Selecting the Right Identity Governance Solution: A BUYER'S GUIDE


SECOND EDITION


CONTENTS

- Smooth Sailing Ahead: About this Guide
- Go the Distance: Crafting a Long-Term, Sustainable Identity Strategy
- Sail to Win: Taking on Real-World Business Challenges
- Know the Ropes: Understanding Your Needs and Choosing Your Path
- Move Full Speed Ahead: Selecting the Right Solution
- SailPoint IdentityIQ: Navigating Today's Security and Compliance Demands
- The SailPoint Advantage: A Unified, Sustainable Approach to Identity Governance
- Glossary
- Resources
- Contact SailPoint: Your Partner for the Identity Governance Journey


Smooth Sailing Ahead: About this Guide

A successful identity governance strategy can move your organization toward sustainable compliance, reduced risk, improved service levels and lower operational costs. This guide is designed to help ensure a smooth, speedy journey all along the way. It covers everything from building a solid understanding of today's business goals, reviewing the available choices, and planning for and selecting a technology solution. Designed as a workbook, with checklists and targeted, detailed information, it's a practical tool that you can use to build a request for proposal (RFP) and conduct a side-by-side product analysis.

In the pages that follow, we show how identity governance can be a powerful force for risk management and business improvement on several levels. We present typical concerns and issues that identity governance can address. We introduce you to pathways to implementing solutions. And we help you assess your functional priorities with checklists that can help make sure you don't overlook anything.

As we wrap up, we provide a quick introduction to SailPoint IdentityIQ, our complete identity governance solution, a glossary of terms that can help you understand identity governance in still more detail, and a list of resources where you can find additional information.

We hope you find reading this guide a useful step on your journey to identity governance. Give us a call when you're ready to move ahead!

Kevin Cunningham
President and Founder, SailPoint


Go the Distance: Crafting a Long-Term, Sustainable Identity Strategy

In the last few years, identity management market requirements and business priorities have evolved rapidly. For those of you living through these changes, it has become tougher than ever to make the right decisions about your strategy and technology choices. The answer to yesterday's technology demands may not be the answer to today's complex business challenges.

Ten years ago, when automated provisioning solutions were first brought to market, organizations were focused on automating and streamlining user administration across systems and applications. Enterprises still seek these same benefits today (operational efficiency, cost reduction, and business agility), but these business drivers have been overshadowed in the last few years by the urgent need to address regulatory compliance mandates. In truth, organizations need to address both of these business requirements in a sustainable and cost-effective manner.

"Due to shrinking operating budgets and the need for more continuous compliance exercises, enterprises are searching for ways to reduce costs and access-related risks at the same time. Expensive episodic compliance exercises are giving way to continuous cost-sustainable compliance processes."
Ian Glazer, Analyst, Burton Group, "Market Profile: Identity Management 2010," May 17, 2010

Faced with today's multi-faceted challenges, the right identity management approach should be formulated with a long-term view in mind. Identity management must address immediate security, compliance, and service delivery requirements, but at the same time it must be part of a long-term strategy for business improvement. For example:

- By treating identity management as an extension of core business processes, organizations can ensure that IT and business users work together to manage organizational risks.
- As compliance becomes an everyday fact of business life, identity solutions can help improve not only the effectiveness, but also the efficiency, of an organization's compliance processes.
- With constant and continuous enforcement of access policy across all identity processes, organizations can achieve ongoing, sustainable compliance.

As organizations move toward long-term, sustainable identity strategies, it's important not to lose sight of the fundamental challenges associated with identity management. Threats to business information and technology infrastructures haven't gone away and must be carefully managed. Compliance is a constant and growing requirement. And controlling access to sensitive data remains a high priority, so that questions like these continue to persist for IT and business leaders:

- Am I adequately safeguarding information assets and sensitive data?
- How can I prevent and detect fraud, misuse, or unauthorized access?
- Can I confidently attest to the adequacy of internal controls?
- Can I cost-effectively meet and prove compliance with regulatory requirements?

A Concern for the Entire Organization

What makes the preceding questions particularly challenging is the fact that identity management today is more than a technology issue; it's a business issue. To truly protect information assets from security threats and breaches, enforce corporate policy and meet compliance requirements, organizations must embrace a new approach to identity management with the needs of governance and compliance in mind. This evolution involves four critical shifts in your approach:

- Better alignment of business and IT: Identity management must be viewed as a business issue as much as it is a technology issue. IT and business users need to work together to define policy and controls, monitor the effectiveness of controls, and better manage organizational risk. To this end, key identity business processes, including compliance and user lifecycle management, must be seamlessly integrated.
- Greater visibility and transparency: Organizations must adopt an approach that gives them centralized business intelligence over identity data. This means merging all critical sources of identity information into a single version of the truth for better accountability and oversight.
- Consistency and repeatability: It's more important than ever to apply centralized, automated controls and policy to key identity business processes. Adding consistency and repeatability will allow organizations to strengthen controls, work more efficiently, and sustain compliance over the long-term.
- Risk-based approach and prioritization: Organizations must optimize their time and resources by focusing internal controls and audits on the most critical areas. This ultimately reduces costs and preserves needed resources.

"Identity and access management is finally beginning to grow up and bridge some of the gaps between what the enterprise needs and what IT can do for them. In governance, risk and compliance management, for example, strong access controls coupled with access request, approval and review processes are needed by the business to enable them to fully realize value from their policies, guidelines and practices. This is particularly the case for managing risk. Those IAM solutions that provide the business bridge between IAM and GRC management staff will play a significant role in enterprise access needs of the future."
Earl Perkins, Research Vice President, Gartner, Inc., November 9, 2009

An Imperative for Business Today

Now, with the next generation of identity management solutions focused on these issues, organizations can enforce and verify that the right controls are in place to meet industry, regulatory and audit requirements. Organizations need identity governance, an integrated approach that embeds governance and risk management into core identity business processes. It's an approach that provides a business-friendly layer linking business users and processes to underlying technology and technical users. And, one that improves quality of information and decision-making for all stakeholders.

A Common Governance Model

Traditional approaches to identity management treat governance and provisioning as separate activities, making it costly, complex and burdensome to enforce access controls, carry out compliance initiatives and carry on the day-to-day work of meeting increasingly demanding service level requirements. A more innovative and effective approach is required to streamline all of these efforts: one that allows compliance and provisioning processes to leverage a common governance framework for roles, policy and risk management.

Tools for Identity Governance

Finding the right combination of risk-aware identity controls, compliance and user lifecycle automation tools, and personalized reporting and analytics tools will help you to better protect your organization and its critical assets. Identity governance solutions include the following key components:

- Data Aggregation and Correlation: Integrate identity data from disparate IT resources to create a foundation for identity governance.
- Access Certification: Automate and optimize the review and certification of user access privileges to save significant time and money.
- Role Management: Simplify business and IT role creation and lifecycle management activities.
- Policy Scanning and Violation Detection: Automatically scan users and their existing access for violations of defined business policies to ensure that audit and legal requirements are met across all critical application environments.
- Risk Modeling: Analyze, manage and mitigate risk with visibility into key risk metrics. Track progress over time and provide quantifiable proof of enhanced security and reduced risk to the business.
- Access Request and Identity Lifecycle Management: Centralize self-service access request and automated lifecycle event processes.
- Password Management: Enable users to securely reset their own passwords on multiple systems without help desk involvement.
- Automated Provisioning: Automate changes to user access within connected IT resources based on access requests, role model changes or remediations from certifications.
- Reporting and Analytics: Put identity and access data within easy reach of your business and technical users through configurable dashboards, reports, and ad hoc queries.


Sail to Win: Taking on Real-World Business Challenges

Identity governance has become a strategic imperative for organizations of all sizes. Companies ranging from large, multi-national enterprises to smaller growing businesses must address increasing requirements to protect and govern access to critical applications, systems and databases within the IT environment. Identity governance plays a critical role in enabling organizations to inventory, analyze and understand the access privileges granted to their employees and to be ready to answer the critical question: Who has access to what?

At the same time, today's fast-paced environment demands faster and higher levels of service delivery. New employees and contractors come on board daily, and they need access to enterprise resources right away. Current users' responsibilities change, or their relationship with the enterprise ends, and the organization needs to quickly modify or revoke their access. For IT staff, the challenge becomes how to meet service-level demands while enforcing policy and security, maintaining stringent controls and addressing compliance requirements.

Because there are many different business drivers for identity governance, you may wonder how and when to put the different components of a solution in place. The answer depends on your business priorities and the immediate challenges facing your organization. As a first step, you should step back and assess your most urgent issues. You have to understand what you want your identity governance solution to help you achieve.

Here are some common business goals that can help you determine your own unique priorities:

- Lower the cost of compliance
- Improve delivery of access to the business
- Reduce the cost of delivering access across the enterprise
- Address shortcomings with existing provisioning systems
- Eliminate audit deficiencies and improve audit performance
- Manage access risk during mergers, acquisitions, divestitures and layoffs

So let's begin by looking at the business drivers for identity governance: the goals organizations most frequently hope to achieve with their implementation.

"Compliance is expensive. I need to get my costs under control."

Lower the Cost of Compliance

Compliance can be complex, difficult and, as a result, costly. Meeting the various industry and regulatory mandates requires auditors to regularly review and certify user access privileges. This leaves many companies constantly battling with error-prone and inefficient processes such as manually generating access reports and manually remediating inappropriate user access privileges. Symptoms that you need to cut compliance costs include:

- Building or leveraging multiple, homegrown solutions to handle audit and compliance needs;
- Hiring a full-time staff or consultants to handle compliance projects like access certifications and SoD policy enforcement; and
- Using inefficient tools like spreadsheets and to drive manual compliance processes.

Getting better control of your identity and access data, including centrally defining policy and automating your access certification process, means replacing expensive paper-based and manual processes with automated tools. Not only can you significantly reduce the cost of compliance, you can also establish repeatable practices for a more consistent, auditable, reliable and easier to manage access certification effort. If you struggle to effectively implement compliance processes and integrate them into your systems and infrastructure, identity governance might be the launching pad you need to improve your effectiveness and reduce the costs of sustainable compliance.

"I can't seem to keep up with the incoming requests for managing user access across the organization. There's got to be a better way!"

Improve Delivery of Access to the Business

Given the fast-paced environment of business today, IT organizations are challenged to improve service delivery across identity management processes. Users cannot wait days, or weeks, for access to systems required to perform their job duties. Similarly, organizations cannot tolerate huge gaps in deprovisioning access when a user changes positions or is terminated. Changes to user access must be performed in near-real time, while remaining a controlled, visible, and auditable process. The current state of identity management in most organizations makes it almost impossible to provide consistent and effective service levels to the business due to the following challenges:

- Heavy utilization of manual access request and change processes;
- Inability to apply preventive audit controls to ensure access is granted according to pre-established policy; and
- Lack of coordination between service-level requirements across disparate provisioning processes.

If you're ready to discover an easier, more cost-effective way to deliver access to the business, identity governance can provide the solution. By providing an integrated approach that leverages business-friendly self-service access request tools and automated lifecycle event triggers, identity governance can streamline the delivery of user access across your organization. It also provides a framework for managing changes to user access based on a pre-defined and pre-approved governance model to ensure that changes are made according to policy.

"Requesting new access or even changing a user's existing access is a daunting task in our company. To add access to a single system can take an extraordinary effort to accomplish."

Reduce the Cost of Delivering Access across the Enterprise

Managing the complex relationships between thousands of users and millions of access privileges continues to be a daunting and expensive task for most organizations. Changes to user access are initiated, approved and implemented using fragmented, disjointed processes. Coupled with the fact that in most organizations, the processes and tools used to request or change user access are highly manual, the result is inefficient and costly execution of access requests and changes. Does your organization wrestle with the following problems when fulfilling access changes across enterprise IT systems?

- Multiple front-end processes are used by the business to request new or change existing access privileges;
- Manual processes are required to facilitate changes to user access; and
- Different provisioning/deprovisioning processes are used for different applications.

If these situations sound familiar, it's time to take a different approach. By centralizing your approach to delivering access across disparate IT resources, you can reduce the costs associated with managing the initiation and fulfillment of access requests and changes. By empowering end users (employees and managers) to manage access through self-service, business-friendly tools, you can reduce the workload on Help Desk and IT Operations teams. Automated identity lifecycle events can be used to reduce the number of self-service requests initiated by business users, by automatically triggering changes to access based on changes to identity attributes (e.g., employment status and manager changes). In addition, by selectively automating the entire process for certain resources, including the last mile fulfillment process, additional cost savings can be generated.

"Help! The provisioning solution we've deployed is not meeting our expectations with regard to compliance and is not sustainable for our future needs."

Address Shortcomings with Existing Provisioning Systems

Many organizations have invested in a user provisioning solution only to find that it does not meet their needs, or more importantly, in the case of Sun Identity Manager, will no longer be supported in the future. It may be time to reevaluate your options if you find yourself facing these issues with provisioning:

- Your project is behind schedule and over budget;
- You lack the necessary coverage for applications;
- You have compliance weaknesses related to ineffective off-boarding processes, entitlement creep, separation-of-duty (SoD) violations, and more; and
- You still can't answer the question "who has access to what?"

If you're ready to migrate away from your existing provisioning platform, you will want to make sure you invest in a technology that will address your current provisioning challenges while also integrating with what you have in place today for a smoother transition. The new solution must be able to balance core user provisioning requirements (add, change, delete user accounts and password management) with user-friendly interfaces and processes that empower business users to request and manage access. And most importantly, it must offer an integrated approach to identity governance. Governance and compliance should be handled as an integral component of identity management.

"We failed an audit. I need a tool that can help us get back into compliance quickly!"

Eliminate Audit Deficiencies and Improve Audit Performance

Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls often receive negative audit findings in the form of control deficiencies or material weaknesses. Here are some of the most common identity risks auditors are looking for:

- Orphan accounts: Access that remains active for employees or contractors after termination due to failure to remove privileges;
- Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles resulting in employees with access beyond their job requirements;
- Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions or the ability to perform conflicting duties;
- Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users are managed using manual processes and are very difficult to audit; and
- Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make business decisions about what access is required to perform a specific job function.

If you've failed an audit due to weakness around any of these identity risks, we have good news. The right identity governance solution will improve your visibility into risky or noncompliant areas and automate your processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively analyze risk, make more informed decisions and implement the appropriate controls in an automated and more sustainable fashion. Further, aligning user access with job functions through an enterprise role model can strengthen user access controls by providing valuable business context around how specific sets of access map to the underlying business function being performed by an individual. The result? Fewer chances of negative audit findings or failing another audit. More chances of seeing audit performance improve over time.

"We just bought another company. How can I validate their identity controls before the transition is completed?"

Manage Access Risk during Mergers, Acquisitions, Divestitures and Layoffs

Businesses change. And, today they are changing substantially. More than ever before, you have to quickly add, manage or remove access for dozens, hundreds or thousands of individuals at a time. In fact, in today's complex business environment, one of the most significant challenges to successfully assimilating one organization into another is the ability to integrate IT environments in a timely manner. Large numbers of users must often be provisioned in one set of systems while other users are deprovisioned in a different set. Especially in a layoff, heightened uncertainty among employees can lead to the need to increase security and scrutiny of user access privileges to limit the risk of inappropriate behavior. And, to add to the challenge, acquired companies must meet Sarbanes-Oxley and other compliance requirements of the acquirer in a relatively short timeframe.

The speed at which many mergers, acquisitions, divestitures and layoffs occur makes the efficiency, automation and comprehensive capabilities of an identity governance solution all the more important to successfully establishing control and auditability of identity and access. It's never too early to start planning for a change in the size of your organization. In today's economy, events that force downsizing through a layoff or present opportunities for restructuring by shedding business units can come at you quickly. But if you don't have the right visibility into your access privileges and rely on manual processes, you may not be able to act quickly enough.

Taking Stock

Once you've evaluated your business drivers for identity management, you'll be in a better position to prioritize your investments. If you're like most organizations, you have more than one motivating factor, so the key is identifying your one or two most important business imperatives. Moving ahead without prioritizing may cause you to spend precious resources in the wrong direction, inhibiting your ability to meet your most critical needs in a timely manner.

The good news is that investing in an identity governance solution will enable you to realize some quick wins, while at the same time strengthening your organization for the long-term. Depending on your business priorities, these immediate results could save you money and reduce the compliance burden on IT; improve your audit performance; improve the efficiency of identity business processes like access request and delivery; or improve your company's ability to execute on a merger or divestiture.

Whatever path you choose to embark on first, you should avoid taking on every business problem on day one. Best results are achieved by taking a stepwise approach where your project is focused on the business units, departments, or applications that align with your business goals, whether they are corporate agility, operational efficiency, service-level improvement, or regulatory compliance.


Know the Ropes: Understanding Your Needs and Choosing Your Path

Now that you've identified your goals, you'll want to consider the steps you need to take to achieve them. The illustration below shows the possible steps and pathways to implement identity governance from the most basic to the most advanced. In practice, you have several pathways to choose from, and you can prioritize these based on the unique business requirements of your organization.

[Figure 1: Charting Your Course for Successful Identity Governance]

1. Aggregate & Cleanse Data: Aggregate & Correlate Identity Data; Conduct Baseline Access Certification
2. Build Governance Model: Build Policy Model; Build Role Model; Build Risk Model
3. Automate Compliance Management: Access Certifications; Policy Detection & Remediation
4. Automate User Lifecycle Management: Access Request Management; Event-Based Lifecycle Management
5. Fulfill Access Changes: Automated Provisioning; Help Desk; Manual Methods

Steps 3 and 4 are interchangeable depending on your priorities.

The key to success is defining manageable, measurable steps that give you a strong foundation on which to build upon for future identity governance projects; which path you take depends upon your priorities.

Let's look at each of the steps in Figure 1 more closely:

Step 1: Data Preparation

The starting point for any identity governance project should be to understand the current state of user access within the organization by centralizing your identity data. This stage involves creating a single repository for user and access information by extracting data from your authoritative source (or sources) and all target resources, then performing initial access reviews to clean up that data.

- Data aggregation and correlation: This aggregation and correlation process resolves the inconsistencies between the various sources of identity data, creating an enterprise-wide view that enables you to implement appropriate controls and better manage risk. At this stage, you'll gain visibility to accounts that do not correlate to users in authoritative sources (orphan accounts and system/service accounts) and you can remove those accounts or assign them to owners for ongoing management.
- Baseline access certification: Once you've aggregated and correlated your identity data, your next step should be to perform an initial data cleanup certification on the centralized identity data. At this stage, your data/application owners and people managers should review the access privileges for all users. These initial certifications should be used to establish a reliable baseline of data. It's not unusual for organizations performing a baseline certification to find that between 10 and 25 percent of user access privileges are inaccurate or inappropriate and should be revoked. After revocations are performed, this cleansed data will be utilized by other identity governance functions, including ongoing access certifications, policy enforcement, role management, and risk analytics.

Step 2: Governance Model Development

This step focuses on defining the policy and controls you will use to ensure that all identity management processes are performed in accordance with your organization's business policies and risk management strategy. The governance model covers important components such as roles, access policies, and risk. While each model provides distinct benefits to the organization, the creation and deployment of the specific models can align with overall project priorities. Many organizations start with policy management and define the most critical access policies which protect against significant risks to the business. Next, roles typically are generated to simplify how access is assigned to users, as well as reviewed within access certifications. Finally, the risk model enables you to start tracking and monitoring risk across enterprise resources and users. You can prioritize the importance of these components, described in more detail below, and adjust the project accordingly.

- Policy model: As part of configuring the controls environment for your identity governance solution, you will need to define the identity policies required to meet corporate and regulatory requirements across all critical resources. Identity policies that can be defined at this stage include SoD rules that prevent users from holding toxic combinations of roles or entitlements and other access policy rules that can enforce access policies such as "no user can hold more than one account on a resource" or "employees in location ABC cannot have access to the following applications."
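The correlation step from Step 1 and the policy rules named in the policy model above, worked through as an added example; this is not SailPoint code and not part of the original guide. Every identity, account, entitlement name and rule below is a constructed sample, and the correlation keys (employee ID first, then e-mail) are an assumption.

```python
"""Correlate aggregated accounts to an authoritative source, then scan the
correlated data for policy violations. All data here is constructed."""
from collections import defaultdict

# Authoritative source (for example an HR feed): employee id -> attributes.
HR_IDENTITIES = {
    "E100": {"email": "aruiz@example.test", "location": "HQ", "status": "active"},
    "E101": {"email": "bcho@example.test", "location": "ABC", "status": "active"},
    "E102": {"email": "cdole@example.test", "location": "HQ", "status": "terminated"},
}

# Accounts aggregated from target resources; each resource exposes different keys.
ACCOUNTS = [
    {"resource": "erp", "account": "aruiz", "employee_id": "E100",
     "entitlements": ["create_vendor", "approve_payment"]},
    {"resource": "erp", "account": "ARUIZ2", "email": "ARuiz@example.test",
     "entitlements": ["view_reports"]},
    {"resource": "payroll", "account": "bcho", "employee_id": "E101",
     "entitlements": ["run_payroll"]},
    {"resource": "crm", "account": "cdole", "email": "cdole@example.test",
     "entitlements": ["read"]},
    {"resource": "erp", "account": "svc_batch", "entitlements": ["approve_payment"]},
    {"resource": "crm", "account": "jdoe", "email": "jdoe@example.test",
     "entitlements": ["read"]},
]

# Policy model (constructed): one SoD rule and one location restriction.
SOD_RULES = [("erp", "create_vendor", "approve_payment")]  # toxic combination
LOCATION_DENY = {"ABC": {"payroll"}}  # location -> applications not allowed


def correlate(accounts, identities):
    """Return ({employee_id: [accounts]}, [uncorrelated accounts])."""
    by_email = {attrs["email"].lower(): emp for emp, attrs in identities.items()}
    by_identity, uncorrelated = defaultdict(list), []
    for acct in accounts:
        emp_id = acct.get("employee_id")
        if emp_id not in identities:
            # Fall back to a case-insensitive e-mail match.
            emp_id = by_email.get(acct.get("email", "").lower())
        if emp_id is None:
            uncorrelated.append(acct)  # orphan or system/service account
        else:
            by_identity[emp_id].append(acct)
    return dict(by_identity), uncorrelated


def scan_policies(by_identity, identities):
    """Return a sorted list of (employee_id, rule, detail) violations."""
    violations = []
    for emp_id, accts in by_identity.items():
        person = identities[emp_id]
        per_resource = defaultdict(list)
        for acct in accts:
            per_resource[acct["resource"]].append(acct)
            if person["status"] == "terminated":
                violations.append((emp_id, "terminated_with_access",
                                   f"{acct['resource']}/{acct['account']}"))
        denied = LOCATION_DENY.get(person["location"], set())
        for resource, res_accts in per_resource.items():
            if len(res_accts) > 1:
                violations.append((emp_id, "multiple_accounts", resource))
            if resource in denied:
                violations.append((emp_id, "location_restricted", resource))
            # SoD is checked across every account the person holds on the resource.
            held = {e for a in res_accts for e in a["entitlements"]}
            for rule_resource, left, right in SOD_RULES:
                if rule_resource == resource and {left, right} <= held:
                    violations.append((emp_id, "sod", f"{resource}:{left}+{right}"))
    return sorted(violations)


if __name__ == "__main__":
    correlated, leftover = correlate(ACCOUNTS, HR_IDENTITIES)
    for acct in leftover:
        print("uncorrelated:", acct["resource"], acct["account"])
    for violation in scan_policies(correlated, HR_IDENTITIES):
        print("violation:", *violation)
```

The uncorrelated list is the input to the Step 1 cleanup (remove the account or assign it an owner); the violation list is what a baseline certification or policy scan would put in front of reviewers.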

- Role model: Roles are an important component of identity governance because they make it easier for business staff to review and approve user access privileges and ensure low-level access rights or entitlements adhere to business policies. The process of building a role model and creating roles can be pursued incrementally based on your individual organization's needs. Many companies begin by focusing on a defined set of departments or applications based on compliance or other business drivers. Once you've defined the scope of your role project, role mining can be used to build candidate roles by searching and analyzing your correlated identity data using parameters such as department, cost center, or manager. Once roles have been created, they can be leveraged by many components of identity governance, including access certifications, policy enforcement, and user lifecycle management.
- Risk model: Developing an identity risk model empowers you to better assess, manage and control threats to security posed by users and their access privileges. Most conventional approaches require you to manually evaluate each user or application individually. However, a risk-based approach can automatically categorize people and applications and assign privileges accordingly. For example, a person with simple read-only privileges and no access to critical applications would likely be considered low risk, while a person who has numerous policy violations, who has not been certified recently, or who has access to key applications would be a high risk. With a risk model, you can calculate risk scores for each person and resource under management in order to prioritize compliance efforts on those areas that matter most and more efficiently remediate risk.

Steps 3 and 4: Your Choice Based on Organizational Priorities

Once you have consolidated your identity data and built the appropriate components of a governance model for identity management, you have some choices about where you go next. Your next step will depend on a range of factors: the compliance issues you face, the need to improve administrative efficiency, the need to keep up with the demands of a dynamic business environment, etc. The reality is that needs are unique to every company, so deciding on the right path to identity governance will be up to you. There are two major directions you can take: focus on compliance automation or focus on user lifecycle management and automated provisioning.

Step 3 or 4: Compliance Management

If audit deficiencies and the high cost of compliance are top of mind issues in your organization, then you may want to focus on compliance automation as a next step after completion of the governance model. There are two major components of compliance automation:

- Access certifications: Once you've established a baseline of accurate identity data and built key components of your governance model, it's time to focus on automating key compliance activities like access certifications. Access certifications make it easy to perform regularly scheduled access reviews by application or data owners, people managers, or a combination of both, or to review user access based on detected events, such as a job or manager change. Building on policy, role, and risk models you've established, certification reports will clearly highlight detected roles, policy violations, user risk scores and any changes from the previous certification (new users, new roles, or new entitlements). This information enables your reviewers to quickly focus on areas of potential risk and make better decisions.

Policy violation detection and remediation: After the policy model is defined, you can put in place controls to automatically scan and analyze your identity data to quickly detect any violations, such as SoD violations. Based on these scans, detailed reports can be generated, showing a summary of violations grouped by application, department, or geography. In addition, you can customize how policy violations are handled once they are detected. For example, low-severity violations can be summarized in reports, whereas high-severity alerts can automatically trigger notifications to managers for immediate remediation. Alerts can include a detailed description of the rule violated and the source of the rule (e.g., Sarbanes-Oxley or HIPAA), and recommendations for compensating controls.

Step 3 or 4: User Lifecycle Management

If your organization struggles with inefficient and/or non-compliant processes for granting new access privileges or making changes to existing privileges for employees, contractors, and partners, then it may make sense to focus on user lifecycle management as your next step after completing work on the governance model. There are three major components of lifecycle management:

Self-service access request: Once you have an identity governance model in place, you have the means to build efficient and compliant access request management capabilities. Centralized access request management allows managers and end users to conveniently request new access or make changes to existing access privileges within the constraints of your pre-defined identity policy and role models. It also provides an efficient, more accurate way to view existing access and remove access as needed, as well as to create and edit identities.

Password management: Using the same business-friendly user interface, users and/or their approved delegates can change or reset passwords across target systems. Allowing end users to proactively manage password changes can significantly reduce help desk calls.

Event-based lifecycle management: To further streamline user onboarding, offboarding, and other job changes within the enterprise, you can add event-based lifecycle management to automatically trigger access changes based on HR or other authoritative feeds. For example, when an employee's status changes from active to terminated, a trigger launches a change request for all of the user's access privileges. Or when an employee is promoted, resulting in a job title change, a lifecycle event triggers the assignment of a new business role to replace the user's current role. Event-based lifecycle management builds upon and leverages the work you've done to implement the governance model in step 2 by ensuring compliance with defined business policy for roles, entitlements, and risk guidelines.
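The policy violation scan described above under compliance management, sketched as an added example (not code from this guide or from any SailPoint product). It evaluates SoD rules of the multi-sided form "A, B, or C conflicts with any of D, E, or F", groups the results, and routes them by severity; the rule names, entitlement strings, identities and the two-level severity scale are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    name: str
    left: frozenset    # holding any entitlement on this side ...
    right: frozenset   # ... conflicts with holding any entitlement on this side
    severity: str      # "high" or "low" (assumed two-level scale)
    source: str        # origin of the rule, repeated in the alert text


@dataclass(frozen=True)
class Violation:
    identity: str
    department: str
    manager: str
    rule: SodRule
    left_hits: tuple
    right_hits: tuple


# Constructed sample data. Entitlements are written "Application:Right" so that
# a single rule can span more than one application.
RULES = [
    SodRule("vendor-maintenance-vs-payment",
            frozenset({"ERP:CreateVendor", "ERP:EditVendor"}),
            frozenset({"ERP:ApprovePayment", "Bank:ReleaseWire"}),
            "high", "Sarbanes-Oxley"),
    SodRule("commit-vs-production-deploy",
            frozenset({"Git:Commit"}),
            frozenset({"CI:DeployProd"}),
            "low", "internal policy"),
]

IDENTITIES = [
    {"id": "asmith", "department": "Finance", "manager": "jdoe",
     "entitlements": {"ERP:CreateVendor", "Bank:ReleaseWire", "Mail:User"}},
    {"id": "bwong", "department": "Engineering", "manager": "kpatel",
     "entitlements": {"Git:Commit", "CI:DeployProd"}},
    {"id": "cjones", "department": "Finance", "manager": "jdoe",
     "entitlements": {"ERP:ApprovePayment"}},
]


def scan(identities, rules):
    """Return one Violation per (identity, rule) where both sides are held."""
    found = []
    for ident in identities:
        held = set(ident["entitlements"])
        for rule in rules:
            left_hits = tuple(sorted(held & rule.left))
            right_hits = tuple(sorted(held & rule.right))
            # One side alone is fine; the conflict is holding both at once.
            if left_hits and right_hits:
                found.append(Violation(ident["id"], ident["department"],
                                       ident["manager"], rule,
                                       left_hits, right_hits))
    return found


def summarize_by(violations, attribute):
    """Count violations grouped by an identity attribute such as department."""
    return Counter(getattr(v, attribute) for v in violations)


def route(violations):
    """High severity becomes a manager notification; low goes to the report."""
    notifications, report_lines = [], []
    for v in violations:
        detail = (f"{v.identity}: {v.rule.name} ({v.rule.source}) "
                  f"{', '.join(v.left_hits)} with {', '.join(v.right_hits)}")
        if v.rule.severity == "high":
            notifications.append((v.manager, detail))
        else:
            report_lines.append(detail)
    return notifications, report_lines


if __name__ == "__main__":
    results = scan(IDENTITIES, RULES)
    print(summarize_by(results, "department"))
    for manager, text in route(results)[0]:
        print(f"notify {manager}: {text}")
```
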

Step 5: Access Fulfillment

The final step in deploying identity governance involves the fulfillment of access changes on target resources, such as applications, databases and systems. In other words, this phase of the project is focused on ensuring that all changes triggered by compliance remediations, access requests, password changes or lifecycle events are successfully implemented within your IT environment.

You should take a very practical approach to this phase of the project and consider all possible solutions and processes for "last mile" provisioning, including automated provisioning systems, help desk systems, and even manual methods for change. Bear in mind that it's not always cost-effective to automate all access changes; sometimes using application administrators to implement needed changes is the optimal approach. The critical requirement is to implement a closed-loop capability that confirms whether or not all changes have been made, no matter what the method.

There are two approaches that can help you determine which provisioning methodology best fits your IT resources: an ROI analysis and a risk analysis. The ROI analysis can help you identify systems where there are a significant number of users on the target system and/or a high number of changes to users and accounts. The risk analysis can help you identify systems where any lag time between an access change request (e.g., termination of access or revocation of privileges) could put the enterprise at an increased level of risk. The combination of these two metrics can help you prioritize your resources for automating "last mile" change management.
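One way to implement the closed-loop confirmation described above, as an added example (not code from this guide or from any SailPoint product). Each requested change is compared with a fresh aggregation of what the target system actually holds, whatever the fulfillment method, and a change that was confirmed earlier but has since been undone is reported separately; the method names, deadlines, accounts and entitlements are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed time allowed per fulfillment method before an unconfirmed change
# counts as overdue. Real values would come from the risk analysis.
DEADLINES = {
    "provisioning": timedelta(hours=1),
    "helpdesk": timedelta(hours=24),
    "manual": timedelta(hours=72),
}


@dataclass
class ChangeRequest:
    request_id: str
    application: str
    account: str
    entitlement: str
    action: str                          # "add" or "remove"
    method: str                          # key into DEADLINES
    requested_at: datetime
    verified_at: Optional[datetime] = None


def reconcile(requests, snapshot, now):
    """Compare requested changes with the aggregated state of the targets.

    snapshot maps (application, account) to the set of entitlements read back
    from the target. Returns {request_id: status}; status is one of
    "verified", "pending", "overdue" or "regressed".
    """
    statuses = {}
    for req in requests:
        held = snapshot.get((req.application, req.account), set())
        # An add is in effect when the entitlement is present, a remove when
        # it is absent.
        in_effect = (req.entitlement in held) == (req.action == "add")
        if in_effect:
            if req.verified_at is None:
                req.verified_at = now
            statuses[req.request_id] = "verified"
        elif req.verified_at is not None:
            # Confirmed once, undone since: for a removal this means revoked
            # access has come back on the target.
            statuses[req.request_id] = "regressed"
        elif now - req.requested_at > DEADLINES[req.method]:
            statuses[req.request_id] = "overdue"
        else:
            statuses[req.request_id] = "pending"
    return statuses


def run_constructed_example():
    """Two aggregation passes over constructed data; returns both results."""
    t0 = datetime(2024, 1, 8, 9, 0)
    requests = [
        ChangeRequest("R1", "ERP", "asmith", "ERP:ApprovePayment",
                      "remove", "provisioning", t0),
        ChangeRequest("R2", "Bank", "asmith", "Bank:ReleaseWire",
                      "remove", "manual", t0),
        ChangeRequest("R3", "CRM", "bwong", "CRM:ReadOnly",
                      "add", "helpdesk", t0),
    ]
    # First aggregation, two hours after the requests were raised.
    first_snapshot = {
        ("ERP", "asmith"): {"ERP:CreateVendor"},
        ("Bank", "asmith"): {"Bank:ReleaseWire"},
        ("CRM", "bwong"): set(),
    }
    first = reconcile(requests, first_snapshot, t0 + timedelta(hours=2))
    # Second aggregation, four days later: the ERP right is back, the manual
    # bank removal was never done, and the help desk completed the CRM add.
    second_snapshot = {
        ("ERP", "asmith"): {"ERP:CreateVendor", "ERP:ApprovePayment"},
        ("Bank", "asmith"): {"Bank:ReleaseWire"},
        ("CRM", "bwong"): {"CRM:ReadOnly"},
    }
    second = reconcile(requests, second_snapshot, t0 + timedelta(days=4))
    return first, second


if __name__ == "__main__":
    for label, result in zip(("after 2 hours", "after 4 days"),
                             run_constructed_example()):
        print(label, result)
```
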


Move Full Speed Ahead: Selecting the Right Solution

With your goals and general approach established, it's time to move ahead to evaluating solutions. You'll want to look at the specific attributes of various identity governance offerings and determine whether they can provide the functionality you need to accomplish your goals and whether they can deliver the business and technical benefits of true governance that your organization requires.

The following pages contain lists of qualifying questions that will help you evaluate products and plan for a successful implementation of identity governance. We provide questions on the following topics:

- Identity Governance Business Case
- Data Aggregation and Correlation
- Access Certification
- Policy Management
- Role Management
- Risk Modeling
- Access Request and Identity Lifecycle Management
- Password Management
- Automated Provisioning and Help Desk Integration
- Reporting and Analytics
- Architecture and Platform
- Configuration and Administration Requirements

Because an identity governance solution should be designed to enable you to begin at the stage that is appropriate for you, based on your business and IT goals and your existing identity management implementation, all sections may not be relevant to your needs. Feel free to apply the questions to your product evaluation that are most appropriate to your organization.

Note: The lists are divided for ease of use into subsections that reflect activities in the deployment paths we have previously discussed in this guide.

SELECTING THE RIGHT SOLUTION

Identity Governance Business Cases

Ask the following questions to understand how the solution under consideration can help you to solve your current business problems related to governance of user access within the enterprise. Be sure to ask for example case studies and conduct reference calls for confirmation.

Identity Governance Business Case Requirements | SailPoint | Other Vendor

- Does the software help address your most pressing identity governance challenges today?
- Does the solution address common detective identity controls required by regulatory mandates such as Sarbanes-Oxley, HIPAA and Basel II?
- Does the solution reduce the complexity of creating an enterprise governance model?
- Does the solution help to proactively enforce pre-established business policies for how access should be granted within the enterprise?
- Does the vendor provide customer case study examples demonstrating how the solution has reduced the cost of compliance?
- Can the vendor provide specifics on how customers using the solution have leveraged identity risk metrics to improve the effectiveness of preventive and detective identity controls within their organization?
- Does the solution have a unified architecture? Is the solution comprised of a single application or a set of integrated applications? If integrated, what level of synchronization is required between each component?
- Can the solution quickly deliver a return on investment?

Data Aggregation and Correlation

Consolidating and correlating your identity and access data is an essential step in laying the foundation for your identity management initiatives, no matter where in the process you stand. In evaluating tools that offer this important first step in your project, be sure you find one that meets the following criteria.

Data Aggregation and Correlation Requirements | SailPoint | Other Vendor

- Can the solution collect user access privileges from various applications and platforms (e.g., AD, SAP, Mainframes, UNIX and other applications with different file formats)?
- Does the solution support the collection of data using agent-less connectors?
- Are the following import options supported:
  - CSV files?
  - XML files?
  - Flat files?
- Does the solution support automatic discovery of flat-file or database schemas?
- Does the solution support modeling fine-grained permissions such as operational rights on database tables and file shares?
- Can updates to user and access data be scheduled within the application to support regular refresh of information?
- Does the software support the definition of custom schemas for each connected application?
- Can the application derive the employee/manager relationship from an authoritative identity source, such as the central HR application?
- Can the application support multiple authoritative sources for identity data?
- Does the software create a single view of each user within the enterprise and their associated access privileges?
- Are all user entitlements, roles, policy information and activity data viewable within the context of an individual identity?
- Does the solution enable automated correlation of user account information using a wizard-like interface that can be operated by non-technical users?
- Does the application provide a user interface for performing manual correlation of user account privileges? Can an approval be associated with manual correlation of accounts?
- Does the application provide a way to designate accounts as privileged or system accounts? Can this designation be accomplished from the user interface?
- Does the solution include an entitlement glossary and the ability to associate contextual metadata with each entitlement (e.g., business-friendly description, data owner, and account type)?
- Can business-friendly descriptions and other metadata be imported and associated with low-level IT entitlements?
- Are both automated and manual updates to entitlement metadata supported?
- Does the solution support importing and evaluating activity data from target systems?
- Does the import provide filtering of activity data to ensure only the desired data is included?
- Can activity data be mapped back to a known identity based on unique correlation rules?

Access Certification

These questions are designed to ensure that the solution you select is best suited to improve the efficiency and accuracy of your certification process and to help you meet goals for corporate accountability and compliance.

Access Certification Requirements | SailPoint | Other Vendor

- Does the access certification feature support both technical and business user needs within the tool?
- Does the application enable business users to create and manage periodic access reviews across the enterprise?
- Does the solution support managing different certification use cases by different user types out-of-the-box (e.g., manager certifications, application owner certifications, data owners)?
- Can the solution create certifications for individual entitlements, such as group memberships, and assign them to the appropriate data owners?
- Can user access certifications be set up to auto-generate on a periodic cycle?
- Does the application enable a continuous certification environment where users and their associated access privileges are constantly monitored for changes and any change precipitates a review?
- Does the solution support automated report routing to the appropriate certification recipients?
- Can automatic notifications be generated and sent out to certifiers when a new certification is created?
- Does the application support the ability to send reminder notifications periodically during an active certification?
- Can identity attributes such as HR data and user risk profiles be used to automatically define populations of users for certification?
- Does the application highlight privileged user accounts and other high-risk accounts (e.g., service accounts) during the certification process?
- Do the user certification screens highlight/identify changes in user entitlements and/or business roles since the last certification or new users not previously certified?
- Does the reviewer have the ability to bulk certify/approve a particular entitlement for all users in a certification and can this feature be disabled?
- Does the solution support filtering of users during a certification to simplify and speed completion (e.g., filter users by customer-defined attributes, entitlements, business roles)?
- When certifiers review a user's access privileges, can they approve, revoke or allow exceptions? Are the certifier options configurable?
- Can certifiers reassign a specific user or users within a certification to another employee to complete the certification process?
- Does the application support delegation of users to another certifier? Can specific certification line items be delegated to another certifier for completion?
- Can the solution support certification of multi-tiered applications by allowing business users to only sign off at the high-level business application account level?
- Can the solution automatically generate a certification based on detected changes to a user's access (e.g., user changes departments, job roles)? Can these change events be defined and managed through the user interface?
- Does the solution support review and resolution of existing policy violations directly within a certification?

Access Certification (cont.)

Access Certification Requirements (cont.) | SailPoint | Other Vendor

- Does the solution provide user activity data on specific applications/transactions during certifications, enabling reviewers to evaluate access based on usage?
- Does the solution support the ability to define rules by application to identify former employees as an identity attribute?
- Does the solution optionally support bulk remediation for all former employees' access privileges prior to beginning an access certification, thereby reducing the workload of reviewers?
- Does the access certification process support a challenge period to allow users to contest a pending remediation decision before it is implemented in the environment?
- Does the solution support the definition and assessment of remediation periods, allowing the compliance solution to track the remediation activity within the target system?
- Can work items assigned to a manager or application owner be automatically forwarded if the person leaves the company during an access certification?
- Does the application display each user's risk profile within the certification report as additional context for reviewers?
- Can the software support the integration of entitlement descriptions into a certification to provide users with a business-friendly translation of complex IT information?
- Can users configure the certification report display based on their individual preferences (e.g., display/hide columns, sort columns, move columns)?
- Does the solution provide the history of certification decisions previously made on entitlements and roles? Is this historical information included in active certifications to help the reviewer determine the appropriateness of access?
- Does the solution provide visibility to certification activities (e.g., completion status) on a user's dashboard?
- Does the solution provide an administrative dashboard to track aggregated certification metrics across the enterprise and certification campaigns?

Policy Management

With constant changes in user entitlements across multiple, heterogeneous enterprise applications, businesses often struggle to address separation-of-duty and user access violations that expose the organization to risk. The following questions can help you identify a solution that can enable you to simplify policy definition and automate policy scanning and remediation.

Policy Management Requirements | SailPoint | Other Vendor

- Can the application support the ability to define policy violations within and across applications/resources?
- Does the solution support the ability to define and enforce access policy, including SoD policies between individual roles, between individual entitlements, and between roles and entitlements?
- Can SoD policy support multiple-sided exclusions? For example, "A, B, or C conflicts with any of D, E, or F."
- Does the solution support policies around activity-based data (e.g., accessing a critical system after hours triggers a violation)?
- Can risk-based policies be created in the application to support notification/alerting when user risk profiles change?
- Does the application support the definition of account or identity attribute business policies?
- Does the system provide a business-friendly UI for defining and editing access policies?
- Can basic policies be expanded using a scripting or programming language interface?
- Does the solution provide a common policy repository that is leveraged by all identity processes? If more than one repository is needed, does it synchronize between them?
- Does the application automatically scan and detect policy violations?
- When policy violations are detected, does the application automatically notify responsible parties? Are the policy violations escalated if not addressed in a defined period of time?
- Does the application support execution of a business process or workflow when policy violations are detected, allowing varying responses based on criteria such as the calculated risk of the violation?
- Does the solution provide a business-friendly user interface for managing policy violations by both business managers and compliance administrators?
- Are policy violations clearly highlighted during access reviews to allow for rapid remediation?
- When addressing policy violations, is flexibility provided to allow different actions, based on the type and circumstances of the violation?
- Can revocation recommendations be stored in conjunction with each policy rule and exposed to the user when viewing policy violations?

N/A

Role Management

The following questions can help you determine whether the solution under evaluation can manage the entire role lifecycle to accommodate change and keep the quality and reliability of the role model in place.

Role Management Requirements | SailPoint | Other Vendor

- Does the solution provide features which simplify the implementation of an enterprise role model made up of business and IT roles?
- Can the solution import roles using manual or automated interfaces?
- Does the solution support the ability to read or import organizational hierarchy information?
- Does the solution support a hierarchical role model with n levels?
- Does the solution support custom types of roles? Can role types be configured directly within the user interface?
- Can role engineering define additional metadata attributes on a role?
- Does the solution provide a mechanism for combining business roles and IT roles into a common role model?
- Does the business role model support the notion of required and optional IT role associations to enable the principle of least privilege?
- Does the solution support the creation of both business roles (top-down) and IT roles (bottom-up)?
- Does the solution support automated mining of both business roles (top-down) and IT roles (bottom-up)?
- Does the solution have the ability to define roles in plain business language?
- Does the solution facilitate collaboration between business and technical users in the definition and management of roles?
- Does the solution support role mining to discover potential roles using various pattern search algorithms?
- Does the role mining support a directed search, whereby the user is able to narrow the focus of the mining by selecting a set of applications to mine against and by providing user-specifics such as locations, job title, manager, cost center? For example, "Only mine against application 1 & 3 and only mine against users of those applications that are in cost center 1204 and work in the Chicago office."
- Does the solution allow you to create candidate roles by mining the entitlements of a user that represents a useful prototype of a business role?
- Does the role definition process include the ability to identify or suggest candidate roles during the access certification process?
- Does the solution support role ownership? Does the solution support delegation with respect to role ownership?
- Does the solution provide role approval workflow for all changed roles (i.e., add, modify, disable)? Is the workflow configurable for duration, approvers, escalation parameters, etc.?
- Does the solution limit administrative functions for role management and allow the restriction of certain role definitions/applications between individuals or groups of people?
- Can role approvers communicate comments, which are to be passed back to the user/requestor?
- Does the solution provide the ability to perform a "what if" impact analysis on role model changes?
- Does the solution provide analysis of roles indicating role quality based on factors such as membership, risk, and usage?
- Can the solution detect and report on:
  - inactive roles?
  - users with no roles?
  - roles with no users?

Role Management (cont.)

Role Management Requirements (cont.) | SailPoint | Other Vendor

- Does the solution support periodic role certification of both role composition (role privilege/entitlement mapping) and role membership?
- Can the solution detect and alert on role violations before assigning roles to users?
- Does the solution provide the ability to assign and de-assign roles to users? Can assignment be done both manually and through automated assignment and de-assignment rules associated with a role?
- Can the solution request changes for all users that have a particular role, when a role definition is changed?
- Does the solution provide logging and reporting capabilities for all role changes (e.g., "What date was the role created, who created the role, who approved the role?")?
- Does it allow you to search on a specific role within the organization from the role repository?
- Does it allow you to report on all privileges mapped to a role?
- Does it allow you to report on all users assigned to a role?
- Does the solution support temporary assignment of a role to a user (e.g., sunrise and sunset dates)?
- Does the solution support the creation of temporary roles that have defined activation and deactivation dates?
- Does the solution maintain all previous versions of role definitions? Can the solution easily roll back to previous versions of role definitions?
- Does the solution provide a common role model/repository leveraged by all identity processes? If more than one model/repository, does the tool synchronize between them? N/A

Risk Modeling

The following questions address a solution's ability to take a risk-based approach and to provide the functionality necessary for you to assess, manage and control threats to security posed by people, roles and applications.

Risk Modeling Requirements | SailPoint | Other Vendor

- Does the solution track and monitor the relative risk of each user based on that user's access to sensitive applications and data (identity risk scoring)?
- Does the solution dynamically calculate a user's risk score based on changes to access within the environment?
- Does the solution support configurable risk factors and weightings for calculating identity or resource risk scores?
- Can activity monitoring be used as a mitigating factor for reducing the risk score of a user's identity risk profile?
- Is the risk model within the application extensible? Can attributes from authoritative sources be used to influence an identity or resource risk score, such as location, employee status, etc.?
- Does the solution enable risk mitigation actions (e.g., certifications or activity monitoring) to be targeted at high-risk users?
- Can the solution profile aggregate risk scores, e.g., by manager, department, location, or company-wide?
- Can aggregate risk scores be displayed graphically for easy identification of risk "hot spots"?
- Does the solution track risk scores over time for trending analysis? Can this tracking be done by user, manager, department, location, or company-wide?
- Can the solution alert or notify managers, application owners or compliance officers based on changes to an identity or resource risk score?
- Can risk scores be viewed on demand as part of each user's identity information?
- Can high-risk users be easily identified via reporting and analytics?
- Does the solution recommend risk mitigation actions for high-risk users, such as activity monitoring, ad hoc certifications, or remediation of policy violations?
- Can bulk corrective or mitigating actions (such as an ad hoc certification) be taken against high-risk user populations discovered via reporting or analytics?

Access Request and Identity Lifecycle Management

An identity governance solution should offer a convenient and easy way for users to request new access or make changes to existing access privileges within the constraints of the pre-defined identity policy and role model. And it should allow you to gain greater transparency not only into who has access to what, but also into how they acquired access privileges. The following questions can help you review these capabilities.

Access Request and Identity Lifecycle Management Requirements | SailPoint | Other Vendor

- Does the solution provide a business-friendly interface for requesting changes to user access?
- Does the self-service access request solution allow for additions, changes, and removals of access?
- Can the solution facilitate requesting of:
  - roles?
  - entitlements?
  - accounts?
- Does the solution support requesting optional (permitted) IT roles for business roles that are already assigned?
- Can the system be configured to restrict end users to only requesting permitted IT roles?
- Can users request a start date ("sunrise") associated with new access requests?
- Can users select an end date ("sunset") when removing access through the self-service request interface?
- Does the solution support creating new identities from scratch within the user interface (e.g., act as the authoritative source for creating identities)?
- Does the solution allow you to edit identity attributes of existing users? Can the solution limit the data which is editable from the user interface?
- Does the solution scope who can request access for others? Can attributes be used to define the requestor relationship? Does it allow anyone in the organization to request access for anyone else?
- Does the solution support preventive policy-checking of self-service and delegated access requests prior to being submitted for fulfillment?
- Does the solution support configurable workflows to manage self-service access requests/changes?
- Does the solution give end users a business-friendly dashboard to view status of pending and completed requests?
- Does the solution support the definition of automated lifecycle events (e.g., new hire, promotion, termination)? Can events be configured from the user interface?
- Does the solution support configuration of access change triggers associated with lifecycle events to automatically initiate changes to user access?
- Can access change triggers call specific workflows to manage the change process from initiation through provisioning?
- Does the solution provide visibility to access changes initiated through automated change events?
- Does the solution provide a graphical user interface for configuring/editing business processes and workflows associated with manually-initiated access requests (including self-service and delegated requests)?
- Does the solution provide flexible approval routing for changes initiated through self-service request or automated lifecycle events (e.g., manager, data owners, role owners, and security administrators)?
- Does the solution support the following approval workflow types: serial, parallel, single approvals, multiple approvals?
- Does the solution support delegation of approval requests to other users within the system and is this information tracked and audited?

Access Request and Identity Lifecycle Management (cont.)

Access Request and Identity Lifecycle Management Requirements (cont.) | SailPoint | Other Vendor

- Can automatic escalation rules be defined within the solution?
- Does the solution support dynamic rerouting of approval requests based on the outcome of other workflow steps (e.g., change approval routing if a policy violation is identified or if the user's risk score is greater than 800)?
- Does the solution support the creation of new accounts associated with adding new users or access?
- Can the solution request additional information from users involved in the access request process (e.g., requester, approver, application/data owners)?
- Can the solution dynamically generate forms to capture additional information from the user based on pre-configured provisioning policies for applications and roles?
- Does the solution provide an administrative interface to track aggregate request activity across the enterprise? Is the request activity available from an administrative dashboard?
- Does the access request and lifecycle management solution track aggregated request metrics and workflow statistics?
- Does the solution support tracking and reporting on service-level metrics? Are metrics available at the business process as well as the individual workflow step levels?
- Can the solution orchestrate changes to user access based on self-service access requests and lifecycle events across disparate provisioning processes?

Password Management

These questions help you determine if the solution will be sufficient to manage your user passwords: policy setting, self-service resets and synchronization.

Password Management Requirements | SailPoint | Other Vendor

- Does the solution allow end users to manage their own passwords (i.e., reset forgotten passwords, change existing passwords)?
- Are the end-user password management user interfaces integrated with the solution's access request user interfaces for a seamless user experience?
- Does the solution allow delegated password administration?
- Can passwords be synchronized across multiple systems at the same time?
- Does the solution enforce password strength requirements?
- Does the solution support the following constraints:
  - minimum/maximum length
  - minimum letters/numbers/special characters
  - password history constraints
  - exclusion dictionary
- If password strength requirements are supported, are they configurable per target system?
- Does the solution support challenge questions for password recovery?
- Can the number of challenge questions presented to the user be configured based on the organization's security policies?
- Can the solution provide administrators with a report detailing users who have not completed answers to challenge questions?

Automated Provisioning

The following questions will help you to understand if the solution can effectively drive changes to user access across your target systems in a timely manner and according to policy.

Automated Provisioning Requirements | SailPoint | Other Vendor

- Does the solution provide out-of-the-box capabilities for automatically pushing changes to enterprise IT systems?
- Can the solution manage the complete user account lifecycle (add, edit and delete, enable, disable) for connected resources?
- Can the solution validate that changes requested are correctly implemented in the target resource?
- Does the solution provide a web-based interface for administration and configuration?
- Does the product store provisioning values in its repository?
- Are provisioning activities recorded for audit purposes?
- Does the solution provide out-of-the-box connectors for the following categories of enterprise systems?
  - directories
  - databases
  - platforms
  - business applications
  - messaging applications
- Does the solution provide a toolkit for creating connectors for custom or homegrown applications?
- Is the connector architecture agentless?
- Does the solution allow transformation of data and execution of validation rules as part of the data load processing?

Provisioning and Help Desk Integration

To maximize your existing investments, your provisioning solution should be able to seamlessly integrate with third party systems, whether they are provisioning or help desk solutions. Be sure to evaluate the following integration capabilities.

Provisioning and Help Desk Integration Requirements | SailPoint | Other Vendor

- Can the system orchestrate changes to user access across multiple provisioning processes?
- Does the solution provide out-of-box integration with any third party automated provisioning systems?
- Can the system support the retrieval of entitlement information through provisioning connectors without the need to directly connect to the target system, if required?
- Does integration with automated provisioning systems use industry standards such as the service provisioning markup language (SPML) when supported by integrated systems?
- Does the solution support closed-loop validation of change requests through integration with a provisioning solution?
- Does the solution support retry?
- Can the solution detect and notify the appropriate manager when a previously revoked role or entitlement is replaced/comes back?
- Does the solution support separation-of-duty (SoD) or other access policy checking by provisioning before users are granted access?
- Does the solution support role exchange with automated provisioning systems (e.g., Oracle Identity Manager or IBM Tivoli Identity Manager)?
- Does the solution expose web services for integrating with a provisioning solution to bulk re-provision users based on role model changes?
- Can the solution evaluate the change request and construct a detailed set of entitlement level changes for the provisioning system?
- Can the solution monitor provisioning system audit logs and correlate this activity data to identities under management?
- Does the solution integrate with non-automated provisioning systems, such as help desk/service request systems?
- Does the solution support the automatic generation of tickets through service/help desk integrations?

Reporting and Analytics

The following questions can help you identify whether the solution under consideration can give you the information you need via dashboards and alerts while also enabling you to run queries and produce detailed reports.

Reporting and Analytics Requirements | SailPoint | Other Vendor

- Does the software include customizable user dashboards which highlight critical GRC activities and status within the enterprise?
- Do users have control over the content and presentation of their dashboard?
- Can users drill down from the dashboard into specific tasks and/or supporting data?
- Does the software include pre-defined reports out-of-the-box?
- Can users set specific parameters when running reports?
- Can the configuration of reports be saved for later recall?
- Does the software provide users with the ability to create and save ad hoc reports?
- Is a report scheduler provided that allows user-specified reports to be run on a regularly scheduled basis with results in ?
- Does the solution support saving reporting results in downloadable file formats (e.g., PDF, Excel or CSV)?
- Can the solution report on historical point-in-time access as well as current state?
- Does the software provide reports that are targeted towards proving compliance with various regulatory requirements (e.g., SOX, HIPAA, Basel II, PCI)?
- Does the application provide reports on certification activity?
- Can each report provide information filtered by certifier, application, department, cost center?
- Are policy enforcement reports provided which outline users with active policy violations?
- Can the application generate a report highlighting uncorrelated users across applications?
- Does the solution provide a report which outlines defined security risks by application?
- Does the application include an analytics interface for searching and analyzing identity and audit data?
- Can the solution trace activity back to the entitlement that granted the privilege and its associated identity?
- Does the solution provide a way to search on activity information according to various search parameters related to the system/activity and the target user base? For example, show all login activity on application Y for users in cost center 1139 with risk scores over 600.
- Does the application include a user-friendly dashboard, which highlights governance-relevant activities across the enterprise?
- Can users configure the presentation of information on the dashboard and is the personalized dashboard saved?
- Can users click-through the dashboard information into detailed information about tasks, users, risk analytics, etc.?
- Does the dashboard provide an Inbox that clearly indicates all required actions for the user?

Architecture and Platform

Here are some key criteria to consider when reviewing the core architecture and platform components of your identity governance solution.

Architecture and Platform Requirements | SailPoint | Other Vendor

- Does the solution allow for extensibility or configuration via a scripting language, API or other?
- Does the solution use standard programming language for the customization?
- Does the solution support web services?
- Does the vendor support and participate in standards efforts around identity management interoperability (e.g., XACML, SPML)?
- Does the solution provide pass-through authentication, leveraging existing authentication mechanisms to authenticate users?
- Does the solution support definition of user roles and assignment of internal access rights based on roles?
- Can the internal authorization model be customized?
- Can applications run in a clustered environment for load balancing and/or fail-over purposes?
- Does the application need to be modified to run in a load balanced or failover mode?
- Does the solution run on a wide variety of enterprise platforms, application servers and database combinations?
- Does the solution support running in a virtualized application environment such as VMware?
- Does the proposed solution provide rapid scalability from the proposed configuration to support future business growth?
- Is the solution available as a pre-configured appliance?

Configuration and Administration

In order to meet the unique requirements of your organization and IT infrastructure, you'll want to have the flexibility to customize workflows, processes, interfaces and more. Use this checklist to determine if the solution will meet your needs.

Configuration and Administration Requirements | SailPoint | Other Vendor

- Are the user interface and reporting templates (color, fonts, headers, footers, logos, etc.) extensible?
- Can the application's look-and-feel be customized?
- Does the application support end-user configuration of tables and charts?
- Are user preferences stored in between sessions?
- Does the solution provide a graphical user interface for defining and managing identity business processes and workflows?
- Does the solution provide standard/reference workflows?
- Does the solution enable the customization of workflows?
- Can workflows and the individual process steps within be instrumented to track performance?
- What utilities or capabilities exist for tracking requests, tracking workflow execution?
- Does the solution provide inline, GUI-based rule editing to allow for rapid definition or editing of configuration rules?
- Can any customizations or configurations be rolled forward in an upgrade?
- Can customizations be migrated between deployment environments (i.e., development, test, staging, and production)?
- Does the solution integrate with enterprise mail servers?
- Does the solution provide a batch scheduling utility?
- Can actions performed by users of the solution be audited?
- Does the solution timestamp all actions?


SailPoint IdentityIQ
Navigating Today's Security and Compliance Demands

SailPoint IdentityIQ is an innovative identity governance solution that alleviates the cost and complexity of meeting compliance requirements and managing user lifecycles. Traditional approaches to identity management treat governance and provisioning as separate initiatives, often managed by multiple, disjointed products. IdentityIQ, however, provides a unified approach that leverages a common identity governance framework to consistently apply business and security policy and role and risk models across all access-related activities.

With on-demand visibility into who has access to what, IdentityIQ equips enterprises to successfully address compliance mandates and governance requirements across the most complex IT environments. Its centralized intelligence and risk-based approach to managing user access provides transparency and strengthens controls. IdentityIQ automates access certifications, policy enforcement, and the end-to-end access request and fulfillment process.

[Diagram: SailPoint IdentityIQ. Labels: Compliance Manager, Lifecycle Manager, Governance Platform, Role Management, Policy Management, Risk Management, Provisioning Broker, Resource Connectivity, Provisioning Engine, Provisioning Integration Modules, Service Desk Integration Modules.]

Figure 2. SailPoint IdentityIQ is a business-oriented identity governance solution that delivers risk-aware compliance management and lifecycle management, identity intelligence, and user provisioning with a common governance framework for managing roles, risk and policy.

With Compliance Manager, you can:

- Reduce the cost of compliance by automating labor-intensive compliance processes
- Strengthen controls to address audit deficiencies or weaknesses
- Provide proof of compliance to internal and external auditors
- Ensure compliance and better manage risk during mergers, acquisitions, or divestitures
- Proactively detect and prevent inappropriate access and violation of corporate policy

SailPoint IdentityIQ Compliance Manager
Streamline Compliance and Improve Audit Performance

For many organizations, compliance is top of mind. So are the complex issues and the difficult and expensive processes that come with it. That's why so many organizations are thinking about streamlining. They're looking for ways to simplify processes and lower the costs of compliance while still ensuring the effectiveness and accuracy that auditors demand.

SailPoint IdentityIQ Compliance Manager takes a risk-aware approach to compliance that automates the common auditing, reporting and management activities associated with a compliance program, and integrates identity processes such as access certification and policy enforcement for the visibility that compliance demands. By taking a risk-aware approach to compliance, IdentityIQ Compliance Manager helps you to prioritize compliance activities and focus controls on the users, resources and access privileges that represent the greatest potential risk to your business and the greatest possibility of a failed audit.

[Diagram: Compliance Manager Delivers Visibility into and Control over Enterprise Access. Labels: Define Policy and Controls (DEFINE); Automate Controls (AUTOMATE): Access Certification, Policy Enforcement; Audit and Measure (AUDIT); Centralized Identity Data.]

Figure 3. Compliance Manager takes centralized identity data, applies automated controls such as access certifications and policy enforcement and then provides greater visibility through reports and customizable executive dashboards.

"As a publicly-traded company and financial services provider, we are subject to a variety of regulations including FISMA, SOX, PCI, and SAS 70. To meet these requirements, we are standardizing and automating our compliance processes for identity management, so that we can centrally control who gets access to sensitive resources and maintain compliance as the organization changes over time. This centralized and automated approach allows us to proactively address risk and more efficiently maintain a compliant, secure environment."
Jerry Archer, Chief Security Officer, Sallie Mae

COMPLIANCE MANAGER AT-A-GLANCE

Capability | Description
Access Certifications | Automate the entire certification process, provide reports, and enable closed-loop remediation.
Policy Enforcement | Creates policies, enforces separation-of-duty policy, scans and detects violations and initiates remediation when alerted.

With Lifecycle Manager, you can:

- Empower business users to independently request and manage access
- Enable business users to proactively change and/or reset passwords
- Speed delivery of access using automated event triggers (i.e., hires, transfers, moves, and terminations)
- Centralize access request and change processes across disparate last-mile provisioning processes
- Improve audit performance and risk posture with preventive policy enforcement
- Gain complete visibility to process execution and service-level monitoring
- Streamline IT operations and offload IT and help desk

SailPoint IdentityIQ Lifecycle Manager
Deliver Access Quickly, Securely and Cost-Effectively

In today's world of rapid, constant change, many organizations struggle to address the increased access demands of the business. Current solutions for requesting and managing user access are outdated and inefficient. Processes are disjointed and don't map succinctly to the core business processes driving changes within the enterprise.

SailPoint IdentityIQ Lifecycle Manager enables business users to directly participate through a business-friendly interface that allows them to request access. IdentityIQ applies policy to the provisioning process, ensuring that users only gain the most appropriate levels of access for their job function.

In addition to handling self-service access requests, Lifecycle Manager automatically detects lifecycle events (i.e., changes in employment status), through integration with authoritative sources such as HR systems and corporate directories. These changes initiate the required approval process and drive the requested change through Provisioning Broker for closed-loop access fulfillment. By centralizing and managing access request and change processes within the constraints of a pre-defined governance model, Lifecycle Manager enhances the organization's security and compliance posture and creates transparency for audit-related inquiries.

Lifecycle Manager Streamlines Policy-Driven Access Delivery

Self-Service Access Request:
1. Employee changes job
2. Manager adds appropriate business roles to shopping cart
3. IdentityIQ determines required data for check-out
4. IdentityIQ checks policy and routes change request for approval
5. IdentityIQ orchestrates changes across resources and provisions changes

Automated Lifecycle Management:
1. New employee joins company
2. HR department creates new employee record in HR system
3. IdentityIQ detects change event in HR System and determines appropriate access
4. IdentityIQ checks policy and routes change request for approval
5. IdentityIQ orchestrates changes across resources and provisions changes

Figure 4. Lifecycle Manager facilitates the delivery of access changes according to policy that are generated through an easy-to-use request interface or triggered by automatic lifecycle events.

"With SailPoint IdentityIQ, we have ample visibility into our company's identity data, which is critical for compliance and security initiatives. Providing our business users with an interface to request and validate access changes, and then automatically provision those changes, will increase the efficiency and effectiveness of the overall process. It's a win-win situation for both business and information security personnel."
Jeff Boatman, Information Security Manager, Tokyo Electron, U.S. Holdings

LIFECYCLE MANAGER AT-A-GLANCE

Capability | Description
Self-Service Access Request | Empowers business users to easily request and manage access through a policy-driven shopping cart interface.
Password Management | Supports end-user and delegated password change and reset using a simple, straightforward interface designed for business users.
Lifecycle Event Management | Automates changes to access across the lifecycle of a user (e.g., onboarding, promotion or transfer, offboarding).
Configurable Workflows | Facilitate the automated review and approval process to drive provisioning requests, ensure closed-loop access fulfillment and track all access approval activity for auditability.

With the Governance Platform, you can:

- Centralize technical identity data across resources and transform it into rich, business-relevant information
- Create, enforce and verify role-based access across diverse enterprise applications
- Prioritize compliance and security efforts by assessing the risk of each person, application and system resource across the environment
- Detect existing policy violations and prevent new ones from occurring
- Speed provisioning deployments by minimizing the need for custom code
- Orchestrate changes to user access across different last-mile provisioning processes

SailPoint IdentityIQ Identity Governance Platform
Establish a Centralized Framework for Identity Governance

Traditional approaches to identity management treat governance, compliance and provisioning as separate activities, making it costly, complex and burdensome to enforce access controls, carry out compliance initiatives and carry on the day-to-day work of meeting increasingly demanding service level requirements. A more innovative and effective approach is required to streamline all these efforts, one that allows compliance and provisioning processes to leverage a common framework for roles, policy and risk management.

The IdentityIQ Governance Platform centralizes identity data, captures business policy, models roles and mitigates risk to support all critical identity business processes. It also orchestrates how access changes are fulfilled by provisioning tools and other change processes at the resource layer. Together, these integrated capabilities allow organizations to build preventive and detective controls that support critical identity business processes, including access certifications, access requests, lifecycle management and provisioning.

[Diagram: Governance Platform Supports All Identity Business Processes. Labels: Provisioning Process, Request Access, Collect Data, Approve, Analyze/Audit, Compliance Process, Define Controls, Implement Controls, Review/Certify, Closed-Loop Audit, Grant/Remove, Provisioning Engine, Help Desk, IT Admin, Remediate.]

Figure 5. With SailPoint IdentityIQ, you get a unified approach leveraging a common identity governance framework to consistently apply business and security policy, role and risk models across all access-related activities including compliance and provisioning.

"By using roles to request, approve and certify user access privileges, BNSF will be able to simplify its user administration and compliance processes. SailPoint IdentityIQ will allow us to enforce and verify role-based access across our critical enterprise applications using a streamlined, automated approach."
Bart Boudreaux, Director, Technology Services, BNSF Railway

IDENTITY GOVERNANCE PLATFORM AT-A-GLANCE

Capability | Description
Identity Warehouse | Centralizes identity data across resources to provide the foundation for identity compliance and lifecycle management.
Role Management | Mines, models and manages roles to align access privileges with job functions.
Policy Management | Defines, detects and enforces policy during access request, certification and provisioning processes.
Risk Management | Assigns risk scores to users and systems based on multiple factors to strategically prioritize identity compliance activities.
Provisioning Broker | Encapsulates resource-specific provisioning policies and orchestrates changes to user access across disparate fulfillment processes.

With Provisioning Engine, you can:

- Speed the provisioning of access changes to your managed resources
- Reduce costs associated with managing access changes
- Improve compliance by implementing changes according to defined policy
- Generate documentation of your provisioning changes for auditors
- Streamline deployment with out-of-the-box connectivity to over 40 systems and a custom connector toolkit

SailPoint IdentityIQ Provisioning Engine
Automate Provisioning to Save Time and Reduce Operational Costs

With the rapid rate of change in today's enterprises, managing changes to user access with limited IT resources is a daunting task, but one that is essential to delivering value to the business and managing risk. Handling access changes efficiently is critical, because taking days or weeks to create account access manually is no longer an acceptable or affordable option.

The SailPoint IdentityIQ Provisioning Engine automates changes to target systems to speed delivery of access requests, changes or remediations requested by the business. This eliminates the need for IT to use slow, error-prone manual processes for provisioning. It's fully integrated with the other components of IdentityIQ and automatically responds to requests for changes triggered in either IdentityIQ Lifecycle Manager or Compliance Manager.

The IdentityIQ Provisioning Engine offers out-of-the-box connectivity to over 40 systems to enable rapid deployment and provides real-time provisioning of access changes to managed resources. All provisioning changes are implemented according to defined policy and documented to capture a detailed audit trail for future reference.

"The new service provides an open and flexible approach to the last mile of provisioning, the connector layer where changes are executed on IT resources, by supporting multiple techniques and processes for making changes to resources. This eliminates the hundreds of thousands of dollars organizations typically spend on last mile integrations."
"SailPoint Offers New Take on Provisioning," Network World, March 19, 2010

PROVISIONING ENGINE AT-A-GLANCE

Capability | Description
Data Synchronization | Detects and synchronizes account, entitlement and password changes across enterprise IT resources.
Extensive Connector Library | Provides connectors for over 40 enterprise applications, platforms, databases to speed deployment.
Custom Connector Toolkit | Supports deployment to custom applications.


The SailPoint Advantage
A Unified, Sustainable Approach to Identity Governance

Controlling user access in an increasingly complex, regulated and threatening environment is especially challenging when coupled with the pressure to streamline operations and contain costs.

We're working with our customers to deliver better information to make better decisions, so that the right allocation of resources can be made relative to risk. That's the underlying philosophy behind identity governance.

Knowledge is power. In the world of identity governance, power begins with knowing and assessing risks that come with granting access to your assets. Power grows stronger with your ability to automate controls that reduce or mitigate these risks. Power becomes meaningful with measuring the effectiveness of your controls and refining your risk model based on the feedback you receive. SailPoint IdentityIQ gives you both the knowledge and the power to identify risk, control access, see and understand your workforce actions, and use this knowledge to minimize security risks and strengthen controls.

Mark McClain, CEO and Founder, SailPoint

[Diagram: Key Elements of SailPoint's Approach. Labels: Business Context, Risk-Based Approach, Automated Controls, Unified Governance Model, 360º Enterprise Visibility.]

Figure 6. SailPoint is unique in its ability to provide a comprehensive identity governance solution that automates key identity compliance and user lifecycle processes, applies risk-aware controls, delivers cross-enterprise visibility and packages the information in a business-relevant format.

Innovations in Identity

SailPoint's 360-degree visibility into identity data, its ability to transform data into knowledge that is relevant to business users, and its risk-based focus that helps prioritize automated controls all combine to give you the power. You are able to make intelligent decisions during the request, review, approval and fulfillment processes even while you reduce compliance costs and resource burdens. SailPoint is unique in its ability to assess the risk of a user and assign a score that will help you prioritize your actions, along with its dashboards and powerful analytical tools that give you insights you can't get anywhere else.

With SailPoint, you can rest assured with the knowledge that any technology asset, application or person (including employees, contractors, vendors or partners) has the appropriate, secure access they require. That you are well positioned to meet compliance requirements and audit standards. And, that ultimately your organization is protected with the security it needs.

"SailPoint is competing and winning against some very large companies in the identity management market because of our innovative products, and our unmatched commitment to helping companies succeed with their compliance and security efforts. We're very focused on maintaining our high customer satisfaction levels, and have invested a significant amount of resources internally to make that possible."
Mark McClain, CEO and Founder, SailPoint

SailPoint is leading the identity management market with key innovations built upon:

- Unified governance model: Provides a unified solution for provisioning and compliance based on a common identity governance model.
- Risk-based approach: Enables organizations to better prioritize and focus internal controls and audits, ultimately reducing their compliance costs and resource burdens.
- 360-degree visibility into identity data: Delivers an on-demand, centralized view into identity and access data, providing the transparency needed to reduce potential security and compliance exposures and liabilities.
- Business-relevant identity management: Bridges the gap between business and IT by breaking down language barriers for more successful collaboration while automating key identity business processes such as compliance and user lifecycle management.

Managing the Business of Identity for the World's Largest Organizations

SailPoint helps the world's largest organizations to mitigate risk, reduce IT costs and ensure compliance. The company's award-winning software, SailPoint IdentityIQ, provides superior visibility into and control over user access to sensitive applications and data while streamlining the access request and delivery process. IdentityIQ is the industry's first business-oriented identity governance suite that quickly delivers tangible results with risk-aware compliance management, closed-loop user lifecycle management, flexible provisioning, an integrated governance model, and identity intelligence. Visit to learn more.


Glossary

A

Access Certifications: The periodic review of user access privileges in order to validate that access privileges align with a user's job function and conform to policy guidelines. Access certifications are commonly used as an internal control to ensure compliance with Sarbanes-Oxley and other regulations.

Access Control: The system controls and surrounding processes that grant or deny parties the capability and opportunity to access systems (i.e., gain knowledge of or to alter information or material on systems).

Access Management: Systems or processes used to control access to resources within an organization, such as files, applications, systems, devices, etc. Access management is often based on a role and rule evaluation system to grant or deny access to an object in the organization.

Access Privileges: The identified rights that a particular user has to a particular system resource, such as the right to access, view, modify, create, or delete.

Access Request: Systems or processes used to request new access, make changes to existing access, or remove access to resources within an organization.

Activity Monitoring: A means to monitor user actions (e.g., access to systems, modifications to data) using log data collected from systems or applications.

Aggregation: The collection of identity data from heterogeneous data sources into a single identity data repository.

Approval Workflow: Software that automates a business process for sending online requests to appropriate persons for approval. Approval workflow makes an approval business process more efficient by managing and tracking all of the human tasks involved with the process and by providing a record of the process after it is completed.

Attestation: Alternate term for access certification, the periodic review of user access privileges in order to validate that access privileges align with a user's job function and conform to policy guidelines.

Attribute: A single piece of information associated with a digital identity. Examples of an attribute are name, phone number, and institution affiliation.

Audit: The independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit Deficiency: Auditor's finding that an IT control is not effective. The term is commonly used in SOX audits to flag a control deficiency that could adversely affect the company's ability to report external financial data reliably.

Audit Log: A log that captures a record of events that have occurred within a system or application. For example, an audit log may contain all logins made to the system, the name of the persons making the logins, the time the logins occurred, etc.

B

Basel II: Recommendations issued by the Basel Committee on Banking Supervision on how much capital banks need to put aside to guard against different types of financial and operational risks.

Breach: The successful defeat of security controls, which could result in an unauthorized penetration of a system or application; a violation of controls of a particular system such that information assets or system components are unduly exposed.

C

Certification: See Access Certifications.

Compliance: Conforming to a specification or policy, standard or law that has been clearly defined. These laws can have criminal or civil penalties or can be regulations.

Continuous Compliance: Using processes and tools to meet compliance requirements in an automated, consistent, and predictable manner, rather than treating compliance as a one-time event.

Correlation: The process of combining identity data from disparate data sources into a common schema. Related identities can be linked automatically using correlation rules or manually using a tool to establish the correct links.

CSV: A comma separated values file is a data file used for the digital storage of data structured in a table of lists form, where each associated item (member) in a group is in association with others also separated by the commas of its set.

D

Dashboard: A business-oriented user interface that allows users to monitor the status of key operational performance metrics. Dashboards make granular data more accessible through the use of charts, graphs and reports with the ability to drill down into details for more analysis.

Detective Control: A procedure, possibly aided by automation, that is used to identify events (undesirable or desired), errors and other occurrences that an enterprise has determined to have a material effect on its business.

Directory: A shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.

E

Entitlement: A specific value for an account attribute, most commonly a group membership or a permission.

Entitlement Creep: An access control vulnerability that results from workers accruing access privileges over time through transfers, promotions, or simply through the normal course of business. When workers accrue entitlements beyond what they actually need to do their job, organizations become exposed to unnecessary business risks.

Entitlement Management: A mechanism for centrally defining the applications and services to which a user may be given authorization.

G

Gramm-Leach-Bliley Act (GLBA): Federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals. GLBA requires financial institutions to give customers written privacy notices that explain information-sharing practices.

Group: A collection of users to simplify access control to computer systems. Traditionally, groups are static: one defines a group by individually selecting its members. In dynamic groups, however, all users which match a specified search criteria will be considered a member of this dynamic group.

H

Hierarchical Role Model: In role-based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the employee role. Above this may be roles department manager and accountant, which inherit all permissions of the employee role.

HIPAA (Health Insurance Portability and Accountability Act): Federal legislation enacted in the United States to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. HIPAA mandates security mechanisms to ensure confidentiality and data integrity of any information that personally identifies an individual.

I

Identity Governance: A new category of identity management software that combines compliance management, role management, access request management and identity intelligence to improve accountability and transparency, better meet compliance mandates and manage the business risk associated with user access to critical applications and data.

Identity Management: The policies, rules, processes and systems involved in ensuring that only known, authorized identities gain access to networks and systems and the information contained therein. An identity management system enables organizations to facilitate and control their users' legitimate access to resources, while protecting information from unauthorized access or use.

Insider Threat: The potential risks of fraud, theft, sabotage, or privacy breaches that originate from workers inside an organization with access to sensitive applications and data.

Internal Controls: Processes designed to help organizations prevent and detect fraud and protect sensitive assets. Internal controls are usually a means by which an organization's processes and IT resources are reviewed, monitored, and measured.

L

Last-Mile Provisioning: The process for implementing changes on target resources based on user lifecycle changes.

LDAP (Lightweight Directory Access Protocol): Set of protocols for accessing information in directories. LDAP makes it possible for almost any application running on virtually any computer platform to obtain directory information.

Least Privilege: A concept that seeks to restrict a user's access (e.g., to data or applications) or type of access (e.g., read, write, execute, delete) to the minimum necessary to perform his or her duties.

M

Material Weakness: Auditor's finding that an IT control is severely deficient. The term is commonly used in SOX audits to indicate that a material misstatement of financials cannot be prevented or detected.

Model Audit Rule (MAR): A mandate effective January 1, 2010 that requires non-public insurers in the United States to prove that they have effective controls over the integrity of financial systems and data. Similar to Sarbanes-Oxley, MAR requires more transparency, tighter adherence to internal controls and better corporate governance.

N

NERC CIP: A framework developed to protect the ongoing reliability of the North American bulk power system that was approved in early The CIP standards require utilities to identify and secure their critical cyber assets.

O

Orphan Account: An account belonging to a user who has since left the organization. Orphan accounts are a direct result of failure to remove access privileges when workers terminate or transfer jobs and are a frequent focus for IT auditors looking for security risks.

P

Password: A form of secret authentication data that is used to control access to system services. It enables the holder of an electronic identifier to confirm that he or she is the person to whom the identifier was issued.

Password Management: Automation of the process for controlling the setting, resetting and synchronizing of passwords across systems.

Preventive Control: An internal control that is used to prevent undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on its business.

Payment Card Industry (PCI) Data Security Standard (DSS): A standard developed by the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.

Policy: An authoritative, prescribed set of rules for conducting business that may be defined by an organization or by the outcome of regulatory mandates.

Policy Enforcement: The set of preventive and detective controls that automatically ensure that defined policy is followed by the organization.

Policy Evaluation: Rules that automatically enforce policy by checking a new request for policy violations before granting it.

Provisioning: The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity.

R

Resource: A system, application, database, or other object under management by an identity management system.

Reassign: An action that transfers responsibility for a certification to a different reviewer.

Remediation: The act or process of remedying a compliance problem or issue, such as a policy violation.

Revocation: The act of removing a specified role or entitlement from a user based on a decision made by a reviewer during a certification.

Risk: The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur.

Risk Assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.

Risk Management: The total process of identifying, controlling, and mitigating risks.

Risk Mitigation: A process to reduce either the probability or the consequences of a threat. Risk mitigation options can include eliminating vulnerabilities; strengthening internal controls; or reducing the magnitude of adverse impacts.

Role: A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization.

Role Assignment: The process of granting roles to users.

Role-Based Access Control (RBAC): A model that limits user access based on the user's role within an organization.

Role Creation: The process of defining roles within a role model and mapping those roles to the appropriate set of access privileges based on business process and job function.

Role Certification: The periodic review of a role or roles in order to validate that the role contains the appropriate access privileges and that members of the role are correct. Role certifications are commonly used as an internal control and a way to prevent role proliferation.

Role Lifecycle Management: The process of automating role creation, modification, retirement; role approvals; role certifications; and role analytics.

Role Management: A new category of identity management software that focuses on the discovery, analysis, design, management, reporting, and distribution of roles and related policy.

Role Model: A schematic description of roles that defines roles and role hierarchies, subject role activation, subject-object mediation, as well as constraints on user/role membership and role set activation.

Rules: A set of prescribed guidelines that may be defined by an organization or by the outcome of regulatory mandates.

S

Sarbanes-Oxley Act (SOX): Also known as the Public Company Accounting Reform and Investor Protection Act, SOX is a law enacted in 2002 to protect investors by improving the accuracy and reliability of corporate financial disclosures. The regulation affects all companies listed on stock exchanges in the U.S.

Separation of Duty (SoD): An internal control designed to prevent fraud by ensuring that no one person has excessive control over one or more critical business transactions. Also sometimes called Segregation of Duties.

Self-Service: The process of allowing users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval.

Service Account: A type of shared account that is used for application-to-application communications when secured access must be granted by one system to another system.

Shared Account: An account that is shared by one or more users and is not associated with a particular person. Examples of shared accounts are system administration accounts such as Administrator or root and service accounts.

SIEM (Security Information and Event Management): Collects data about security-related events (typically from log files) into a central repository for trend analysis and reporting.

Single Sign-On (SSO): An authentication process where the user can enter one name and password and have access to more than one application or access to a number of resources within an enterprise.

Solvency II: A new risk-based regulatory framework that applies to all insurers in EU member states and takes effect in Solvency II seeks to instill risk awareness into the governance, operations, and decision-making of the European insurance business.

T

Transparency: The availability of full information required for accountability, risk management, and collective decision making.

U

User: Any person who interacts directly with a computer system.

User Lifecycle Management: The process for automating and managing user onboarding, promotions and transfers, and offboarding.


Resources

For further information about the area of identity governance, try these links to experts, websites and publications.

Websites

blog.sailpoint.com

Analysts

Burton Group
Provides in-depth, IT research and advisory services to executives and technologists at Global 2000 organizations with a focus on strategic business technologies and the unique needs of enterprise organizations.

Forrester
Identifies and analyzes emerging trends in technology and their impact on business.

Gartner
Provides research and analysis of the computer hardware, software, communications, and related information technology industries.

IDC
Provides data, analysis and advisory services on information technology (IT) markets, trends, products, vendors, and geographies.

Membership Organizations

(ISC)²
The global leader in educating and certifying information security professionals throughout their careers. A network of certified information security professionals. Members have access to current industry information, networking opportunities, discounts on industry conferences and valuable career tools.

National Institute of Standards and Technology (NIST)
NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

OASIS
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. The consortium produces more Web services standards than any other organization along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries.

Magazines

CIO Magazine
Resources for Chief Information Officers. Technology executives can find articles, research, events, and CIO communities.

CISO Handbook
CISOHandbook.com is a resource site for CISOs, CSOs, and security professionals. A place where security executives, managers, and practitioners can share ideas, challenges and opportunities associated with developing, participating, or managing Enterprise Security Programs.

CSO Magazine
Provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.

ISACA Journal
ISACA and its affiliated IT Governance Institute lead the information technology control community and serve its practitioners by providing the elements needed by IT professionals in an ever-changing worldwide environment.

Network World
A provider of information, intelligence and insight for Network and IT Executives. With an editorial focus on delivering news, opinion and analytical tools for key decision makers who architect, deploy and manage business solutions.

SC Magazine
Aims to provide IT security professionals with in-depth and unbiased information. Each monthly issue contains news, analysis, features, contributions from thought leaders and product reviews. Established in 1989, it is the longest established IT security title in the United States.

Recommended Reading

General Purpose RBAC Standards
American National Standard is the fundamental Information Technology industry consensus standard for RBAC. In 2000, NIST proposed a unified model for RBAC, based on the Ferraiolo-Kuhn (1992) model, in the framework developed by Sandhu et al (1996). The model was further refined within the RBAC community and has been adopted by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS
Related Resources:
Tutorial-style explanation of the NIST model used in the standard:
ANSI/INCITS standard (link to ANSI/INCITS site):

Insider Threat Research by CERT
CERT is an organization devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks, accidents, or failures. CERT is located at the Software Engineering Institute (SEI), a federally-funded research and development center (FFRDC) operated by Carnegie Mellon University. CERT has conducted extensive insider threat research focusing on both technical and behavioral aspects of actual compromises. They produce models, reports, training, and tools to raise awareness of the risks of insider threat and to help identify the factors influencing an insider's decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization.

Risk Management Guide for Information Technology Systems
This guide, provided by NIST, provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks. The NIST guidelines cover IT risk management assessment and mitigations.


Contact SailPoint

SailPoint: Your Partner for the Identity Governance Journey

For more information or advice on how to navigate the path to Identity Governance contact us:

USA Phone: Toll-free: SAILPT
UK Phone:

SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies


Cisco s Digital Transformation Supply Chain for the Digital Age

Cisco s Digital Transformation Supply Chain for the Digital Age Cisco s Digital Transformation Supply Chain for the Digital Age The Cisco Supply Chain: Global, Complex, and Diverse Cisco s global supply chain extends across 13 countries and more than 25 locations.

More information

BlackLine Compliance

BlackLine Compliance BlackLine Compliance The Compliance Imperative Compliance and Internal Audit teams are facing a complex regulatory and operating environment. Many teams are under significant cost pressure to improve efficiency

More information

Service management solutions White paper. Six steps toward assuring service availability and performance.

Service management solutions White paper. Six steps toward assuring service availability and performance. Service management solutions White paper Six steps toward assuring service availability and performance. March 2008 2 Contents 2 Overview 2 Challenges in assuring high service availability and performance

More information

Achieving Application Readiness Maturity The key to accelerated service delivery and faster adoption of new application technologies

Achieving Application Readiness Maturity The key to accelerated service delivery and faster adoption of new application technologies WHITE PAPER Achieving Application Readiness Maturity The key to accelerated service delivery and faster adoption of new application technologies Achieving Application Readiness Maturity Executive Summary

More information

BUYER S GUIDE: CUSTOMER IDENTITY & ACCESS MANAGEMENT (CIAM)

BUYER S GUIDE: CUSTOMER IDENTITY & ACCESS MANAGEMENT (CIAM) BUYER S GUIDE: CUSTOMER IDENTITY & ACCESS MANAGEMENT (CIAM) SHIFTING MARKETPLACE Over the last few years, there s been a major shift in requirements for enterprises managing customer identities. This shift

More information

OIC LLC is our Oracle Partner name. It stands for Oracle Independent Consultants (OIC) LLC.

OIC LLC is our Oracle Partner name. It stands for Oracle Independent Consultants (OIC) LLC. OIC FAQ This document contains some of our Frequently Asked Questions (FAQ). We also include links to Oracle resources, which may require you to log in Oracle Partner Network (OPN). All OIC Contractors

More information

Infor PM 10. Do business better.

Infor PM 10. Do business better. Infor PM 10 Infor PM is designed for companies in all industries that seek to better monitor, measure, and manage their business performance in real time. Do business better. The speed, complexity, and

More information

DFS-Sphere Human Resources Automation Efficient processes, Compliance and Audit Trails: Keys to Success

DFS-Sphere Human Resources Automation Efficient processes, Compliance and Audit Trails: Keys to Success DFS-Sphere Human Resources Automation Efficient processes, Compliance and Audit Trails: Keys to Success Introduction Human resources is an ever-evolving business function. The number one pain HR professional

More information

Human Capital Management

Human Capital Management Human Capital Management A complete solution for creating and engaging a diverse workforce @ (800) 579-9529 www.paytime.com EMPLOYMENT ELIGIBILITY VERIFICATION Imagine a full suite of automated, scalable

More information

invest in leveraging mobility, not in managing it Solution Brief Mobility Lifecycle Management

invest in leveraging mobility, not in managing it Solution Brief Mobility Lifecycle Management MOTOROLA MOBILITY LIFECYCLE MANAGEMENT invest in leveraging mobility, not in managing it If you have any doubt about the impact of mobility on your future, consider this: In a recent Broadsoft survey of

More information

INFOR PM 10 DO BUSINESS BETTER. LEVERAGE EXPERIENCE.

INFOR PM 10 DO BUSINESS BETTER. LEVERAGE EXPERIENCE. Infor PM is designed for companies in all industries that seek to better monitor, measure, and manage their business performance in real time. INFOR PM 10 DO BUSINESS BETTER. The speed, complexity, and

More information

Achieve Continuous Compliance via Business Service Management (BSM)

Achieve Continuous Compliance via Business Service Management (BSM) Achieve Continuous Compliance via Business Service (BSM) Brian Holmes, CISA Solutions Consultant BMC Software Agenda Introduction Compliance: The Business Driver Challenges of IT Compliance Business Service

More information

Secure information access is critical & more complex than ever

Secure information access is critical & more complex than ever WHITE PAPER Purpose-built Cloud Platform for Enabling Identity-centric and Internet of Things Solutions Connecting people, systems and things across the extended digital business ecosystem. Secure information

More information

Quantifying the Value of Investments in Micro Focus Quality Center Solutions

Quantifying the Value of Investments in Micro Focus Quality Center Solutions Dynamic Value Brief Application Delivery Management Quantifying the Value of Investments in Micro Focus Quality Center Solutions Manage software testing and IT quality management with consistent processes

More information

Data Integration for the Real-Time Enterprise

Data Integration for the Real-Time Enterprise Solutions Brief Data Integration for the Real-Time Enterprise Business Agility in a Constantly Changing World Executive Summary For companies to navigate turbulent business conditions and add value to

More information

Thomson Reuters Regulatory Change Management

Thomson Reuters Regulatory Change Management Thomson Reuters Regulatory Change Management TRACK AND MANAGE THE IMPACT OF REGULATORY CHANGE 2 Thomson Reuters Regulatory Change Management provides your organization with enhanced mapping capabilities

More information

3 STEPS TO MAKE YOUR SHARED SERVICE ORGANIZATION A DIGITAL POWERHOUSE

3 STEPS TO MAKE YOUR SHARED SERVICE ORGANIZATION A DIGITAL POWERHOUSE GUIDE 3 STEPS TO MAKE YOUR SHARED SERVICE ORGANIZATION A DIGITAL POWERHOUSE www.celonis.com IN THIS GUIDE Shared-service organizations (SSOs) are about to get a digital upgrade. For decades, SSOs have

More information

Integrated IT Management Solutions. Overview

Integrated IT Management Solutions. Overview Integrated IT Management Solutions Overview freedommanage IT, The Numara FootPrints family of IT Management products and solutions streamline, automate and improve IT operations. They have been designed

More information

HQX HQX. HQXchange Is Your Single Comprehensive EDI Platform

HQX HQX. HQXchange Is Your Single Comprehensive EDI Platform HQX HQX TM TM HQXchange Is Your Single Comprehensive EDI Platform The industry leading 1 EDI Source flagship EDI software solution EDI HQ is now even more powerful with HQXchange (HQX). HQX is a new innovative

More information

Unified Employee Desktop. Best Practice Guide

Unified Employee Desktop. Best Practice Guide Unified Employee Desktop Best Practice Guide Table of Contents Introduction... 3 1. Decide Where to Start... 4 2. Design Your Process... 4 3. Deploy Your Integration Strategy... 5 4. Use Contextual Knowledge

More information

Driving Radical Customer Service Innovation Move beyond operational demands to deliver proactive strategies that drive business growth

Driving Radical Customer Service Innovation Move beyond operational demands to deliver proactive strategies that drive business growth Driving Radical Customer Service Innovation Move beyond operational demands to deliver proactive strategies that drive business growth START 1 Partnering for success IT leaders stand at a crossroads continue

More information

The power of the Converge platform lies in the ability to share data across all aspects of risk management over a secure workspace.

The power of the Converge platform lies in the ability to share data across all aspects of risk management over a secure workspace. Converge Platform The transition to value-based care is breaking down the barriers between the CNO, CMO, and Chief Legal Counsel in managing enterprise risk. It s time to take a proactive systems approach

More information

A buyer s guide to data-driven HR. Which approach is best for you?

A buyer s guide to data-driven HR. Which approach is best for you? A buyer s guide to data-driven HR Which approach is best for you? You know where you want to go. Now pick your route. Smart organizations know that they need to use their HR data to do big, important things.

More information

VULNERABILITY MANAGEMENT BUYER S GUIDE

VULNERABILITY MANAGEMENT BUYER S GUIDE VULNERABILITY MANAGEMENT BUYER S GUIDE VULNERABILITY MANAGEMENT BUYER S GUIDE 01 Introduction 2 02 Key Components 3 03 Other Considerations 10 About Rapid7 11 01 INTRODUCTION Exploiting weaknesses in browsers,

More information

Brochure. Information Management & Governance. Find and Control Enterprise Content. Micro Focus ControlPoint

Brochure. Information Management & Governance. Find and Control Enterprise Content. Micro Focus ControlPoint Brochure Information Management & Governance Find and Control Enterprise Content Micro Focus ControlPoint Brochure Find and Control Enterprise Content Micro Focus ControlPoint: A Better Way to Manage Data

More information

Identity and Access Management

Identity and Access Management Chapter 2 Identity and Access Management There are many configurations of identity and access management (IAM) systems, and to some extent, each organization s IAM system will be unique, developed and

More information

Workforce Dimensions

Workforce Dimensions Workforce Dimensions Built from the ground up to manage the workforce of the future today Welcome to the Future of Workforce Management Breakthroughs in technology affect nearly every dimension of our

More information

EDI. Buyer s Guide. Finding the Best Total Solution for Your Business

EDI. Buyer s Guide. Finding the Best Total Solution for Your Business EDI Buyer s Guide Finding the Best Total Solution for Your Business TABLE OF CONTENTS Introduction 2 EDI 101 3-4 Selecting the Right Solution 5-7 Product Decision Making Process 8 About 1 EDI Source 9

More information

Reinforcing the Three Lines of Defense SAP software for risk management, process control, and audit management

Reinforcing the Three Lines of Defense SAP software for risk management, process control, and audit management Reinforcing the Three Lines of Defense SAP software for risk management, process control, and audit management Three Lines of Defense Building confidence and trust The three-lines-of-defense framework,

More information

10/16/2018. Kingston Governance, Risk, and Compliance

10/16/2018. Kingston Governance, Risk, and Compliance 10/16/2018 Kingston Governance, Risk, and Compliance Contents Contents... 4 Domain separation in... 8 Policy and Compliance Management...9 Understanding Policy and Compliance Management... 10 Risk Management...87

More information

An Overview of the AWS Cloud Adoption Framework

An Overview of the AWS Cloud Adoption Framework An Overview of the AWS Cloud Adoption Framework Version 2 February 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes

More information

IBM Sterling B2B Integrator

IBM Sterling B2B Integrator IBM Sterling B2B Integrator B2B integration software to help synchronize your extended business partner communities Highlights Enables connections to practically all of your business partners, regardless

More information

RSA ARCHER IT & SECURITY RISK MANAGEMENT

RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, anti-virus, intrusion prevention systems, intrusion

More information

Simple, Scalable, Real-time Protection

Simple, Scalable, Real-time Protection Data Sheet Simple, Scalable, Real-time Protection Practical Content Security With Egnyte Protect, companies can quickly find and safeguard the content that matters most. It is simple to use, requires almost

More information

5 Important Questions to Ask Potential BPM Vendors

5 Important Questions to Ask Potential BPM Vendors 5 Important Questions to Ask Potential BPM Vendors By Tripp Solomon, Product Marketing Manager GETTING STARTED WITH YOUR BPM INITIATIVE There are many elements to consider when embarking on a Business

More information

U.S. Bank Access Online

U.S. Bank Access Online U.S. Bank Access Online Overview U.S. Bank Access Online provides organizations with real time access to their commercial card programs anywhere, anytime, within a secured environment. This powerful proprietary

More information

REALIZING THE POTENTIAL FROM FINANCIAL ANALYSIS APPLICATION INVESTMENTS

REALIZING THE POTENTIAL FROM FINANCIAL ANALYSIS APPLICATION INVESTMENTS REALIZING THE POTENTIAL FROM FINANCIAL ANALYSIS APPLICATION INVESTMENTS A STAR ANALYTICS BUSINESS WHITE PAPER CONTENTS Introduction: The Evolution Of Financial Analysis... 2 The Business Problem... 2 The

More information

Enterprise Compliance Management for Credit Unions

Enterprise Compliance Management for Credit Unions Enterprise Compliance for Credit Unions Streamline Regulatory Compliance with a Unified Platform to Manage Requirements and Demonstrate Compliance to Regulators Industry Challenge Credit unions are subject

More information

Securing the Mobile, Cloud-connected Enterprise

Securing the Mobile, Cloud-connected Enterprise Securing the Mobile, Cloud-connected Enterprise What is a Mobile, Cloud-connected Enterprise? The rise of mobile users and apps, coupled with the continued growth in software as a service (SaaS), has transformed

More information

Top 35 Reasons You Need Contact Center Performance Management

Top 35 Reasons You Need Contact Center Performance Management Top 35 Reasons You Need Contact Center Performance Management February 2014 Sponsored by: - 1 - DMG Consulting LLC Table of Contents Introduction... 1 Real-Time and Historical CCPM... 1 Top Reasons to

More information

IBM Tivoli Endpoint Manager for Lifecycle Management

IBM Tivoli Endpoint Manager for Lifecycle Management IBM Endpoint Manager for Lifecycle Management A single-agent, single-console approach for endpoint management across the enterprise Highlights Manage hundreds of thousands of endpoints regardless of location,

More information

Identity Management Solutions for Oracle E-Business Suite. An Oracle White Paper January 2008

Identity Management Solutions for Oracle E-Business Suite. An Oracle White Paper January 2008 Identity Management Solutions for Oracle E-Business Suite An Oracle White Paper January 2008 NOTE: The following is intended to outline our general product direction. It is intended for information purposes

More information

IBM Service Management Buyer s guide: purchasing criteria. Choose a service management solution that integrates business and IT innovation.

IBM Service Management Buyer s guide: purchasing criteria. Choose a service management solution that integrates business and IT innovation. IBM Service Management Buyer s guide: purchasing criteria Choose a service management solution that integrates business and IT innovation. Close the integration gap between business and IT innovation According

More information

The SAM Optimization Model. Control. Optimize. Grow SAM SOFTWARE ASSET MANAGEMENT

The SAM Optimization Model. Control. Optimize. Grow SAM SOFTWARE ASSET MANAGEMENT The Optimization Model Control. Optimize. Grow The Optimization Model In an ever-changing global marketplace, your company is looking for every opportunity to gain a competitive advantage and simultaneously

More information

Spotlight: Robotic Process Automation (RPA) What Tax needs to know now

Spotlight: Robotic Process Automation (RPA) What Tax needs to know now May 2017 Spotlight: Robotic Process Automation (RPA) What Tax needs to know now The emergence of smart robotic process automation changes the game: Intelligent Automation in the Digital Age Business process

More information

Enterprise Performance Management Bridging the Gap from Strategy to Operations

Enterprise Performance Management Bridging the Gap from Strategy to Operations Enterprise Performance Management Bridging the Gap from Strategy to Operations A White Paper by Guident Technologies, Inc. Adam Getz Business Intelligence Architect May, 2007 2007 Guident 1 Summary In

More information

Efficient Support for Internal Control Systems via a GRC Software Platform

Efficient Support for Internal Control Systems via a GRC Software Platform Expert Paper Platform Expert Paper A blueprint for success in an increasingly regulated business environment Efficient Support for Internal Control Systems via a GRC Software Platform www.ids-scheer.com

More information

Project and Process Tailoring For Success

Project and Process Tailoring For Success Project and Process Tailoring For Success 1 Key Learning Objectives Demonstrate how project/process tailoring can decrease cost by aligning process intensity with project risk and complexity Provide a

More information

Oracle Fusion Human Capital Management

Oracle Fusion Human Capital Management Oracle Fusion Human Capital Management STRATEGIC GLOBAL HUMAN CAPITAL MANAGEMENT KEY FEATURES Support for multiple work relationships that employees or contingent workers may have with multiple legal employers,

More information

Agile Risk Assessment Reinventing RCSAs

Agile Risk Assessment Reinventing RCSAs POINT OF VIEW Agile Assessment Reinventing RCSAs The Building Blocks of Agile Management Protiviti s Agile Management philosophy enables organizations to focus on growth, improve efficiency and become

More information

CENTRE (Common Enterprise Resource)

CENTRE (Common Enterprise Resource) CENTRE (Common Enterprise Resource) IT Service Management Software designed for ISO 20000 ITSM ISO/IEC 20000 is the international IT Service Management (ITSM) standard that enables IT organizations (whether

More information

Verint Engagement Management Solution Brief. Overview of the Applications and Benefits of

Verint Engagement Management Solution Brief. Overview of the Applications and Benefits of Verint Engagement Management Solution Brief Overview of the Applications and Benefits of Verint Engagement Management November 2015 Table of Contents Introduction... 2 Verint Engagement Management Advantages...

More information

A BUYER S GUIDE TO CHOOSING A MOBILE MARKETING PLATFORM

A BUYER S GUIDE TO CHOOSING A MOBILE MARKETING PLATFORM A BUYER S GUIDE TO CHOOSING A MOBILE MARKETING PLATFORM A Buyer s Guide to Choosing a Mobile Marketing Platform Today, mobile users are demanding more from their app experiences, and the priority is clear:

More information

The Five Critical SLA Questions

The Five Critical SLA Questions STERLING COMMERCE WHITE PAPER The Five Critical SLA Questions What you need to know before you define your managed file transfer service level agreements Introduction A Service Level Agreement (SLA) is

More information