LLC

cc: Debbie Hoxit, Acting Enterprise Project Office Manager
Blackhawke Marshall, Project Manager
Kathy Pickens-Rucker, OCIO Consultant

855 TROSPER RD. SW, # , TUMWATER, WA SIGHTLINELLC.COM

EXECUTIVE SUMMARY

Identity and Access Project

The IAM project is progressing well towards implementation of a fully functioning identity and access management module. A small number of technical tasks remain to complete Phase 2 of the IAM project.

Implementation of the Microsoft Identity Manager (MIM), which provides identity and access lifecycle management, is nearing completion. One component of MIM is the Privileged Account Manager (PAM), which allows customers to identify a very small number of users who would have special access to some features. Many security considerations are still being discussed. This functionality will not hold up implementation of IAM, and a pilot with a customer could likely provide more information about how it works, including how security is maintained and managed. Additional work will be needed.

Implementation of the Self-Service Password Recovery (SSPR) tool, which allows users to reset their password when needed, is in pilot at WaTech. Using the self-service feature requires users to complete set-up work (e.g., choose and answer security questions). WaTech Operations plans to push the SSPR application to all WaTech users on July 27th. Staff will be required to complete the configuration work when they log onto the system for the first time after this feature is turned on. Because this could cause an increase in phone calls to the support desk, WaTech might want to consider rolling out to smaller sub-groups rather than a big bang approach.

Business Implementation

The project developed a roadshow to highlight features WaTech plans to implement through the Cloud Enablement Program (CEP). The first roadshows were held in June and were well-received by customer staff. The presentations provide technical and business views, customized to the audience (e.g., technical audience members are given a more technical view of the offerings).

While the roadshows and expansion of IAM to external agencies are not part of Phase 2, the work is integrally linked to the WaTech pilot, so we are highlighting some tasks and issues in this report. The roadshows have highlighted three risks the project will need to manage.

So far, two agencies highlighted that they did not include the cost of needed licenses for cloud services in the agencies' biennial budget. While the cost may not be prohibitive, agencies were concerned that it was unplanned.

WaTech has not developed a costing model that will be used to charge agencies for the use of CEP services. Agencies are concerned that these costs might be prohibitive. Development of a chargeback model is planned for the coming biennium.

As approved in the initial IAM project approval documentation, the IAM project is implementing a change in how new employees and exiting employees are managed in the Human Resource System (HRMS). The new process will create the Active Directory account automatically when a new employee is hired and entered in HRMS. This will require that the hiring authority and HR staff create an HRMS account prior to an employee beginning work. Customers are concerned that impacts related to changing business processes could be significant and that they will need more time and support to make the changes. Agencies may be expecting more organizational change management support than WaTech is able to provide.

I. QUALITY ASSURANCE RISK DASHBOARD

The QA Risk Dashboard provides an assessment of project risk areas that have the greatest potential for impacting or delaying the project, in accordance with OCIO Policy 132, Project Quality Assurance, and the Standard Minimum Project Quality Assurance Activities.

Quality Assurance Risk Dashboard Summary

Assessment Area: Overall Project Health
Comments: The IAM project is progressing well with most of the technical tasks complete. Other communications and stakeholder management tasks remain. Overall, the project schedule has Phase 2 of the IAM project completing in August. WaTech is currently piloting the Self-Service Password Reset (SSPR) functionality and it is reportedly going well. Additional tasks to reach out to customers are also in progress and are offering valuable feedback that can be incorporated into the next phase, which includes roll-out to partner agencies and customers.

Assessment Area: Governance
Comments: A project steering committee is meeting monthly to discuss IAM specifically. Many of the same individuals are also members of the Cloud Enablement Program (CEP) steering committee. This provides useful interaction given how closely entwined the various projects are. The project has a project sponsor and technical sponsor who are capable and well positioned to direct the work and remove roadblocks that may arise. The current project manager is moving the project forward as appropriate. The project manager reports to the Enterprise Project Office (EPO) manager, who retired in June. An interim EPO manager has been named to support project needs.

Assessment Areas: Minimized Scope, Time, Cost, Quality, Human Resource
Risk Level: YELLOW

Assessment Area: Minimized Scope
Comments: The technical implementation of IAM within the WaTech environment appears to be well defined and well understood among project staff. Scope is not as clearly understood by businesses. For example, some agencies are interested in implementing cloud products (e.g., Office 365) but do not understand that they will need IAM as a foundational piece. Information has been shared with agency chief information officers, but there is little evidence this has trickled down to business users and decision makers.

Assessment Area: Time
Comments: A high-level project work plan is in place and updated with input from technical staff on a regular basis. Based on the current schedule, IAM Phase 2 tasks will conclude in August. Although most work was to be completed within the biennium, some milestones related to training and documentation will not complete until next biennium. These dates are not in sync with the final investment plan.

Assessment Area: Cost
Comments: The funding provided to the project appears to be sufficient for the staffing and infrastructure needed to complete Phase 2 of the project. Funding for future work is contingent on the state's budget, which was approved on June 30. At the end of the month, WaTech was just beginning to analyze the budget and its impacts on the IAM project (Phase 3) and the Cloud Enablement Program as a whole.

Assessment Area: Quality
Comments: The project recently revised its testing approach to ensure that all testing would be accomplished outside the production environment. Testing strategies appear to be informal.

Assessment Area: Human Resource
Comments: While risks to IAM are decreasing because most technical tasks are nearing completion, staff resources remain constrained. As WaTech continues with other Cloud Enablement Program projects, it is likely that resource constraints will continue. The team may need additional resources to complete needed external stakeholder work and to develop model processes, templates, etc.

Assessment Areas: Stakeholder, Communications, Integration, Risk
Risk Level: YELLOW

Assessment Area: Stakeholder
Comments: The project's communication with external stakeholders has just begun with a series of roadshows with interested agency partners. Developing a clear understanding of agency needs and the potential impacts to agencies of a new approach to identity management could have implications for Phase 3. There does not appear to be consistent planning and readiness at the customer level, as customers have not planned for potential costs or business process changes. It will be important for WaTech to provide templates and guidance for future IAM implementations, which could take considerable time to develop. Agencies may be expecting more support than WaTech can provide. The team has been working with the WaTech Human Resources department to work through process changes related to the Human Resources System (HRMS). While impacts to WaTech as a result of the changing HRMS business process are minimal, this will likely be a bigger issue at the individual agency level. This issue is increasing risks for the project and for customers interested in moving services into the cloud.

Assessment Area: Communications
Comments: The Phase 2 Project Plan outlines the project's communications strategy. The strategy outlined is robust as it pertains to the technical stakeholders. Additional strategies targeted to business sponsors are needed. Customers will need to clearly understand impacts to business processes. The roadshows are a first step in increasing knowledge and information.

Assessment Area: Integration
Comments: The IAM cloud solution requires several tools to be integrated in order to provide an entire solution. The importance of some of the foundational tools such as IAM is not widely understood by customers. WaTech can increase this knowledge by developing strong communications that educate customers about the needs and uses of each of the tools.

Assessment Area: Risk
Comments: The project has laid out a structured and sound approach to risk management in the Phase 2 Project Plan. According to that document, risk identification and management is a shared responsibility of all team members. This approach includes a structured approach to identifying risks, maintenance of a risk log so that all team members have access and input into risk management, and processes for escalating risks. It is unclear whether the team is adhering to these defined processes.

Assessment Areas: Procurement / Vendor, Standard Infrastructure, Formal Methodology
Risk Level: YELLOW

Assessment Area: Procurement / Vendor
Comments: The project had difficulty securing appropriate Azure licenses, but this issue is now resolved. The project manager is responsible for overseeing all IAM Phase 2 procurement and vendor management activities.

Assessment Area: Standard Infrastructure
Comments: The IAM cloud solution is new to WaTech, so staff are learning new tools. This is resulting in some increased risk. As the solution matures, risks related to newer technology should decrease.

Assessment Area: Formal Methodology
Comments: The project is being implemented in a hybrid Agile approach. Multiple work streams are occurring simultaneously and they make use of some agile processes, although each work stream is being addressed in a waterfall lifecycle approach. Some standard agile artifacts and tools are not currently being used, such as a defined project backlog, burn-up and burn-down charts, an established product owner role, etc.

Legend
Trend indicators: risk is the same; risk is decreasing; risk is increasing.
LOW: Assessment area is at LOW risk for impacting scope, schedule or budget.
MODERATE: Assessment area is at MODERATE risk for impacting scope, schedule or budget.
HIGH: Assessment area is at HIGH risk for impacting scope, schedule or budget.

II. PROJECT PROGRESS FOR THE MONTH OF JUNE 2017

Phase 2 of the IAM project is progressing well towards implementation of a fully functioning identity and access management module in WaTech. WaTech has engaged experienced, professional technical staff for this project. As the state's central service agency for technology, WaTech has an enterprise-wide view, is responsible for setting technology policy for the state, and has access to technology leaders at all state agencies.

Technical Implementation

Progress is either complete or under way on all of the work streams. The team successfully migrated WaTech employees to the IAM Cloud environment. Using WaTech as the pilot allows the team to learn and apply lessons during the migration process. It also allowed them to determine processes that will support customer agencies that migrate during the next biennium.

A small number of technical tasks remain to complete the IAM project. Implementation of the Microsoft Identity Manager (MIM), which provides identity and access lifecycle management, is nearing completion. One component of MIM is the Privileged Account Manager (PAM), which allows customers to identify a very small number of users who would have special access to some features. This would be an administrative function that is time-limited and narrowly focused. Many security considerations are still being discussed. This functionality will not hold up implementation of IAM, and a pilot with a customer could likely provide more information about how it works, including how security is maintained and managed. Additional work will be needed.

Implementation of the Self-Service Password Recovery (SSPR) tool, which allows users to reset their password when needed, is in pilot at WaTech. Using the self-service feature requires users to complete set-up work (e.g., choose and answer security questions). Because of this, WaTech chose to implement self-service on a voluntary basis. About 18% of WaTech staff have opted in, and only minor issues have been reported. WaTech plans to fully implement this option on July 27th. Staff will be required to complete the configuration work when they log onto the system for the first time after this feature is turned on. Because this could cause an increase in phone calls to the support desk, WaTech might want to consider rolling out to smaller subgroups rather than a big bang approach. Other than the Enterprise Active Directory (EAD) Steering Committee members, few customers are aware that this feature is available. WaTech has begun communicating these features through the roadshow process. User self-service is a substantial improvement that will benefit customers at large. However, good documentation and instructions need to be prepared so that support lines are adequate to meet the demands.

Business Implementation

The project developed a roadshow to highlight features WaTech plans to implement through the CEP. The first roadshows were held in June and were well-received by customer staff. The presentations provide technical and business views, customized to the audience (e.g., technical audience members are given a more technical view of the offerings). While the roadshows and expansion of IAM to external agencies are not part of Phase 2, the work is integrally linked to the WaTech pilot, so we are highlighting some tasks and issues in this report.

The roadshows have highlighted three risks that the project will need to manage in future phases. WaTech has been engaged for some time with the EAD, which is comprised of agency CIOs. Information related to license fees and business impacts has been highlighted during these meetings, but it does not appear that this information has trickled down to business or agency budget staff. So far, two agencies highlighted that they did not include the cost of needed licenses for cloud services in the agencies' biennial budget. While the cost may not be prohibitive, agencies were concerned that it was unplanned.

WaTech has not developed a costing model that will be used to charge agencies for the use of CEP services. Agencies are concerned that these costs might be prohibitive. Development of a chargeback model is planned for the coming biennium.

As approved in the initial IAM project approval documentation, the IAM project is implementing a change in how new employees and exiting employees are managed in the Human Resource System (HRMS). The new process will create an Active Directory (AD) account automatically when a new employee is hired and entered into HRMS. This will require that the hiring authority and HR staff create an HRMS account prior to an employee beginning work. This allows new employees access to on their first day of work. The team documented the current WaTech business process steps associated with new employee onboarding, but it was time consuming and few people understood the entire process. This current business process was then changed to meet the capabilities of the new system. WaTech is a small agency, so the number of employees involved in the pilot process is small and the impacts are also small. However, impacts to other customers could be significant, and they will need more time and support to make the changes. At least one agency asked what kind of organizational change management (OCM) support WaTech planned to offer them. There is an expectation that this support will be forthcoming, which is not planned. WaTech will need to ensure that adequate support is available to customers so that the transition is smooth. This support may be in the form of guidelines, tools, templates or communications, or there may be a need to add OCM staff to the project team who can provide hands-on support.

Project Controls

Project controls are adequate for Phase 2 of the IAM project but may need to be improved for the larger CEP if that moves forward. It is particularly important to ensure that dependencies and resource constraints are considered in a project plan. The CEP requires concurrent implementation of multiple work streams that rely on support from the same people. Understanding these resource constraints allows the project manager to develop a more sustainable and realistic work plan. The project plan is updated regularly and provides insight into remaining tasks. Other controls are informally managed.

III. PROJECT INITIAL TIMELINE AND MILESTONES

The chart below reflects key project tasks and activities that are either under way or concluding in the current month. It is not intended to provide an exhaustive list of all project activities currently under way. Milestone start and finish dates have been updated to reflect the Master Schedule and are subject to change as the Master Schedule is revised.

Milestone: Update Governance Policies (planned start 1/24/2017)
QA Assessment: EAD policies are progressing well. HRMS and OCIO policy changes are not complete.

Milestone: Security Design Review (planned start 9/2/2016)
QA Assessment: Security Design Review is in progress.

Milestone: MFA Requirement Determination
QA Assessment: In progress but delayed due to a resource conflict. Integration with ADFS is complete in pre-production.

Milestone: As Built Final Design (planned start 10/26/2017)
QA Assessment: Work is under way. Remaining work includes documenting the design.

Milestone: Implement MIM (planned start 10/7/2016)
QA Assessment: Task is in progress.

Milestone: Privileged Account (PAM)
QA Assessment: In progress but delayed due to resource conflicts and the need for a pilot agency.

Milestone: Azure Active Directory (AAD)
QA Assessment: In progress. Work is under way with State HR to determine the method for adding employees to AAD. Schedule needs to be updated.

Milestone: Training (planned start 3/14/2017, planned finish 7/5/2017)
QA Assessment: Training is nearly complete.

Milestone: Project Close (planned start 2/21/2017; finish dates 8/8/2017 and 8/22/2017 as transcribed)
QA Assessment: Documentation is under development.

Planned finish dates for the milestones above, as transcribed (column alignment lost): 7/25/2017, 8/8/2017, 7/14/2017, 7/17/2017, 5/16/2017, 6/16/2017, 7/21/2017, 7/24/2017, 7/21/2017, 7/24/2017, 1/6/2017, 7/21/2017, 1/6/2017, 6/13/2017.

Findings and Recommendation Summary

Finding 1: There is a lack of clarity about the scope of Phase 2.
Recommendation: Clarify which customer-facing artifacts are expected to be delivered from Phase 2 of the IAM Project.
Date Offered: 4/30/2017
Comments: Documentation is under development but it is not yet available for review.

Finding 2: The team is implementing a change to HRMS that has not been fully vetted with decision makers or communicated to agency customers.
Recommendation: Determine a strategy for implementing the HRMS changes and develop corresponding communications and instructions for customers to complete the revised business process.
Date Offered: 4/30/2017
Comments: The strategy has been developed. Documentation is under development but it is not yet available for review.

Finding 3: Project staff resources are being drawn off to other projects.
Recommendation: Protect project staff resources during the remaining two months to focus on completing the IAM implementation.
Date Offered: 4/30/2017
Date Closed: 5/31/2017
Comments: Most technical tasks have been completed, so this recommendation is no longer needed.