A BUYER’S GUIDE SECOND EDITION Selecting the Right Identity Governance Solution


Contents

Smooth Sailing Ahead: About this Guide (p. 5)

Go the Distance: Crafting a Long-Term, Sustainable Identity Strategy (p. 7)

Sail to Win: Taking on Real-World Business Challenges (p. 11)

Know the Ropes: Understanding Your Needs and Choosing Your Path (p. 17)

Move Full Speed Ahead: Selecting the Right Solution (p. 23)

SailPoint IdentityIQ™: Navigating Today’s Security and Compliance Demands (p. 41)

The SailPoint Advantage: A Unified, Sustainable Approach to Identity Governance (p. 47)

Glossary (p. 50)

Resources (p. 56)

Contact SailPoint: Your Partner for the Identity Governance Journey (p. 60)


Smooth Sailing Ahead

About this Guide

A successful identity governance strategy can move your organization toward sustainable compliance, reduced risk, improved service levels and lower operational costs. This guide is designed to help ensure a smooth, speedy journey all along the way. It covers everything from building a solid understanding of today’s business goals, reviewing the available choices, and planning for and selecting a technology solution. Designed as a workbook, with checklists and targeted, detailed information, it’s a practical tool that you can use to build a request for proposal (RFP) and conduct a side-by-side product analysis.

In the pages that follow, we show how identity governance can be a powerful force for risk management and business improvement on several levels. We present typical concerns and issues that identity governance can address. We introduce you to pathways to implementing solutions. And we help you assess your functional priorities — with checklists that can help make sure you don’t overlook anything.

As we wrap up, we provide a quick introduction to SailPoint IdentityIQ™, our complete identity governance solution, a glossary of terms that can help you understand identity governance in still more detail, and a list of resources where you can find additional information. We hope you find reading this guide a useful step on your journey to identity governance. Give us a call when you’re ready to move ahead!

Kevin Cunningham, President and Founder, SailPoint


Go the Distance

Crafting a Long-Term, Sustainable Identity Strategy

In the last few years, identity management market requirements and business priorities have evolved rapidly. For those of you living through these changes, it has become tougher than ever to make the right decisions about your strategy and technology choices. The answer to yesterday’s technology demands may not be the answer to today’s complex business challenges. Ten years ago, when automated provisioning solutions were first brought to market, organizations were focused on automating and streamlining user administration across systems and applications. Enterprises still seek these same benefits today — operational efficiency, cost reduction, and business agility — but these business drivers have been overshadowed in the last few years by the urgent need to address regulatory compliance mandates. In truth, organizations need to address both of these business requirements — in a sustainable and cost-effective manner.

Faced with today’s multi-faceted challenges, the right identity management approach should be formulated with a long-term view in mind. Identity management must address immediate security, compliance, and service delivery requirements, but at the same time it must be part of a long-term strategy for business improvement. For example:

• By treating identity management as an extension of core business processes, organizations can ensure that IT and business users work together to manage organizational risks.

• As compliance becomes an everyday fact of business life, identity solutions can help improve not only the effectiveness, but also the efficiency, of an organization’s compliance processes.

• With constant and continuous enforcement of access policy across all identity processes, organizations can achieve ongoing, sustainable compliance.

As organizations move toward long-term, sustainable identity strategies, it’s important not to lose sight of the fundamental challenges associated with identity management. Threats to business information and technology infrastructures haven’t gone away and must be carefully managed. Compliance is a constant and growing requirement. And controlling access to sensitive data remains a high priority, so that questions like these continue to persist for IT and business leaders:

• Am I adequately safeguarding information assets and sensitive data?

• How can I prevent and detect fraud, misuse, or unauthorized access?

• Can I confidently attest to the adequacy of internal controls?

• Can I cost-effectively meet and prove compliance with regulatory requirements?

“Due to shrinking operating budgets and the need for more continuous compliance exercises, enterprises are searching for ways to reduce costs and access-related risks at the same time. Expensive episodic compliance exercises are giving way to continuous cost-sustainable compliance processes.”

Ian Glazer, Analyst, Burton Group, Market Profile: Identity Management 2010, May 17, 2010


“Identity and access management is finally beginning to grow up and bridge some of the gaps between what the enterprise needs and what IT can do for them. In governance, risk and compliance management, for example, strong access controls coupled with access request, approval and review processes are needed by the business to enable them to fully realize value from their policies, guidelines and practices. This is particularly the case for managing risk. Those IAM solutions that provide the business bridge between IAM and GRC management staff will play a significant role in enterprise access needs of the future.”

Earl Perkins, Research Vice President, Gartner, Inc., November 9, 2009

A Concern for the Entire Organization

What makes the preceding questions particularly challenging is the fact that identity management today is more than a technology issue — it’s a business issue. To truly protect information assets from security threats and breaches, enforce corporate policy and meet compliance requirements, organizations must embrace a new approach to identity management — with the needs of governance and compliance in mind.

This evolution involves four critical shifts in your approach:

• Better alignment of business and IT: Identity management must be viewed as a business issue as much as it is a technology issue. IT and business users need to work together to define policy and controls, monitor the effectiveness of controls, and better manage organizational risk. To this end, key identity business processes, including compliance and user lifecycle management, must be seamlessly integrated.

• Greater visibility and transparency: Organizations must adopt an approach that gives them centralized “business intelligence” over identity data. This means merging all critical sources of identity information into a “single version of the truth” for better accountability and oversight.

• Consistency and repeatability: It’s more important than ever to apply centralized, automated controls and policy to key identity business processes. Adding consistency and repeatability will allow organizations to strengthen controls, work more efficiently, and sustain compliance over the long-term.

• Risk-based approach and prioritization: Organizations must optimize their time and resources by focusing internal controls and audits on the most critical areas. This ultimately reduces costs and preserves needed resources.

An Imperative for Business Today

Now, with the next generation of identity management solutions focused on these issues, organizations can enforce and verify that the right controls are in place to meet industry, regulatory and audit requirements. Organizations need identity governance, an integrated approach that embeds governance and risk management into core identity business processes. It’s an approach that provides a business-friendly layer linking business users and processes to underlying technology and technical users. And, one that improves quality of information and decision-making for all stakeholders.


A Common Governance Model

Traditional approaches to identity management treat governance and provisioning as separate activities, making it costly, complex and burdensome to enforce access controls, carry out compliance initiatives and carry on the day-to-day work of meeting increasingly demanding service level requirements. A more innovative and effective approach is required to streamline all of these efforts — one that allows compliance and provisioning processes to leverage a common governance framework for roles, policy and risk management.

Tools for Identity Governance

Finding the right combination of risk-aware identity controls, compliance and user lifecycle automation tools, and personalized reporting and analytics tools will help you to better protect your organization and its critical assets. Identity governance solutions include the following key components:

• Data Aggregation and Correlation: Integrate identity data from disparate IT resources to create a foundation for identity governance.

• Access Certification: Automate and optimize the review and certification of user access privileges to save significant time and money.

• Role Management: Simplify business and IT role creation and lifecycle management activities.

• Policy Scanning and Violation Detection: Automatically scan users and their existing access for violations of defined business policies to ensure that audit and legal requirements are met across all critical application environments.

• Risk Modeling: Analyze, manage and mitigate risk with visibility into key risk metrics. Track progress over time and provide quantifiable proof of enhanced security and reduced risk to the business.

• Access Request and Identity Lifecycle Management: Centralize self-service access request and automated lifecycle event processes.

• Password Management: Enable users to securely reset their own passwords on multiple systems without help desk involvement.

• Automated Provisioning: Automate changes to user access within connected IT resources based on access requests, role model changes or remediations from certifications.

• Reporting and Analytics: Put identity and access data within easy reach of your business and technical users through configurable dashboards, reports, and ad hoc queries.


Sail to Win

Taking on Real-World Business Challenges

Identity governance has become a strategic imperative for organizations of all sizes. Companies ranging from large, multi-national enterprises to smaller growing businesses must address increasing requirements to protect and govern access to critical applications, systems and databases within the IT environment. Identity governance plays a critical role in enabling organizations to inventory, analyze and understand the access privileges granted to their employees — and to be ready to answer the critical question: “Who has access to what?”

At the same time, today’s fast-paced environment demands faster and higher levels of service delivery. New employees and contractors come on board daily, and they need access to enterprise resources right away. Current users’ responsibilities change, or their relationship with the enterprise ends, and the organization needs to quickly modify or revoke their access. For IT staff, the challenge becomes how to meet service-level demands while enforcing policy and security, maintaining stringent controls and addressing compliance requirements.

Because there are many different business drivers for identity governance, you may wonder how and when to put the different components of a solution in place. The answer depends on your business priorities and the immediate challenges facing your organization.

As a first step, you should step back and assess your most urgent issues. You have to understand what you want your identity governance solution to help you achieve. Here are some common business goals that can help you determine your own unique priorities:

• Lower the cost of compliance

• Improve delivery of access to the business

• Reduce the cost of delivering access across the enterprise

• Address shortcomings with existing provisioning systems

• Eliminate audit deficiencies and improve audit performance

• Manage access risk during mergers, acquisitions, divestitures and layoffs

So let’s begin by looking at the business drivers for identity governance — the goals organizations most frequently hope to achieve with their implementation.


Lower the Cost of Compliance

Compliance can be complex, difficult — and, as a result, costly. Meeting the various industry and regulatory mandates requires auditors to regularly review and certify user access privileges. This leaves many companies constantly battling with error-prone and inefficient processes such as manually generating access reports and manually remediating inappropriate user access privileges.

Symptoms that you need to cut compliance costs include:

• Building or leveraging multiple, homegrown solutions to handle audit and compliance needs;

• Hiring a full-time staff or consultants to handle compliance projects like access certifications and SoD policy enforcement; and

• Using inefficient tools like spreadsheets and email to drive manual compliance processes.

Getting better control of your identity and access data, including centrally defining policy and automating your access certification process, means replacing expensive paper-based and manual processes with automated tools. Not only can you significantly reduce the cost of compliance, you can also establish repeatable practices for a more consistent, auditable, reliable and easier to manage access certification effort.

If you struggle to effectively implement compliance processes and integrate them into your systems and infrastructure, identity governance might be the launching pad you need to improve your effectiveness and reduce the costs of sustainable compliance.

Improve Delivery of Access to the Business

Given the fast-paced environment of business today, IT organizations are challenged to improve service delivery across identity management processes. Users cannot wait days, or weeks, for access to systems required to perform their job duties. Similarly, organizations cannot tolerate huge gaps in deprovisioning access when a user changes positions or is terminated. Changes to user access must be performed in near-real time, while remaining a controlled, visible, and auditable process.

The current state of identity management in most organizations makes it almost impossible to provide consistent and effective service levels to the business due to the following challenges:

• Heavy utilization of manual access request and change processes;

• Inability to apply preventive audit controls to ensure access is granted according to pre-established policy; and

• Lack of coordination between service-level requirements across disparate provisioning processes.

If you’re ready to discover an easier, more cost-effective way to deliver access to the business, identity governance can provide the solution. By providing an integrated approach that leverages business-friendly self-service access request tools and automated lifecycle event triggers, identity governance can streamline the delivery of user access across your organization. It also provides a framework for managing changes to user access based on a pre-defined and pre-approved governance model to ensure that changes are made according to policy.

“Compliance is expensive. I need to get my costs under control.”

“I can’t seem to keep up with the incoming requests for managing user access across the organization. There’s got to be a better way!”


Reduce the Cost of Delivering Access across the Enterprise

Managing the complex relationships between thousands of users and millions of access privileges continues to be a daunting and expensive task for most organizations. Changes to user access are initiated, approved and implemented using fragmented, disjointed processes. Coupled with the fact that in most organizations, the processes and tools used to request or change user access are highly manual, the result is inefficient and costly execution of access requests and changes.

Does your organization wrestle with the following problems when fulfilling access changes across enterprise IT systems?

• Multiple front-end processes are used by the business to request new or change existing access privileges;

• Manual processes are required to facilitate changes to user access; and

• Different provisioning/deprovisioning processes are used for different applications.

If these situations sound familiar, it’s time to take a different approach. By centralizing your approach to delivering access across disparate IT resources, you can reduce the costs associated with managing the initiation and fulfillment of access requests and changes. By empowering end users (employees and managers) to manage access through self-service, business-friendly tools, you can reduce the workload on Help Desk and IT Operations teams.

Automated identity lifecycle events can be used to reduce the number of self-service requests initiated by business users, by automatically triggering changes to access based on changes to identity attributes (e.g., employment status and manager changes). In addition, by selectively automating the entire process for certain resources, including the “last mile” fulfillment process, additional cost savings can be generated.

Address Shortcomings with Existing Provisioning Systems

Many organizations have invested in a user provisioning solution only to find that it does not meet their needs, or more importantly, in the case of Sun Identity Manager, will no longer be supported in the future. It may be time to reevaluate your options if you find yourself facing these issues with provisioning:

• Your project is behind schedule and over budget;

• You lack the necessary coverage for applications;

• You have compliance weaknesses related to ineffective off-boarding processes, entitlement creep, separation-of-duty (SoD) violations, and more; and

• You still can’t answer the question “who has access to what?”

If you’re ready to migrate away from your existing provisioning platform, you will want to make sure you invest in a technology that will address your current provisioning challenges while also integrating with what you have in place today for a smoother transition.

The new solution must be able to balance core user provisioning requirements — add, change, delete user accounts and password management — with user-friendly interfaces and processes that empower business users to request and manage access. And most importantly, it must offer an integrated approach to identity governance. Governance and compliance should be handled as an integral component of identity management.

“Requesting new access or even changing a user’s existing access is a daunting task in our company. To add access to a single system can take an extraordinary effort to accomplish.”

“Help! The provisioning solution we’ve deployed is not meeting our expectations with regard to compliance and is not sustainable for our future needs.”


Eliminate Audit Deficiencies and Improve Audit Performance

Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls often receive negative audit findings in the form of control deficiencies or material weaknesses.

Here are some of the most common identity risks auditors are looking for:

• Orphan accounts: Access that remains active for employees or contractors after termination due to failure to remove privileges;

• Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles resulting in employees with access beyond their job requirements;

• Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions or the ability to perform conflicting duties;

• Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users are managed using manual processes and are very difficult to audit; and

• Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make business decisions about what access is required to perform a specific job function.

If you’ve failed an audit due to weakness around any of these identity risks, we have good news. The right identity governance solution will improve your visibility into risky or noncompliant areas and automate your processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively analyze risk, make more informed decisions and implement the appropriate controls in an automated and more sustainable fashion. Further, aligning user access with job functions through an enterprise role model can strengthen user access controls by providing valuable business context around how specific sets of access map to the underlying business function being performed by an individual.

The result? Fewer chances of negative audit findings or of failing another audit, and more chances of seeing audit performance improve over time.

Manage Access Risk during Mergers, Acquisitions, Divestitures and Layoffs

Businesses change. And, today they are changing substantially. More than ever before, you have to quickly add, manage or remove access for dozens, hundreds or thousands of individuals at a time.

In fact, in today’s complex business environment, one of the most significant challenges to successfully assimilating one organization into another is the ability to integrate IT environments in a timely manner. Large numbers of users must often be provisioned in one set of systems while other users are deprovisioned in a different set. Especially in a layoff, heightened uncertainty among employees can lead to the need to increase security and scrutiny of user access privileges to limit the risk of inappropriate behavior. And, to add to the challenge, acquired companies must meet Sarbanes-Oxley and other compliance requirements of the acquirer — in a relatively short timeframe.

“We just bought another company. How can I validate their identity controls before the transition is completed?”

“We failed an audit. I need a tool that can help us get back into compliance — quickly!”


The speed at which many mergers, acquisitions, divestitures and layoffs occur makes the efficiency, automation and comprehensive capabilities of an identity governance solution all the more important to successfully establishing control and auditability of identity and access.

It’s never too early to start planning for a change in the size of your organization. In today’s economy, events that force downsizing through a layoff or present opportunities for restructuring by shedding business units can come at you quickly. But if you don’t have the right visibility into your access privileges and rely on manual processes, you may not be able to act quickly enough.

Taking Stock

Once you’ve evaluated your business drivers for identity management, you’ll be in a better position to prioritize your investments. If you’re like most organizations, you have more than one motivating factor, so the key is identifying your one or two most important business imperatives. Moving ahead without prioritizing may cause you to spend precious resources in the wrong direction, inhibiting your ability to meet your most critical needs in a timely manner.

The good news is that investing in an identity governance solution will enable you to realize some “quick wins,” while at the same time strengthening your organization for the long-term. Depending on your business priorities, these immediate results could save you money and reduce the compliance burden on IT; improve your audit performance; improve the efficiency of identity business processes like access request and delivery; or improve your company’s ability to execute on a merger or divestiture.

Whatever path you choose to embark on first, you should avoid taking on every business problem on day one. Best results are achieved by taking a stepwise approach where your project is focused on the business units, departments, or applications that align with your business goals — whether they are corporate agility, operational efficiency, service-level improvement, or regulatory compliance.


Know the Ropes

Understanding Your Needs and Choosing Your Path

Now that you’ve identified your goals, you’ll want to consider the steps you need to take to achieve them. The illustration below shows the possible steps and pathways to implement identity governance — from the most basic to the most advanced. In practice, you have several pathways to choose from, and you can prioritize these based on the unique business requirements of your organization.

Figure 1. Charting Your Course for Successful Identity Governance. The key to success is defining manageable, measurable steps that give you a strong foundation on which to build upon for future identity governance projects — which path you take depends upon your priorities.

The figure lays out five steps, each with the activities it contains:

• Step 1, Aggregate & Cleanse Data: Aggregate & Correlate Identity Data; Conduct Baseline Access Certification

• Step 2, Build Governance Model: Build Policy Model; Build Role Model; Build Risk Model

• Step 3, Automate Compliance Management: Policy Detection & Remediation; Access Certifications

• Step 4, Automate User Lifecycle Management: Access Request Management; Event-Based Lifecycle Management

• Step 5, Fulfill Access Changes: Manual Methods; Help Desk; Automated Provisioning

Steps 3 and 4 are interchangeable depending on your priorities.


Let’s look at each of the steps in Figure 1 more closely:

Step 1: Data Preparation

The starting point for any identity governance project should be to understand the current state of user access within the organization by centralizing your identity data. This stage involves creating a single repository for user and access information by extracting data from your authoritative source (or sources) and all target resources, then performing initial access reviews to clean up that data.

• Data aggregation and correlation: This aggregation and correlation process resolves the inconsistencies between the various sources of identity data, creating an enterprise-wide view that enables you to implement appropriate controls and better manage risk. At this stage, you’ll gain visibility to accounts that do not correlate to users in authoritative sources (orphan accounts and system/service accounts) and you can remove those accounts or assign them to owners for ongoing management.

• Baseline access certification: Once you’ve aggregated and correlated your identity data, your next step should be to perform an initial “data cleanup” certification on the centralized identity data. At this stage, your data/application owners and people managers should review the access privileges for all users. These initial certifications should be used to establish a reliable baseline of data. It’s not unusual for organizations performing a baseline certification to find that between 10 and 25 percent of user access privileges are inaccurate or inappropriate and should be revoked. After revocations are performed, this cleansed data will be utilized by other identity governance functions, including ongoing access certifications, policy enforcement, role management, and risk analytics.

Step 2: Governance Model Development

This step focuses on defining the policy and controls you will use to ensure that all identity management processes are performed in accordance with your organization’s business policies and risk management strategy.

The governance model covers important components such as roles, access policies, and risk. While each model provides distinct benefits to the organization, the creation and deployment of the specific models can align with overall project priorities. Many organizations start with policy management and define the most critical access policies which protect against significant risks to the business. Next, roles typically are generated to simplify how access is assigned to users, as well as reviewed within access certifications. Finally, the risk model enables you to start tracking and monitoring risk across enterprise resources and users. You can prioritize the importance of these components, described in more detail below, and adjust the project accordingly.

• Policy model: As part of configuring the controls environment for your identity governance solution, you will need to define the identity policies required to meet corporate and regulatory requirements across all critical resources. Identity policies that can be defined at this stage include SoD rules that prevent users from holding “toxic combinations” of roles or entitlements and other access policy rules that can enforce access policies such as “no user can hold more than one account on a resource” or “employees in location ABC cannot have access to the following applications.”


• Role model: Roles are an important component of identity governance because they make it easier for business staff to review and approve user access privileges and ensure low-level access rights or entitlements adhere to business policies. The process of building a role model and creating roles can be pursued incrementally based on your individual organization’s needs. Many companies begin by focusing on a defined set of departments or applications based on compliance or other business drivers. Once you’ve defined the scope of your role project, role mining can be used to build candidate roles by searching and analyzing your correlated identity data using parameters such as department, cost center, or manager. Once roles have been created, they can be leveraged by many components of identity governance, including access certifications, policy enforcement, and user lifecycle management.

• Risk model: Developing an identity risk model empowers you to better assess, manage and control threats to security posed by users and their access privileges. Most conventional approaches require you to manually evaluate each user or application individually. However, a risk-based approach can automatically categorize people and applications and assign privileges accordingly. For example, a person with simple read-only privileges and no access to critical applications would likely be considered low risk, while a person who has numerous policy violations, who has not been certified recently, or who has access to key applications would be high risk. With a risk model, you can calculate risk scores for each person and resource under management in order to prioritize compliance efforts on those areas that matter most and more efficiently remediate risk.

Steps 3 and 4: Your Choice Based on Organizational Priorities

Once you have consolidated your identity data and built the appropriate components of a governance model for identity management, you have some choices about where you go next. Your next step will depend on a range of factors: the compliance issues you face, the need to improve administrative efficiency, the need to keep up with the demands of a dynamic business environment, etc. The reality is that needs are unique to every company, so deciding on the right path to identity governance will be up to you. There are two major directions you can take: focus on compliance automation or focus on user lifecycle management and automated provisioning.

Step 3 or 4: Compliance Management

If audit deficiencies and the high cost of compliance are top of mind issues in your organization, then you may want to focus on compliance automation as a next step after completion of the governance model. There are two major components of compliance automation:

• Access certifications: Once you’ve established a baseline of accurate identity data and built key components of your governance model, it’s time to focus on automating key compliance activities like access certifications. Access certifications make it easy to perform regularly scheduled access reviews by application or data owners, people managers, or a combination of both — or to review user access based on detected events, such as a job or manager change. Building on policy, role, and risk models you’ve established, certification reports will clearly highlight detected roles, policy violations, user risk scores and any changes from the previous certification (new users, new roles, or new entitlements). This information enables your reviewers to quickly focus on areas of potential risk and make better decisions.


• Policy violation detection and remediation: After the policy model is defined, you can put in place controls to automatically scan and analyze your identity data to quickly detect any violations, such as SoD violations. Based on these scans, detailed reports can be generated, showing a summary of violations grouped by application, department, or geography. In addition, you can customize how policy violations are handled once they are detected. For example, low-severity violations can be summarized in reports, whereas high-severity alerts can automatically trigger notifications to managers for immediate remediation. Alerts can include a detailed description of the rule violated and the source of the rule (e.g., Sarbanes-Oxley or HIPAA), and recommendations for compensating controls.
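The policy model described earlier (SoD rules against toxic combinations, the one-account-per-resource rule, location-based restrictions), the risk model, and the severity-based handling of detected violations in this bullet can all be exercised on a small data set. The following is an added example, not code from this guide or from any SailPoint product; the identities, rule identifiers, regulatory labels, risk weights and the 180-day certification-staleness threshold are constructed for the illustration.

```python
"""Added example (not from the guide): a policy scan with severity-based
handling and an identity risk score over constructed identity data.

Assumed data model: each identity carries a department, a location, a list
of accounts (application, account name, entitlements held) and the date of
its last access certification. Rules, weights and records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    application: str
    name: str
    entitlements: set

@dataclass
class Identity:
    name: str
    department: str
    location: str
    accounts: list
    last_certified: Optional[date] = None   # None: never certified

@dataclass
class Violation:
    identity: str
    rule: str
    severity: str        # "low" or "high"
    source: str          # regulatory source the rule is traced to
    detail: str

# --- constructed policy model -----------------------------------------------
# SoD rule: anything in the left set together with anything in the right set
# is a toxic combination ("A, B, or C conflicts with any of D, E, or F").
SOD_RULES = [
    ("SOD-AP-01", {"ERP:CreateVendor"}, {"ERP:ApprovePayment"}, "high", "SOX"),
]
KEY_APPLICATIONS = {"ERP"}                 # access here raises risk by itself
LOCATION_DENY = {"Zurich": {"HRIS"}}       # "employees in location X cannot access Y"
AS_OF = date(2017, 12, 1)                  # constructed "today" for the scan

def scan_policies(identities):
    """Return every violation found in one pass over the identity data."""
    violations = []
    for ident in identities:
        held = {f"{a.application}:{e}" for a in ident.accounts for e in a.entitlements}
        for rule_id, left, right, severity, source in SOD_RULES:
            if held & left and held & right:
                violations.append(Violation(ident.name, rule_id, severity, source,
                    f"holds {sorted(held & left)} with {sorted(held & right)}"))
        per_app = defaultdict(int)          # "no more than one account per resource"
        for a in ident.accounts:
            per_app[a.application] += 1
        for app, n in per_app.items():
            if n > 1:
                violations.append(Violation(ident.name, "ACCT-01", "low", "internal",
                    f"{n} accounts on {app}"))
        for app in LOCATION_DENY.get(ident.location, set()):
            if any(a.application == app for a in ident.accounts):
                violations.append(Violation(ident.name, "LOC-01", "high", "internal",
                    f"{ident.location} staff may not access {app}"))
    return violations

def summarize_by_department(identities, violations):
    """Low-severity handling: roll all violations up into a per-department count."""
    dept_of = {i.name: i.department for i in identities}
    counts = defaultdict(int)
    for v in violations:
        counts[dept_of[v.identity]] += 1
    return dict(counts)

def alerts(violations):
    """High-severity handling: one alert per violation, naming the rule and its source."""
    return [f"ALERT {v.identity}: {v.rule} ({v.source}) - {v.detail}"
            for v in violations if v.severity == "high"]

def risk_score(ident, violations, today):
    """Weighted score from violations, key-application access and certification age."""
    mine = [v for v in violations if v.identity == ident.name]
    score = 30 * sum(v.severity == "high" for v in mine)
    score += 10 * sum(v.severity == "low" for v in mine)
    score += 20 * sum(a.application in KEY_APPLICATIONS for a in ident.accounts)
    if ident.last_certified is None or (today - ident.last_certified).days > 180:
        score += 25                         # not certified recently
    return min(score, 100)

# --- constructed sample identities --------------------------------------------
IDENTITIES = [
    Identity("alice", "Finance", "Austin",
             [Account("ERP", "alice", {"CreateVendor", "ApprovePayment"})],
             last_certified=date(2017, 1, 15)),
    Identity("bob", "Engineering", "Zurich",
             [Account("HRIS", "bob", {"ViewPayroll"}),
              Account("Git", "bob", {"Push"}), Account("Git", "bob-admin", {"Admin"})],
             last_certified=date(2017, 11, 1)),
    Identity("carol", "Support", "Austin",
             [Account("Ticketing", "carol", {"ReadOnly"})],
             last_certified=date(2017, 11, 1)),
]

if __name__ == "__main__":
    found = scan_policies(IDENTITIES)
    print(summarize_by_department(IDENTITIES, found))
    for line in alerts(found):
        print(line)
    for i in IDENTITIES:
        print(i.name, risk_score(i, found, AS_OF))
```

In this run alice trips the SoD rule (high), bob holds two Git accounts (low) and an HRIS account from a denied location (high), and carol is clean; only the two high-severity findings become alerts, while the department summary counts all three. The risk score then ranks alice highest because her single finding is compounded by key-application access and a stale certification.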

Step 3 or 4: User Lifecycle Management

If your organization struggles with inefficient and/or non-compliant processes for granting new access privileges or making changes to existing privileges for employees, contractors, and partners, then it may make sense to focus on user lifecycle management as your next step after completing work on the governance model. There are three major components of lifecycle management:

• Self-service access request: Once you have an identity governance model in place, you have the means to build efficient and compliant access request management capabilities. Centralized access request management allows managers and end users to conveniently request new access or make changes to existing access privileges within the constraints of your pre-defined identity policy and role models. It also provides an efficient, more accurate way to view existing access and remove access as needed, as well as to create and edit identities.

• Password management: Using the same business-friendly user interface, users and/or their approved delegates can change or reset passwords across target systems. Allowing end-users to proactively manage password changes can significantly reduce help desk calls.

• Event-based lifecycle management: To further streamline user onboarding, offboarding, and other job changes within the enterprise, you can add event-based lifecycle management to automatically trigger access changes based on HR or other authoritative feeds. For example, when an employee’s status changes from “active” to “terminated,” a trigger launches a change request for all of the user’s access privileges. Or when an employee is promoted, resulting in a job title change, a lifecycle event triggers the assignment of a new business role to replace the user’s current role. Event-based lifecycle management builds upon and leverages the work you’ve done to implement the governance model in step 2 by ensuring compliance with defined business policy for roles, entitlements, and risk guidelines.
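The two triggers named in this bullet (status change to "terminated" launching a revoke-all request, and a title change replacing the user's business role) come down to diffing consecutive snapshots of the authoritative HR feed. The following is an added example, not code from the guide or from a SailPoint product; the field names, the title-to-role mapping and the sample records are constructed. It also goes one step beyond the text by treating an active employee who simply disappears from the feed as a leaver, which is a design choice worth making deliberately rather than by accident.

```python
"""Added example (not from the guide): deriving access-change requests from
two snapshots of an authoritative HR feed (joiner / mover / leaver events).
Field names, the title-to-role mapping and the records are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str       # "active" or "terminated"
    title: str
    manager: str

# Constructed mapping from job title to business role.
ROLE_FOR_TITLE = {
    "Accountant": "Finance-Staff",
    "Accounting Manager": "Finance-Manager",
    "Engineer": "Eng-Staff",
}

@dataclass(frozen=True)
class ChangeRequest:
    employee_id: str
    event: str        # "joiner", "leaver" or "mover"
    action: str       # what the fulfillment step must carry out

def detect_lifecycle_events(previous, current):
    """Compare two HR snapshots (dicts keyed by employee id) and emit change requests."""
    requests = []
    for emp_id, now in current.items():
        before = previous.get(emp_id)
        if before is None:
            if now.status == "active":          # new hire: birthright role for the title
                requests.append(ChangeRequest(emp_id, "joiner",
                    f"create accounts; assign role {ROLE_FOR_TITLE[now.title]}"))
            continue
        if before.status == "active" and now.status == "terminated":
            # Termination: one request covering every privilege the user holds.
            requests.append(ChangeRequest(emp_id, "leaver", "revoke all access"))
            continue
        if now.status == "active" and before.title != now.title:
            old_role = ROLE_FOR_TITLE[before.title]
            new_role = ROLE_FOR_TITLE[now.title]
            if old_role != new_role:            # promotion: swap the business role
                requests.append(ChangeRequest(emp_id, "mover",
                    f"replace role {old_role} with {new_role}"))
    # Design choice (assumption, beyond the text): an active employee that vanished
    # from the authoritative feed is treated as a leaver; absence is not a reason
    # to keep access.
    for emp_id in sorted(previous.keys() - current.keys()):
        if previous[emp_id].status == "active":
            requests.append(ChangeRequest(emp_id, "leaver", "revoke all access"))
    return requests

# Constructed snapshots: yesterday's and today's HR feed.
YESTERDAY = {
    "E100": HrRecord("E100", "active", "Accountant", "E900"),
    "E101": HrRecord("E101", "active", "Engineer", "E901"),
    "E102": HrRecord("E102", "active", "Engineer", "E901"),
}
TODAY = {
    "E100": HrRecord("E100", "active", "Accounting Manager", "E900"),  # promotion
    "E101": HrRecord("E101", "terminated", "Engineer", "E901"),        # leaver
    "E103": HrRecord("E103", "active", "Engineer", "E901"),            # new hire
    # E102 has dropped out of the feed entirely
}

if __name__ == "__main__":
    for req in detect_lifecycle_events(YESTERDAY, TODAY):
        print(req)
```

Each request produced here is exactly what the governance model in step 2 should validate before fulfillment: the joiner's birthright role must exist in the role model, and the mover's new role must not create a policy violation with entitlements the user still holds.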


Step 5: Access Fulfillment

The final step in deploying identity governance involves the fulfillment of access changes on target resources, such as applications, databases and systems. In other words, this phase of the project is focused on ensuring that all changes triggered by compliance remediations, access requests, password changes or lifecycle events are successfully implemented within your IT environment. You should take a very practical approach to this phase of the project and consider all possible solutions and processes for “last mile” provisioning, including automated provisioning systems, help desk systems, and even manual methods for change.

Bear in mind that it’s not always cost-effective to automate all access changes; sometimes using application administrators to implement needed changes is the optimal approach. The critical requirement is to implement a closed-loop capability that confirms whether or not all changes have been made, no matter what the method.

There are two approaches that can help you determine which provisioning methodology best fits your IT resources: an ROI analysis and a risk analysis. The ROI analysis can help you identify systems where there are a significant number of users on the target system and/or a high number of changes to users and accounts. The risk analysis can help you identify systems where any lag between an access change request (e.g., termination of access or revocation of privileges) and its fulfillment could put the enterprise at an increased level of risk. The combination of these two metrics can help you prioritize your resources for automating last mile change management.
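The closed-loop requirement from the previous paragraphs, that every change is confirmed against the target regardless of whether a connector or an administrator made it, together with the ROI and risk screens for deciding which systems deserve a connector, can be shown end to end. The following is an added example, not code from the guide or from a SailPoint product; the in-memory "target systems", the connected-application list, the thresholds and the sample requests and system metrics are constructed.

```python
"""Added example (not from the guide): closed-loop access fulfillment with
an automated path and a help-desk path, plus ROI/risk screening of systems
for automation. Targets, thresholds and sample data are constructed.
"""
from dataclasses import dataclass

@dataclass
class ChangeRequest:
    request_id: str
    user: str
    application: str
    entitlement: str
    action: str          # "grant" or "revoke"

# Constructed target systems: application -> user -> entitlements held.
TARGETS = {
    "ERP": {"alice": {"CreateVendor", "ApprovePayment"}},
    "LegacyMainframe": {"alice": {"TSO"}},
}
CONNECTED = {"ERP"}      # applications with an automated connector (assumption)

def apply_to_target(req):
    """Change the target state; used by the connector and, later, by the admin."""
    ents = TARGETS[req.application].setdefault(req.user, set())
    if req.action == "grant":
        ents.add(req.entitlement)
    else:
        ents.discard(req.entitlement)

def open_help_desk_ticket(req, queue):
    """Manual path: only records the ticket; an administrator must act on it."""
    queue.append(req.request_id)

def verify(req):
    """Closed loop: re-read the target and check that the requested state holds."""
    held = req.entitlement in TARGETS[req.application].get(req.user, set())
    return held if req.action == "grant" else not held

def process(requests):
    """Route each request by path, then verify every request the same way.
    Returns (confirmed ids, still-open ids, help-desk tickets raised)."""
    tickets = []
    for req in requests:
        if req.application in CONNECTED:
            apply_to_target(req)
        else:
            open_help_desk_ticket(req, tickets)
    confirmed = [r.request_id for r in requests if verify(r)]
    still_open = [r.request_id for r in requests if not verify(r)]
    return confirmed, still_open, tickets

def admin_completes(req):
    """Simulates the application administrator working the ticket by hand."""
    apply_to_target(req)

def automation_candidates(systems, roi_threshold=100_000, risk_threshold=4):
    """Screen systems for connector investment: high change volume (ROI) or a
    high cost of fulfillment lag (risk). Ranked by volume, highest first."""
    picked = [s for s in systems
              if s["users"] * s["changes_per_month"] >= roi_threshold
              or s["lag_risk"] >= risk_threshold]
    picked.sort(key=lambda s: s["users"] * s["changes_per_month"], reverse=True)
    return [s["name"] for s in picked]

# Constructed requests: an SoD remediation on a connected app and a
# revocation on a system that only has a manual path.
REQUESTS = [
    ChangeRequest("R1", "alice", "ERP", "ApprovePayment", "revoke"),
    ChangeRequest("R2", "alice", "LegacyMainframe", "TSO", "revoke"),
]
# Constructed system metrics for the ROI / risk screen (lag_risk on a 1-5 scale).
SYSTEMS = [
    {"name": "ERP", "users": 5000, "changes_per_month": 400, "lag_risk": 3},
    {"name": "LegacyMainframe", "users": 200, "changes_per_month": 5, "lag_risk": 5},
    {"name": "Ticketing", "users": 3000, "changes_per_month": 20, "lag_risk": 1},
]

if __name__ == "__main__":
    print(process(REQUESTS))          # R2 stays open until the admin acts
    admin_completes(REQUESTS[1])
    print(verify(REQUESTS[1]))        # True once the target really changed
    print(automation_candidates(SYSTEMS))
```

The point of `verify` is that it never trusts the path that claimed to make the change: the connector's result and the ticket's "closed" status are both checked against a fresh read of the target, so a ticket closed without the revocation actually being performed stays visible as open. In the screening step, ERP qualifies on change volume and the mainframe qualifies on lag risk alone, which is the kind of low-volume, high-consequence system the risk analysis exists to catch.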


Move Full Speed Ahead

Selecting the Right Solution

With your goals and general approach established, it’s time to move ahead to evaluating solutions. You’ll want to look at the specific attributes of various identity governance offerings and determine whether they can provide the functionality you need to accomplish your goals and whether they can deliver the business and technical benefits of true governance that your organization requires.

The following pages contain lists of qualifying questions that will help you evaluate products and plan for a successful implementation of identity governance. We provide questions on the following topics:

• Identity Governance Business Case

• Data Aggregation and Correlation

• Access Certification

• Policy Management

• Role Management

• Risk Modeling

• Access Request and Identity Lifecycle Management

• Password Management

• Automated Provisioning and Help Desk Integration

• Reporting and Analytics

• Architecture and Platform

• Configuration and Administration Requirements

Because an identity governance solution should be designed to enable you to begin at the stage that is appropriate for you, based on your business and IT goals and your existing identity management implementation, not all sections may be relevant to your needs. Feel free to apply to your product evaluation the questions that are most appropriate to your organization.

Note: The lists are divided for ease of use into subsections that reflect activities in the deployment paths we have previously discussed in this guide.


Identity Governance Business Cases

Ask the following questions to understand how the solution under consideration can help you to solve your current business problems related to governance of user access within the enterprise. Be sure to ask for example case studies and conduct reference calls for confirmation.

Identity Governance Business Case Requirements SailPoint Other Vendor

Does the software help address your most pressing identity governance challenges today? Yes

Does the solution address common detective identity controls required by regulatory mandates such as Sarbanes-Oxley, HIPAA and Basel II? Yes

Does the solution reduce the complexity of creating an enterprise governance model? Yes

Does the solution help to proactively enforce pre-established business policies for how access should be granted within the enterprise? Yes

Does the vendor provide customer case study examples demonstrating how the solution has reduced the cost of compliance? Yes

Can the vendor provide specifics on how customers using the solution have leveraged identity risk metrics to improve the effectiveness of preventive and detective identity controls within their organization? Yes

Does the solution have a unified architecture? Yes

Is the solution comprised of a single application or a set of integrated applications? Yes

If integrated, what level of synchronization is required between each component? Yes

Can the solution quickly deliver a return on investment? Yes


Data Aggregation and Correlation

Consolidating and correlating your identity and access data is an essential step in laying the foundation for your identity management initiatives, no matter where in the process you stand. In evaluating tools that offer this important first step in your project, be sure you find one that meets the following criteria.

Data Aggregation and Correlation Requirements SailPoint Other Vendor

Can the solution collect user access privileges from various applications and platforms (e.g., AD, SAP, Mainframes, UNIX and other applications with different file formats)? Yes

Does the solution support the collection of data using agent-less connectors? Yes

Are the following import options supported:

• CSV files? Yes

• XML files? Yes

• Flat files? Yes

Does the solution support automatic discovery of flat-file or database schemas? Yes

Does the solution support modeling fine-grained permissions such as operational rights on database tables and file shares? Yes

Can updates to user and access data be scheduled within the application to support regular refresh of information? Yes

Does the software support the definition of custom schemas for each connected application? Yes

Can the application derive the employee/manager relationship from an authoritative identity source, such as the central HR application? Yes

Can the application support multiple authoritative sources for identity data? Yes

Does the software create a single view of each user within the enterprise and their associated access privileges? Yes

Are all user entitlements, roles, policy information and activity data viewable within the context of an individual identity? Yes

Does the solution enable automated correlation of user account information using a “wizard-like” interface that can be operated by non-technical users? Yes

Does the application provide a user interface for performing manual correlation of user account privileges? Yes

Can an approval be associated with manual correlation of accounts? Yes

Does the application provide a way to designate accounts as privileged or system accounts? Yes

Can this designation be accomplished from the user interface? Yes

Does the solution include an entitlement glossary and the ability to associate contextual metadata with each entitlement, e.g., business-friendly description, data owner, and account type? Yes

Can business-friendly descriptions and other metadata be imported and associated with low-level IT entitlements? Yes

Are both automated and manual updates to entitlement metadata supported? Yes

Does the solution support importing and evaluating activity data from target systems? Yes

Does the import provide filtering of activity data to ensure only the desired data is included? Yes

Can activity data be mapped back to a known identity based on unique correlation rules? Yes


Access Certification

These questions are designed to ensure that the solution you select is best suited to improve the efficiency and accuracy of your certification process, and to help you meet goals for corporate accountability and compliance.

Access Certification Requirements SailPoint Other Vendor

Does the access certification feature support both technical and business user needs within the tool? Yes

Does the application enable business users to create and manage periodic access reviews across the enterprise? Yes

Does the solution support managing different certification use cases by different user types out-of-the-box, e.g., manager certifications, application owner certifications, data owners? Yes

Can the solution create certifications for individual entitlements, such as group memberships, and assign them to the appropriate data owners? Yes

Can user access certifications be set up to auto-generate on a periodic cycle? Yes

Does the application enable a continuous certification environment where users and their associated access privileges are constantly monitored for changes and any change precipitates a review? Yes

Does the solution support automated report routing to the appropriate certification recipients? Yes

Can automatic notifications be generated and sent out to certifiers when a new certification is created? Yes

Does the application support the ability to send reminder notifications periodically during an active certification? Yes

Can identity attributes such as HR data and user risk profiles be used to automatically define populations of users for certification? Yes

Does the application highlight privileged user accounts and other high-risk accounts (e.g., service accounts) during the certification process? Yes

Do the user certification screens highlight/identify changes in user entitlements and/or business roles since the last certification or new users not previously certified? Yes

Does the reviewer have the ability to bulk certify/approve a particular entitlement for all users in a certification and can this feature be disabled? Yes

Does the solution support filtering of users during a certification to simplify and speed completion (e.g., filter users by customer-defined attributes, entitlements, business roles)? Yes

When certifiers review a user’s access privileges, can they approve, revoke or allow exceptions? Yes

Are the certifier options configurable? Yes

Can certifiers reassign a specific user or users within a certification to another employee to complete the certification process? Yes

Does the application support delegation of users to another certifier? Yes

Can specific certification line items be delegated to another certifier for completion? Yes

Can the solution support certification of multi-tiered applications by allowing business users to only sign off at the high-level business application account level? Yes

Can the solution automatically generate a certification based on detected changes to a user’s access (e.g., user changes departments, job roles)? Yes

Can these change events be defined and managed through the user interface? Yes

Does the solution support review and resolution of existing policy violations directly within a certification? Yes


Access Certification (cont.)

Access Certification Requirements (cont.) SailPoint Other Vendor

Does the solution provide user activity data on specific applications/transactions during certifications, enabling reviewers to evaluate access based on usage? Yes

Does the solution support the ability to define rules by application to identify former employees as an identity attribute? Yes

Does the solution optionally support bulk remediation for all former employees’ access privileges prior to beginning an access certification, thereby reducing the workload of reviewers? Yes

Does the access certification process support a challenge period to allow users to contest a pending remediation decision before it is implemented in the environment? Yes

Does the solution support the definition and assessment of remediation periods, allowing the compliance solution to track the remediation activity within the target system? Yes

Can work items assigned to a manager or application owner be automatically forwarded if the person leaves the company during an access certification? Yes

Does the application display each user’s risk profile within the certification report as additional context for reviewers? Yes

Can the software support the integration of entitlement descriptions into a certification to provide users with a business-friendly translation of complex IT information? Yes

Can users configure the certification report display based on their individual preferences (e.g., display/hide columns, sort columns, move columns)? Yes

Does the solution provide the history of certification decisions previously made on entitlements and roles? Yes

Is this historical information included in active certifications to help reviewers determine the appropriateness of access? Yes

Does the solution provide visibility to certification activities (e.g., completion status) on a user’s dashboard? Yes

Does the solution provide an administrative dashboard to track aggregated certification metrics across the enterprise and certification campaigns? Yes


Policy Management

With constant changes in user entitlements across multiple, heterogeneous enterprise applications, businesses often struggle to address separation-of-duty and user access violations that expose the organization to risk. The following questions can help you identify a solution that can enable you to simplify policy definition and automate policy scanning and remediation.

Policy Management Requirements SailPoint Other Vendor

Can the application support the ability to define policy violations within and across applications/resources? Yes

Does the solution support the ability to define and enforce access policy, including SoD policies between individual roles, between individual entitlements, and between roles and entitlements? Yes

Can SoD policy support multi-sided exclusions? For example, “A, B, or C conflicts with any of D, E, or F.” Yes

Does the solution support policies around activity-based data (e.g., accessing a critical system after hours triggers a violation)? Yes

Can risk-based policies be created in the application to support notification/alerting when user risk profiles change? Yes

Does the application support the definition of account or identity attribute business policies? Yes

Does the system provide a business-friendly UI for defining and editing access policies? Yes

Can basic policies be expanded using a scripting or programming language interface? Yes

Does the solution provide a common policy repository that is leveraged by all identity processes? Yes

If more than one repository is needed, does it synchronize between them? N/A

Does the application automatically scan and detect policy violations? Yes

When policy violations are detected, does the application automatically notify responsible parties? Yes

Are the policy violations escalated if not addressed in a defined period of time? Yes

Does the application support execution of a business process or workflow when policy violations are detected, allowing varying responses based on criteria such as the calculated risk of the violation? Yes

Does the solution provide a business-friendly user interface for managing policy violations by both business managers and compliance administrators? Yes

Are policy violations clearly highlighted during access reviews to allow for rapid remediation? Yes

When addressing policy violations, is flexibility provided to allow different actions, based on the type and circumstances of the violation? Yes

Can revocation recommendations be stored in conjunction with each policy rule and exposed to the user when viewing policy violations? Yes


Role Management

The following questions can help you determine whether the solution under evaluation can manage the entire role lifecycle to accommodate change and keep the quality and reliability of the role model in place.

Role Management Requirements SailPoint Other Vendor

Does the solution provide features which simplify the implementation of an enterprise role model made up of business and IT roles? Yes

Can the solution import roles using manual or automated interfaces? Yes

Does the solution support the ability to read or import organizational hierarchy information? Yes

Does the solution support a hierarchical role model with n–levels? Yes

Does the solution support custom types of roles? Yes

Can role types be configured directly within the user interface? Yes

Can role engineering define additional metadata attributes on a role? Yes

Does the solution provide a mechanism for combining business roles and IT roles into a common role model? Yes

Does the business role model support the notion of required and optional IT role associations to enable the principle of least privilege? Yes

Does the solution support the creation of both business roles (top-down) and IT roles (bottom-up)? Yes

Does the solution support automated mining of both business roles (top-down) and IT roles (bottom-up)? Yes

Does the solution have the ability to define roles in plain business language? Yes

Does the solution facilitate collaboration between business and technical users in the definition and management of roles? Yes

Does the solution support role mining to discover potential roles using various pattern search algorithms? Yes

Does the role mining support a directed search, whereby the user is able to narrow the focus of the mining by selecting a set of applications to mine against and by providing user specifics such as location, job title, manager, or cost center? For example, “Only mine against applications 1 & 3 and only mine against users of those applications that are in cost center 1204 and work in the Chicago office.” Yes

Does the solution allow you to create candidate roles by mining the entitlements of a user that represents a useful prototype of a business role? Yes

Does the role definition process include the ability to identify or suggest candidate roles during the access certification process? Yes

Does the solution support role ownership? Yes

Does the solution support delegation with respect to role ownership? Yes

Does the solution provide role approval workflow for all changed roles (i.e., add, modify, disable)? Yes

Is the workflow configurable for duration, approvers, escalation parameters, etc.? Yes

Does the solution limit administrative functions for role management and allow the restriction of certain role definitions/applications between individuals or groups of people? Yes

Can role approvers communicate comments, which are to be passed back to the user/requestor? Yes

Does the solution provide the ability to perform a “what if” impact analysis on role model changes? Yes

Does the solution provide analysis of roles indicating role quality based on factors such as membership, risk, and usage? Yes

Can the solution detect and report on:

• inactive roles? Yes

• users with no roles? Yes

• roles with no users? Yes


Role Management (cont.)

Role Management Requirements (cont.) SailPoint Other Vendor

Does the solution support periodic role certification of both role composition (role privilege/entitlement mapping) and role membership? Yes

Can the solution detect and alert on role violations before assigning roles to users? Yes

Does the solution provide the ability to assign and de-assign roles to users? Yes

Can assignment be done both manually and through automated assignment and de-assignment rules associated with a role? Yes

Can the solution request changes for all users that have a particular role, when a role definition is changed? Yes

Does the solution provide logging and reporting capabilities for all role changes (e.g., “What date was the role created, who created the role, who approved the role?”)? Yes

Does it allow you to search on a specific role within the organization from the role repository? Yes

Does it allow you to report on all privileges mapped to a role? Yes

Does it allow you to report on all users assigned to a role? Yes

Does the solution support temporary assignment of a role to a user (e.g., sunrise and sunset dates)? Yes

Does the solution support the creation of temporary roles that have defined activation and deactivation dates? Yes

Does the solution maintain all previous versions of role definitions? Yes

Can the solution easily roll back to previous versions of role definitions? Yes

Does the solution provide a common role model/repository leveraged by all identity processes? Yes

If more than one model/repository, does the tool synchronize between them? N/A


Risk Modeling

The following questions address a solution’s ability to take a risk-based approach and to provide the functionality necessary for you to assess, manage and control threats to security posed by people, roles and applications.

Risk Modeling Requirements SailPoint Other Vendor

Does the solution track and monitor the relative risk of each user based on that user’s access to sensitive applications and data (identity risk scoring)? Yes

Does the solution dynamically calculate a user’s risk score based on changes to access within the environment? Yes

Does the solution support configurable risk factors and weightings for calculating identity or resource risk scores? Yes

Can activity monitoring be used as a mitigating factor for reducing the risk score of a user’s identity risk profile? Yes

Is the risk model within the application extensible? Yes

Can attributes from authoritative sources be used to influence an identity or resource risk score, such as location, employee status, etc.? Yes

Does the solution enable risk mitigation actions (e.g., certifications or activity monitoring) to be targeted at high-risk users? Yes

Can the solution profile aggregate risk scores, e.g., by manager, department, location, or company-wide? Yes

Can aggregate risk scores be displayed graphically for easy identification of risk “hot spots”? Yes

Does the solution track risk scores over time for trending analysis? Yes

Can this tracking be done by user, manager, department, location, or company-wide? Yes

Can the solution alert or notify managers, application owners or compliance officers based on changes to an identity or resource risk score? Yes

Can risk scores be viewed on demand as part of each user’s identity information? Yes

Can high-risk users be easily identified via reporting and analytics? Yes

Does the solution recommend risk mitigation actions for high-risk users, such as activity monitoring, ad hoc certifications, or remediation of policy violations? Yes

Can bulk corrective or mitigating actions (such as an ad hoc certification) be taken against high-risk user populations discovered via reporting or analytics? Yes


Access Request and Identity Lifecycle Management

An identity governance solution should offer a convenient and easy way for users to request new access or make changes to existing access privileges within the constraints of the pre-defined identity policy and role model. And it should allow you to gain greater transparency not only into who has access to what, but also into how they acquired access privileges. The following questions can help you review these capabilities.

Access Request and Identity Lifecycle Management Requirements SailPoint Other Vendor

Does the solution provide a business-friendly interface for requesting changes to user access? Yes

Does the self-service access request solution allow for additions, changes, and removals of access? Yes

Can the solution facilitate requesting of:

• roles? Yes

• entitlements? Yes

• accounts? Yes

Does the solution support requesting optional (permitted) IT roles for business roles that are already assigned? Yes

Can the system be configured to restrict end users to only requesting permitted IT roles? Yes

Can users request a start date (“sunrise”) associated with new access requests? Yes

Can users select an end date (“sunset”) when removing access through the self-service request interface? Yes

Does the solution support creating new identities from scratch within the user interface (e.g., act as the authoritative source for creating identities)? Yes

Does the solution allow you to edit identity attributes of existing users? Yes

Can the solution limit the data which is editable from the user interface? Yes

Does the solution scope who can request access for others? Yes

Can attributes be used to define the requestor relationship? Yes

Does it allow anyone in the organization to request access for anyone else? Yes

Does the solution support preventive policy-checking of self-service and delegated access requests prior to being submitted for fulfillment? Yes

Does the solution support configurable workflows to manage self-service access requests/changes? Yes

Does the solution give end users a business-friendly dashboard to view status of pending and completed requests? Yes

Does the solution support the definition of automated lifecycle events — e.g., new hire, promotion, termination? Yes

Can events be configured from the user interface? Yes

Does the solution support configuration of access change triggers associated with lifecycle events to automatically initiate changes to user access? Yes

Can access change triggers call specific workflows to manage the change process from initiation through provisioning? Yes

Does the solution provide visibility to access changes initiated through automated change events? Yes

Does the solution provide a graphical user interface for configuring/editing business processes and workflows associated with manually-initiated access requests (including self-service and delegated requests)? Yes

Does the solution provide flexible approval routing for changes initiated through self-service request or automated lifecycle events — e.g., manager, data owners, role owners, and security administrators? Yes

Does the solution support the following approval workflow types — serial, parallel, single approvals, multiple approvals? Yes

Does the solution support delegation of approval requests to other users within the system and is this information tracked and audited? Yes


Can automatic escalation rules be defined within the solution? Yes

Does the solution support dynamic rerouting of approval requests based on the outcome of other workflow steps — e.g., change approval routing if a policy violation is identified or if the user’s risk score is greater than 800? Yes

Does the solution support the creation of new accounts associated with adding new users or access? Yes

Can the solution request additional information from users involved in the access request process — e.g., requester, approver, application/data owners? Yes

Can the solution dynamically generate forms to capture additional information from the user based on pre-configured provisioning policies for applications and roles? Yes

Does the solution provide an administrative interface to track aggregate request activity across the enterprise? Yes

Is the request activity available from an administrative dashboard? Yes

Does the access request and lifecycle management solution track aggregated request metrics and workflow statistics? Yes

Does the solution support tracking and reporting on service-level metrics? Yes

Are metrics available at the business process as well as the individual workflow step levels? Yes

Can the solution orchestrate changes to user access based on self-service access requests and lifecycle events across disparate provisioning processes? Yes
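The preventive policy check and risk-based approval rerouting the rows above ask about, as an added example that is not SailPoint code. The role model, the separation-of-duty policy, the identities and the approver names are constructed; the 800 risk-score threshold is the one quoted in the checklist.

```python
"""Preventive SoD check and risk-aware approval routing for an access request.

Added example; not SailPoint code. Models only what the checklist asks for:
a separation-of-duty (SoD) check run before the request is submitted, and a
serial approval chain that gains a security-administrator step when a
violation is found or the requester's risk score exceeds 800.
All role, entitlement, policy and identity names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SodPolicy:
    """Two entitlement sets that one identity must not hold together."""
    name: str
    left: frozenset
    right: frozenset


@dataclass
class Identity:
    name: str
    manager: str
    risk_score: int
    entitlements: set = field(default_factory=set)


# Constructed role model: business roles resolve to the entitlements they grant.
ROLE_MODEL = {
    "AP Clerk": {"erp:create_vendor", "erp:enter_invoice"},
    "AP Approver": {"erp:approve_payment"},
    "Reporting Analyst": {"bi:read_reports"},
}
ROLE_OWNERS = {
    "AP Clerk": "finance-role-owner",
    "AP Approver": "finance-role-owner",
    "Reporting Analyst": "bi-role-owner",
}
SOD_POLICIES = [
    SodPolicy("Vendor creation vs. payment approval",
              frozenset({"erp:create_vendor"}), frozenset({"erp:approve_payment"})),
]
RISK_REROUTE_THRESHOLD = 800  # the example threshold quoted in the checklist


def resolve(roles):
    """Expand requested roles into the entitlements they would grant."""
    ents = set()
    for role in roles:
        ents |= ROLE_MODEL[role]
    return ents


def check_sod(identity, requested_roles):
    """Names of SoD policies the identity would violate after the change."""
    after = identity.entitlements | resolve(requested_roles)
    return [p.name for p in SOD_POLICIES if (after & p.left) and (after & p.right)]


def route_approval(identity, requested_roles):
    """Build the serial approval chain; reroute on violation or high risk.

    Returns (chain, violations). Default chain: manager, then each distinct
    role owner. A policy violation or a risk score above the threshold adds a
    security-administrator step so the exception is reviewed explicitly.
    """
    violations = check_sod(identity, requested_roles)
    chain = [identity.manager]
    for role in requested_roles:
        owner = ROLE_OWNERS[role]
        if owner not in chain:
            chain.append(owner)
    if violations or identity.risk_score > RISK_REROUTE_THRESHOLD:
        chain.append("security-administrator")
    return chain, violations


if __name__ == "__main__":
    alice = Identity("alice", "bob", 350, {"erp:approve_payment"})
    print(route_approval(alice, ["AP Clerk"]))
```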


Password Management

These questions help you determine whether the solution will be sufficient to manage your user passwords, from policy setting to self-service resets and synchronization.

Password Management Requirements SailPoint Other Vendor

Does the solution allow end users to manage their own passwords — i.e., reset forgotten passwords, change existing passwords? Yes

Are the end-user password management user interfaces integrated with the solution’s access request user interfaces for a seamless user experience? Yes

Does the solution allow delegated password administration? Yes

Can passwords be synchronized across multiple systems at the same time? Yes

Does the solution enforce password strength requirements? Yes

Does the solution support the following constraints:

• minimum/maximum length Yes

• minimum letters/numbers/special characters Yes

• password history constraints Yes

• exclusion dictionary Yes

If password strength requirements are supported, are they configurable per target system? Yes

Does the solution support challenge questions for password recovery? Yes

Can the number of challenge questions presented to the user be configured based on the organization’s security policies? Yes

Can the solution provide administrators with a report detailing users who have not completed answers to challenge questions? Yes
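The strength constraints listed above, checked per target system, as an added example that is not SailPoint code. The target names, rule values and dictionary words are constructed, and keeping password history as salted PBKDF2 digests is an assumption about how a deployment would store it.

```python
"""Per-target-system password policy check covering the constraints above.

Added example; not SailPoint code. Assumes one policy is configured per
target system (the checklist asks whether rules are configurable per
system) and that password history holds salted digests, never plaintext.
Targets, rule values and dictionary words are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_letters: int = 1
    min_digits: int = 1
    min_special: int = 0
    history_depth: int = 0              # previous passwords that may not be reused
    exclusion_dictionary: frozenset = frozenset()


# Constructed per-target policies: the ERP system gets the stricter rule set.
TARGET_POLICIES = {
    "ldap": PasswordPolicy(min_length=10, min_special=1, history_depth=5,
                           exclusion_dictionary=frozenset({"password", "welcome", "acme"})),
    "erp": PasswordPolicy(min_length=14, max_length=32, min_letters=2, min_digits=2,
                          min_special=2, history_depth=12,
                          exclusion_dictionary=frozenset({"password", "acme", "erp"})),
}


def _digest(salt: bytes, password: str) -> bytes:
    # Assumption for the demo: PBKDF2-HMAC-SHA256; a deployment would use its
    # configured password hash. Iterations kept modest so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class PasswordHistory:
    """Previous passwords kept as (salt, digest) pairs, newest first."""
    entries: list = field(default_factory=list)

    def remember(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries.insert(0, (salt, _digest(salt, password)))

    def was_used(self, password: str, depth: int) -> bool:
        # Only the newest `depth` entries count, matching the history constraint.
        return any(hmac.compare_digest(_digest(salt, password), d)
                   for salt, d in self.entries[:depth])


def validate_password(target: str, candidate: str, history: PasswordHistory) -> list:
    """Return the names of the rules the candidate violates for this target.

    An empty list means the password is acceptable for that target system.
    """
    policy = TARGET_POLICIES[target]
    failures = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        failures.append("length")
    if sum(c.isalpha() for c in candidate) < policy.min_letters:
        failures.append("letters")
    if sum(c.isdigit() for c in candidate) < policy.min_digits:
        failures.append("digits")
    if sum(not c.isalnum() for c in candidate) < policy.min_special:
        failures.append("special")
    lowered = candidate.lower()
    if any(word in lowered for word in policy.exclusion_dictionary):
        failures.append("dictionary")
    if policy.history_depth and history.was_used(candidate, policy.history_depth):
        failures.append("history")
    return failures


if __name__ == "__main__":
    h = PasswordHistory()
    h.remember("Correct-Horse-42!")
    print(validate_password("ldap", "Correct-Horse-42!", h))   # ['history']
    print(validate_password("erp", "Acme2024!!", h))           # ['length', 'dictionary']
```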


Automated Provisioning

The following questions will help you to understand if the solution can effectively drive changes to user access across your target systems in a timely manner and according to policy.

Automated Provisioning Requirements SailPoint Other Vendor

Does the solution provide out-of-the-box capabilities for automatically pushing changes to enterprise IT systems? Yes

Can the solution manage the complete user account lifecycle (add, edit and delete, enable, disable) for connected resources? Yes

Can the solution validate that changes requested are correctly implemented in the target resource? Yes

Does the solution provide a web-based interface for administration and configuration? Yes

Does the product store provisioning values in its repository? Yes

Are provisioning activities recorded for audit purposes? Yes

Does the solution provide out-of-the-box connectors for the following categories of enterprise systems?

• directories Yes

• databases Yes

• platforms Yes

• business applications Yes

• messaging applications Yes

Does the solution provide a toolkit for creating connectors for custom or homegrown applications? Yes

Is the connector architecture agentless? Yes

Does the solution allow transformation of data and execution of validation rules as part of the data load processing? Yes


Provisioning and Help Desk Integration

To maximize your existing investments, your provisioning solution should be able to seamlessly integrate with third-party systems, whether they are provisioning or help desk solutions. Be sure to evaluate the following integration capabilities.

Provisioning and Help Desk Integration Requirements SailPoint Other Vendor

Can the system orchestrate changes to user access across multiple provisioning processes? Yes

Does the solution provide out-of-box integration with any third party automated provisioning systems? Yes

Can the system support the retrieval of entitlement information through provisioning connectors without the need to directly connect to the target system, if required? Yes

Does integration with automated provisioning systems use industry standards such as the service provisioning markup language (SPML) when supported by integrated systems? Yes

Does the solution support closed-loop validation of change requests through integration with a provisioning solution? Yes

Does the solution support retry? Yes

Can the solution detect and notify the appropriate manager when a previously revoked role or entitlement is replaced/comes back? Yes

Does the solution support separation-of-duty (SoD) or other access policy checking by provisioning before users are granted access? Yes

Does the solution support role exchange with automated provisioning systems (e.g., Oracle Identity Manager or IBM Tivoli Identity Manager)? Yes

Does the solution expose web services for integrating with a provisioning solution to bulk re-provision users based on role model changes? Yes

Can the solution evaluate the change request and construct a detailed set of entitlement level changes for the provisioning system? Yes

Can the solution monitor provisioning system audit logs and correlate this activity data to identities under management? Yes

Does the solution integrate with non-automated provisioning systems, such as help desk/service request systems? Yes

Does the solution support the automatic generation of “tickets” through service/help desk integrations? Yes
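The closed-loop validation, retry, and revoked-access detection asked about above, as an added example that is not SailPoint code and not a real connector API. The target system, the provisioning plan and the revocation log are constructed stand-ins for illustration.

```python
"""Closed-loop provisioning validation with retry, and detection of revoked
access that comes back.

Added example; not SailPoint code or any real connector API. Assumes a plan of
add/remove operations is pushed to a target, the account is read back to
confirm the change (closed-loop validation), failed pushes are retried a
bounded number of times, and a later read of the target is compared with the
revocation log so a re-granted entitlement can be flagged to the manager.
All accounts, entitlements and manager names are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Op:
    account: str
    entitlement: str
    action: str  # "add" or "remove"


class FlakyTarget:
    """Constructed stand-in for a connected system whose first N writes fail."""

    def __init__(self, accounts, failures_before_success=0):
        self.accounts = {a: set(e) for a, e in accounts.items()}
        self._failures_left = failures_before_success

    def write(self, op: Op) -> None:
        if self._failures_left > 0:
            self._failures_left -= 1
            raise ConnectionError("target unavailable")
        ents = self.accounts.setdefault(op.account, set())
        (ents.add if op.action == "add" else ents.discard)(op.entitlement)

    def read(self, account: str) -> set:
        return set(self.accounts.get(account, set()))


def fulfil_with_retry(target, plan, max_attempts=3):
    """Push each op, re-read the account to validate it, retry on failure.

    Returns {op: (status, attempts)} with status "ok" or "failed". An op whose
    read-back does not show the expected state counts as failed even when the
    write itself raised nothing, so the audit record reflects the real state.
    """
    results = {}
    for op in plan:
        status, attempts = "failed", 0
        while attempts < max_attempts:
            attempts += 1
            try:
                target.write(op)
            except ConnectionError:
                continue
            present = op.entitlement in target.read(op.account)
            if present == (op.action == "add"):
                status = "ok"
                break
        results[op] = (status, attempts)
    return results


@dataclass
class RevocationLog:
    """Entitlements removed through governance, with the manager to notify."""
    revoked: dict = field(default_factory=dict)  # (account, entitlement) -> manager

    def record(self, op: Op, manager: str) -> None:
        if op.action == "remove":
            self.revoked[(op.account, op.entitlement)] = manager


def detect_regranted(log: RevocationLog, target) -> list:
    """Compare a fresh read of the target with the revocation log.

    Returns (account, entitlement, manager) triples for access that was revoked
    but is present again, e.g. re-added directly on the target outside governance.
    """
    return [(acct, ent, mgr) for (acct, ent), mgr in sorted(log.revoked.items())
            if ent in target.read(acct)]


if __name__ == "__main__":
    t = FlakyTarget({"jdoe": {"erp:enter_invoice", "erp:approve_payment"}}, 2)
    plan = [Op("jdoe", "erp:approve_payment", "remove"), Op("jdoe", "bi:read_reports", "add")]
    print(fulfil_with_retry(t, plan))
```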


Reporting and Analytics

The following questions can help you identify whether the solution under consideration can give you the information you need via dashboards and alerts while also enabling you to run queries and produce detailed reports.

Reporting and Analytics Requirements SailPoint Other Vendor

Does the software include customizable user dashboards which highlight critical GRC activities and status within the enterprise? Yes

Do users have control over the content and presentation of their dashboard? Yes

Can users drill down from the dashboard into specific tasks and/or supporting data? Yes

Does the software include pre-defined reports out-of-the-box? Yes

Can users set specific parameters when running reports? Yes

Can the configuration of reports be saved for later recall? Yes

Does the software provide users with the ability to create and save ad hoc reports? Yes

Is a report scheduler provided that allows user-specified reports to be run on a regularly scheduled basis with results in email? Yes

Does the solution support saving reporting results in downloadable file formats (e.g., PDF, Excel or CSV)? Yes

Can the solution report on historical “point-in-time” access as well as current state? Yes

Does the software provide reports that are targeted towards proving compliance with various regulatory requirements (e.g., SOX, HIPAA, Basel II, PCI)? Yes

Does the application provide reports on certification activity? Yes

Can each report provide information filtered by certifier, application, department or cost center? Yes

Are policy enforcement reports provided which outline users with active policy violations? Yes

Can the application generate a report highlighting uncorrelated users across applications? Yes

Does the solution provide a report which outlines defined security risks by application? Yes

Does the application include an analytics interface for searching and analyzing identity and audit data? Yes

Can the solution trace activity back to the entitlement that granted the privilege and its associated identity? Yes

Does the solution provide a way to search on activity information according to various search parameters related to the system/activity and the target user base? For example, show all login activity on application Y for users in cost center 1139 with risk scores over 600. Yes

Does the application include a user-friendly dashboard, which highlights governance-relevant activities across the enterprise? Yes

Can users configure the presentation of information on the dashboard and is the personalized dashboard saved? Yes

Can users click-through the dashboard information into detailed information about tasks, users, risk analytics, etc.? Yes

Does the dashboard provide an Inbox that clearly indicates all required actions for the user? Yes


Architecture and Platform

Here are some key criteria to consider when reviewing the core architecture and platform components of your identity governance solution.

Architecture and Platform Requirements SailPoint Other Vendor

Does the solution allow for extensibility or configuration via a scripting language, API or other? Yes

Does the solution use standard programming language for the customization? Yes

Does the solution support web services? Yes

Does the vendor support and participate in standards efforts around identity management interoperability (e.g., XACML, SPML)? Yes

Does the solution provide pass-through authentication, leveraging existing authentication mechanisms to authenticate users? Yes

Does the solution support definition of user roles and assignment of internal access rights based on roles? Yes

Can the internal authorization model be customized? Yes

Can applications run in a clustered environment for load balancing and/or fail-over purposes? Yes

Does the application need to be modified to run in a load balanced or fail-over mode? Yes

Does the solution run on a wide variety of enterprise platforms, application servers and database combinations? Yes

Does the solution support running in a virtualized application environment such as VMware? Yes

Does the proposed solution provide rapid scalability from the proposed configuration to support future business growth? Yes

Is the solution available as a pre-configured appliance? Yes


Configuration and Administration

In order to meet the unique requirements of your organization and IT infrastructure, you’ll want to have the flexibility to customize workflows, processes, interfaces and more. Use this checklist to determine if the solution will meet your needs.

Configuration and Administration Requirements SailPoint Other Vendor

Are the user interface and reporting templates (color, fonts, headers, footers, logos, etc.) extensible? Yes

Can the application’s look-and-feel be customized? Yes

Does the application support end-user configuration of tables and charts? Yes

Are user preferences stored in between sessions? Yes

Does the solution provide a graphical user interface for defining and managing identity business processes and workflows? Yes

Does the solution provide standard/reference workflows? Yes

Does the solution enable the customization of workflows? Yes

Can workflows and the individual process steps within be instrumented to track performance? Yes

What utilities or capabilities exist for tracking requests and workflow execution? Yes

Does the solution provide inline, GUI-based rule editing to allow for rapid definition or editing of configuration rules? Yes

Can any customizations or configurations be rolled forward in an upgrade? Yes

Can customizations be migrated between deployment environments (i.e., development, test, staging, and production)? Yes

Does the solution integrate with enterprise mail servers? Yes

Does the solution provide a batch scheduling utility? Yes

Can actions performed by users of the solution be audited? Yes

Does the solution timestamp all actions? Yes


SailPoint IdentityIQ™

Navigating Today’s Security and Compliance Demands

SailPoint IdentityIQ™ is an innovative identity governance solution that alleviates the cost and complexity of meeting compliance requirements and managing user lifecycles. Traditional approaches to identity management treat governance and provisioning as separate initiatives, often managed by multiple, disjointed products. IdentityIQ, however, provides a unified approach that leverages a common identity governance framework to consistently apply business and security policy and role and risk models across all access-related activities.

With on-demand visibility into “who has access to what,” IdentityIQ equips enterprises to successfully address compliance mandates and governance requirements across the most complex IT environments. Its centralized intelligence and risk-based approach to managing user access provides transparency and strengthens controls. IdentityIQ automates access certifications, policy enforcement, and the end-to-end access request and fulfillment process.

[Figure 2 (diagram not reproduced). Components labelled in the figure: Compliance Manager, Lifecycle Manager, Governance Platform, Policy Management, Role Management, Risk Management, Provisioning Broker, Provisioning Engine, Provisioning Integration Modules, Service Desk Integration Modules, Resource Connectivity.]

Figure 2. SailPoint IdentityIQ is a business-oriented identity governance solution that delivers risk-aware compliance management and lifecycle management, identity intelligence, and user provisioning with a common governance framework for managing roles, risk and policy.


SailPoint IdentityIQ Compliance Manager

Streamline Compliance and Improve Audit Performance

For many organizations, compliance is top of mind. So are the complex issues and the difficult and expensive processes that come with it. That’s why so many organizations are thinking about streamlining. They’re looking for ways to simplify processes and lower the costs of compliance — while still ensuring the effectiveness and accuracy that auditors demand.

SailPoint IdentityIQ Compliance Manager takes a risk-aware approach to compliance that automates the common auditing, reporting and management activities associated with a compliance program, and integrates identity processes such as access certification and policy enforcement for the visibility that compliance demands. By taking a risk-aware approach to compliance, IdentityIQ Compliance Manager helps you to prioritize compliance activities and focus controls on the users, resources and access privileges that represent the greatest potential risk to your business — and the greatest possibility of a failed audit.

Access Certifications: Automates the entire certification process, provides reports, and enables closed-loop remediation.

Policy Enforcement: Creates policies, enforces separation-of-duty policy, scans for and detects violations and initiates remediation when alerted.

[Figure 3 (diagram not reproduced). Labels in the figure: Centralized Identity Data; Define Policy and Controls; Automate Controls (Access Certification, Policy Enforcement); Audit and Measure; and the cycle Define / Automate / Audit.]

Figure 3. Compliance Manager takes centralized identity data, applies automated controls such as access certifications and policy enforcement and then provides greater visibility through reports and customizable executive dashboards.

Compliance Manager Delivers Visibility into and Control over Enterprise Access

Compliance Manager At-a-Glance

With Compliance Manager, you can:

• Reduce the cost of compliance by automating labor-intensive compliance processes

• Strengthen controls to address audit deficiencies or weaknesses

• Provide proof of compliance to internal and external auditors

• Ensure compliance and better manage risk during mergers, acquisitions, or divestitures

• Proactively detect and prevent inappropriate access and violation of corporate policy

“As a publicly-traded company and financial services provider, we are subject to a variety of regulations including FISMA, SOX, PCI, and SAS 70. To meet these requirements, we are standardizing and automating our compliance processes for identity management, so that we can centrally control who gets access to sensitive resources and maintain compliance as the organization changes over time. This centralized and automated approach allows us to proactively address risk and more efficiently maintain a compliant, secure environment.”
Jerry Archer, Chief Security Officer, Sallie Mae


SailPoint IdentityIQ Lifecycle Manager

Deliver Access Quickly, Securely and Cost-Effectively

In today’s world of rapid, constant change, many organizations struggle to address the increased access demands of the business. Current solutions for requesting and managing user access are outdated and inefficient. Processes are disjointed and don’t map succinctly to the core business processes driving changes within the enterprise.

SailPoint IdentityIQ Lifecycle Manager enables business users to directly participate through a business-friendly interface that allows them to request access. IdentityIQ applies policy to the provisioning process ensuring that users only gain the most appropriate levels of access for their job function. In addition to handling self-service access requests, Lifecycle Manager automatically detects lifecycle events (i.e., changes in employment status), through integration with authoritative sources such as HR systems and corporate directories. These changes initiate the required approval process and drive the requested change through Provisioning Broker for closed-loop access fulfillment. By centralizing and managing access request and change processes within the constraints of a pre-defined governance model, Lifecycle Manager enhances the organization’s security and compliance posture and creates transparency for audit-related inquiries.

Self-Service Access Request: Empowers business users to easily request and manage access through a policy-driven “shopping cart” interface.

Password Management: Supports end-user and delegated password change and reset using a simple, straightforward interface designed for business users.

Lifecycle Event Management: Automates changes to access across the lifecycle of a user (e.g., onboarding, promotion or transfer, offboarding).

Configurable Workflows: Facilitate the automated review and approval process to drive provisioning requests, ensure closed-loop access fulfillment and track all access approval activity for auditability.

[Figure 4 (diagram not reproduced). Two flows are shown. Automated Lifecycle Management: new employee joins company; HR department creates new employee record in HR system; IdentityIQ detects change event in HR system and determines appropriate access; IdentityIQ checks policy and routes change request for approval; IdentityIQ orchestrates changes across resources and provisions changes. Self-Service Access Request: employee changes job; manager adds appropriate business roles to “shopping cart”; IdentityIQ determines required data for “check-out”; IdentityIQ checks policy and routes change request for approval; IdentityIQ orchestrates changes across resources and provisions changes.]

Figure 4. Lifecycle Manager facilitates the delivery of access changes according to policy that are generated through an easy-to-use request interface or triggered by automatic lifecycle events.

Lifecycle Manager Streamlines Policy-Driven Access Delivery

Lifecycle Manager At-a-Glance

With Lifecycle Manager, you can:

• Empower business users to independently request and manage access

• Enable business users to proactively change and/or reset passwords

• Speed delivery of access using automated event triggers (i.e., hires, transfers, moves, and terminations)

• Centralize access request and change processes across disparate “last-mile” provisioning processes

• Improve audit performance and risk posture with preventive policy enforcement

• Gain complete visibility to process execution and service-level monitoring

• Streamline IT operations and offload IT and help desk

“With SailPoint IdentityIQ, we have ample visibility into our company’s identity data, which is critical for compliance and security initiatives. Providing our business users with an interface to request and validate access changes, and then automatically provision those changes, will increase the efficiency and effectiveness of the overall process. It’s a win-win situation for both business and information security personnel.”
Jeff Boatman, Information Security Manager, Tokyo Electron, U.S. Holdings


SailPoint IdentityIQ Identity Governance Platform

Establish a Centralized Framework for Identity Governance

Traditional approaches to identity management treat governance, compliance and provisioning as separate activities, making it costly, complex and burdensome to enforce access controls, carry out compliance initiatives and carry on the day-to-day work of meeting increasingly demanding service level requirements. A more innovative and effective approach is required to streamline all these efforts — one that allows compliance and provisioning processes to leverage a common framework for roles, policy and risk management.

The IdentityIQ Governance Platform centralizes identity data, captures business policy, models roles and mitigates risk to support all critical identity business processes. It also orchestrates how access changes are fulfilled by provisioning tools and other change processes at the resource layer. Together, these integrated capabilities allow organizations to build preventive and detective controls that support critical identity business processes, including access certifications, access requests, lifecycle management and provisioning.

Identity Warehouse: Centralizes identity data across resources to provide the foundation for identity compliance and lifecycle management.

Role Management: Mines, models and manages roles to align access privileges with job functions.

Policy Management: Defines, detects and enforces policy during access request, certification and provisioning processes.

Risk Management: Assigns risk scores to users and systems based on multiple factors to strategically prioritize identity compliance activities.

Provisioning Broker: Encapsulates resource-specific provisioning policies and orchestrates changes to user access across disparate fulfillment processes.

Figure 5. With SailPoint IdentityIQ, you get a unified approach leveraging a common identity governance framework to consistently apply business and security policy, role and risk models across all access-related activities including compliance and provisioning.

Governance Platform Supports All Identity Business Processes

Identity Governance Platform At-a-Glance

With the Governance Platform, you can:

• Centralize technical identity data across resources and transform it into rich, business-relevant information

• Create, enforce and verify role-based access across diverse enterprise applications

• Prioritize compliance and security efforts by assessing the risk of each person, application and system resource across the environment

• Detect existing policy violations and prevent new ones from occurring

• Speed provisioning deployments by minimizing the need for custom code

• Orchestrate changes to user access across different “last-mile” provisioning processes

“By using roles to request, approve and certify user access privileges, BNSF will be able to simplify its user administration and compliance processes. SailPoint IdentityIQ will allow us to enforce and verify role-based access across our critical enterprise applications using a streamlined, automated approach.”
Bart Boudreaux, Director, Technology Services, BNSF Railway

[Figure 5 (diagram not reproduced). Labels in the figure include: Provisioning Process, Request Access, Approve, Grant/Remove; Compliance Process, Define Controls, Implement Controls, Review/Certify; Collect Data, Analyze/Audit, Remediate; Provisioning Engine, Help Desk, IT Admin; Closed-Loop Audit.]


SailPoint IdentityIQ Provisioning Engine

Automate Provisioning to Save Time and Reduce Operational Costs

With the rapid rate of change in today’s enterprises, managing changes to user access with limited IT resources is a daunting task — but one that is essential to delivering value to the business and managing risk. Handling access changes efficiently is critical, because taking days or weeks to create account access manually is no longer an acceptable or affordable option.

The SailPoint IdentityIQ Provisioning Engine automates changes to target systems to speed delivery of access requests, changes or remediations requested by the business. This eliminates the need for IT to use slow, error-prone manual processes for provisioning. It’s fully integrated with the other components of IdentityIQ and automatically responds to requests for changes triggered in either IdentityIQ Lifecycle Manager or Compliance Manager.

The IdentityIQ Provisioning Engine offers out-of-the-box connectivity to over 40 systems to enable rapid deployment and provides real-time provisioning of access changes to managed resources. All provisioning changes are implemented according to defined policy and documented to capture a detailed audit trail for future reference.

Data Synchronization: Detects and synchronizes account, entitlement and password changes across enterprise IT resources.

Extensive Connector Library: Provides connectors for over 40 enterprise applications, platforms and databases to speed deployment.

Custom Connector Toolkit: Supports deployment to custom applications.

Provisioning Engine At-a-Glance

With Provisioning Engine, you can:

• Speed the provisioning of access changes to your managed resources

• Reduce costs associated with managing access changes

• Improve compliance by implementing changes according to defined policy

• Generate documentation of your provisioning changes for auditors

• Streamline deployment with out-of-the-box connectivity to over 40 systems and a custom connector toolkit

“The new service provides an open and flexible approach to the ‘last mile’ of provisioning – the connector layer where changes are executed on IT resources – by supporting multiple techniques and processes for making changes to resources. This eliminates the hundreds of thousands of dollars organizations typically spend on ‘last mile’ integrations.”
“SailPoint Offers New Take on Provisioning,” Network World, March 19, 2010


The SailPoint Advantage

A Unified, Sustainable Approach to Identity Governance

Knowledge is power. In the world of identity governance, power begins with knowing and assessing risks that come with granting access to your assets. Power grows stronger with your ability to automate controls that reduce or mitigate these risks. Power becomes meaningful with measuring the effectiveness of your controls and refining your risk model based on the feedback you receive.

SailPoint IdentityIQ gives you both the knowledge and the power to identify risk, control access, see and understand your workforce actions, and use this knowledge to minimize security risks and strengthen controls.

Figure 6. SailPoint is unique in its ability to provide a comprehensive identity governance solution that automates key identity compliance and user lifecycle processes, applies risk-aware controls, delivers cross-enterprise visibility and packages the information in a business-relevant format.

[Figure 6 (diagram not reproduced). Elements labelled in the figure: Unified Governance Model, Business Context, 360º Enterprise Visibility, Risk-Based Approach, Automated Controls.]

Key Elements of SailPoint’s Approach

“Controlling user access in an increasingly complex, regulated and threatening environment is especially challenging when coupled with the pressure to streamline operations and contain costs. We’re working with our customers to deliver better information to make better decisions, so that the right allocation of resources can be made relative to risk. That’s the underlying philosophy behind identity governance.”
Mark McClain, CEO and Founder, SailPoint


Innovations in Identity

SailPoint’s 360-degree visibility into identity data, its ability to transform data into knowledge that is relevant to business users, and its risk-based focus that helps prioritize automated controls all combine to give you the power. You are able to make intelligent decisions during the request, review, approval and fulfillment processes — even while you reduce compliance costs and resource burdens. SailPoint is unique in its ability to assess the risk of a user and assign a score that will help you prioritize your actions, along with its dashboards and powerful analytical tools that give you insights you can’t get anywhere else. With SailPoint, you can rest assured with the knowledge that any technology asset, application or person — including employees, contractors, vendors or partners — has the appropriate, secure access they require. That you are well positioned to meet compliance requirements and audit standards. And, that ultimately your organization is protected with the security it needs. SailPoint is leading the identity management market with key innovations built upon:

• Unified governance model: Provides a unified solution for provisioning and compliance based on a common identity governance model.

• Risk-based approach: Enables organizations to better prioritize and focus internal controls and audits — ultimately reducing their compliance costs and resource burdens.

• 360-degree visibility into identity data: Delivers an on-demand, centralized view into identity and access data providing the transparency needed to reduce potential security and compliance exposures and liabilities.

• Business-relevant identity management: Bridges the gap between business and IT by breaking down language barriers for more successful collaboration while automating key identity business processes such as compliance and user lifecycle management.

Managing the Business of Identity for the World’s Largest Organizations

SailPoint helps the world’s largest organizations to mitigate risk, reduce IT costs and ensure compliance. The company’s award-winning software, SailPoint IdentityIQ™, provides superior visibility into and control over user access to sensitive applications and data while streamlining the access request and delivery process. IdentityIQ is the industry’s first business-oriented identity governance suite that quickly delivers tangible results with risk-aware compliance management, closed-loop user lifecycle management, flexible provisioning, an integrated governance model, and identity intelligence. Visit www.sailpoint.com to learn more.

“SailPoint is competing – and winning – against some very large companies in the identity management market because of our innovative products, and our unmatched commitment to helping companies succeed with their compliance and security efforts. We’re very focused on maintaining our high customer satisfaction levels, and have invested a significant amount of resources internally to make that possible.”

Mark McClain, CEO and Founder, SailPoint


Glossary

A

Access Certifications: The periodic review of user access privileges in order to validate that access privileges align with a user’s job function and conform to policy guidelines. Access certifications are commonly used as an internal control to ensure compliance with Sarbanes-Oxley and other regulations.

Access Control: The system controls and surrounding processes that grant or deny parties the capability and opportunity to access systems (i.e., gain knowledge of or to alter information or material on systems).

Access Management: Systems or processes used to control access to resources within an organization, such as files, applications, systems, devices, etc. Access management is often based on a role and rule evaluation system to grant or deny access to an object in the organization.

Access Privileges: The identified rights that a particular user has to a particular system resource, such as the right to access, view, modify, create, or delete.

Access Request: Systems or processes used to request new access, make changes to existing access, or remove access to resources within an organization.

Activity Monitoring: A means to monitor user actions (e.g., access to systems, modifications to data) using log data collected from systems or applications.

Aggregation: The collection of identity data from heterogeneous data sources into a single identity data repository.

Approval Workflow: Software that automates a business process for sending online requests to appropriate persons for approval. Approval workflow makes an approval business process more efficient by managing and tracking all of the human tasks involved with the process and by providing a record of the process after it is completed.

Attestation: Alternate term for access certification, the periodic review of user access privileges in order to validate that access privileges align with a user’s job function and conform to policy guidelines.

Attribute: A single piece of information associated with a digital identity. Examples of an attribute are name, phone number, and institution affiliation.

Audit: The independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit Deficiency: Auditor’s finding that an IT control is not effective. The term is commonly used in SOX audits to flag a control deficiency that could adversely affect the company’s ability to report external financial data reliably.

Audit Log: A log that captures a record of events that have occurred within a system or application. For example, an audit log may contain all logins made to the system, the name of the persons making the logins, the time the logins occurred, etc.


B

Basel II: Recommendations issued by the Basel Committee on Banking Supervision on how much capital banks need to put aside to guard against different types of financial and operational risks.

Breach: The successful defeat of security controls, which could result in an unauthorized penetration of a system or application; a violation of controls of a particular system such that information assets or system components are unduly exposed.

C

Certification: See Access Certifications.

Compliance: Conforming to a specification or policy, standard or law that has been clearly defined. These laws can have criminal or civil penalties or can be regulations.

Continuous Compliance: Using processes and tools to meet compliance requirements in an automated, consistent, and predictable manner, rather than treating compliance as a one-time event.

Correlation: The process of combining identity data from disparate data sources into a common schema. Related identities can be linked automatically using correlation rules or manually using a tool to establish the correct links.

CSV: A comma-separated values file is a plain-text data file used to store tabular data, with one record per line and the fields of each record separated by commas.

D

Dashboard: A business-oriented user interface that allows users to monitor the status of key operational performance metrics. Dashboards make granular data more accessible through the use of charts, graphs and reports with the ability to drill down into details for more analysis.

Detective Control: A procedure, possibly aided by automation, that is used to identify events (undesirable or desired), errors and other occurrences that an enterprise has determined to have a material effect on its business.

Directory: A shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.

E

Entitlement: A specific value for an account attribute, most commonly a group membership or a permission.

Entitlement Creep: An access control vulnerability that results from workers accruing access privileges over time through transfers, promotions, or simply through the normal course of business. When workers accrue entitlements beyond what they actually need to do their job, organizations become exposed to unnecessary business risks.

Entitlement Management: A mechanism for centrally defining the applications and services to which a user may be given authorization.

G

Gramm-Leach-Bliley Act (GLBA): Federal legislation enacted in the United States to control the ways that financial institutions deal with the private information of individuals. GLBA requires financial institutions to give customers written privacy notices that explain information-sharing practices.

Group: A collection of users that simplifies access control to computer systems. Traditionally, groups are static: a group is defined by individually selecting its members. In a dynamic group, however, all users who match specified search criteria are considered members of the group.


H

Hierarchical Role Model: In role-based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the ‘employee’ role. Above this may be roles ‘department manager’ and ‘accountant’, which inherit all permissions of the ‘employee’ role.

HIPAA (Health Insurance Portability and Accountability Act): Federal legislation enacted in the United States to establish standardized mechanisms for electronic data interchange (EDI), security, and confidentiality of all healthcare-related data. HIPAA mandates security mechanisms to ensure confidentiality and data integrity of any information that personally identifies an individual.

I

Identity Governance: A new category of identity management software that combines compliance management, role management, access request management and identity intelligence to improve accountability and transparency, better meet compliance mandates and manage the business risk associated with user access to critical applications and data.

Identity Management: The policies, rules, processes and systems involved in ensuring that only known, authorized identities gain access to networks and systems and the information contained therein. An identity management system enables organizations to facilitate and control their users’ legitimate access to resources, while protecting information from unauthorized access or use.

Insider Threat: The potential risks of fraud, theft, sabotage, or privacy breaches that originate from workers inside an organization with access to sensitive applications and data.

Internal Controls: Processes designed to help organizations prevent and detect fraud and protect sensitive assets. Internal controls are usually a means by which an organization’s processes and IT resources are reviewed, monitored, and measured.

L

Last-Mile Provisioning: The process for implementing changes on target resources based on user lifecycle changes.

LDAP (Lightweight Directory Access Protocol): Set of protocols for accessing information in directories. LDAP makes it possible for almost any application running on virtually any computer platform to obtain directory information.

Least Privilege: A concept that seeks to restrict a user’s access (e.g., to data or applications) or type of access (e.g. read, write, execute, delete) to the minimum necessary to perform his or her duties.

M

Material Weakness: Auditor’s finding that an IT control is severely deficient. The term is commonly used in SOX audits to indicate that a material misstatement of financials cannot be prevented or detected.

Model Audit Rule (MAR): A mandate effective January 1, 2010 that requires non-public insurers in the United States to prove that they have effective controls over the integrity of financial systems and data. Similar to Sarbanes-Oxley, MAR requires more transparency, tighter adherence to internal controls and better corporate governance.

N

NERC CIP: A framework developed to protect the ongoing reliability of the North American bulk power system that was approved in early 2008. The CIP standards require utilities to identify and secure their critical cyber assets.

O

Orphan Account: An account belonging to a user who has since left the organization. Orphan accounts are a direct result of failure to remove access privileges when workers terminate or transfer jobs and are a frequent focus for IT auditors looking for security risks.


P

Password: A form of secret authentication data that is used to control access to system services. It enables the holder of an electronic identifier to confirm that he or she is the person to whom the identifier was issued.

Password Management: Automation of the process for controlling setting, resetting and synchronizing passwords across systems.

Preventive Control: An internal control that is used to prevent undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on its business.

Payment Card Industry (PCI) Data Security Standard (DSS): A standard developed by the PCI Standards Council to enhance payment account data security. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures.

Policy: An authoritative, prescribed set of rules for conducting business that may be defined by an organization or by the outcome of regulatory mandates.

Policy Enforcement: The set of preventive and detective controls that automatically ensure that defined policy is followed by the organization.

Policy Evaluation: Rules that automatically enforce policy by checking a new request for policy violations before granting it.

Provisioning: The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity.

R

Resource: A system, application, database, or other object under management by an identity management system.

Reassign: An action that transfers responsibility for a certification to a different reviewer.

Remediation: The act or process of remedying a compliance problem or issue, such as a policy violation.

Revocation: The act of removing a specified role or entitlement from a user based on a decision made by a reviewer during a certification.

Risk: The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and the resulting impact if this should occur.

Risk Assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.

Risk Management: The total process of identifying, controlling, and mitigating risks.

Risk Mitigation: A process to reduce either the probability or the consequences of a threat. Risk mitigation options can include eliminating vulnerabilities; strengthening internal controls; or reducing the magnitude of adverse impacts.

Role: A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization.

Role Assignment: The process of granting roles to users.

Role-Based Access Control (RBAC): A model that limits user access based on the user’s role within an organization.

Role Creation: The process of defining roles within a role model and mapping those roles to the appropriate set of access privileges based on business process and job function.


Role Certification: The periodic review of a role or roles in order to validate that the role contains the appropriate access privileges and that members of the role are correct. Role certifications are commonly used as an internal control and a way to prevent role proliferation.

Role Lifecycle Management: The process of automating role creation, modification, retirement; role approvals; role certifications; and role analytics.

Role Management: A new category of identity management software that focuses on the discovery, analysis, design, management, reporting, and distribution of roles and related policy.

Role Model: A schematic description of roles that defines roles and role hierarchies, subject role activation, subject-object mediation, as well as constraints on user/role membership and role set activation.

Rules: A set of prescribed guidelines that may be defined by an organization or by the outcome of regulatory mandates.

S

Sarbanes-Oxley Act (SOX): Also known as the “Public Company Accounting Reform and Investor Protection Act,” a law enacted in 2002 to protect investors by improving the accuracy and reliability of corporate financial disclosures. The regulation affects all companies listed on stock exchanges in the U.S.

Separation of Duty (SoD): An internal control designed to prevent fraud by ensuring that no one person has excessive control over one or more critical business transactions. Also sometimes called Segregation of Duties.

Self-Service: The process of allowing users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval.

Service Account: A type of shared account that is used for application-to-application communications when secured access must be granted by one system to another system.

Shared Account: An account that is shared by one or more users and is not associated with a particular person. Examples of shared accounts are system administration accounts such as “Administrator” or “root” and service accounts.

SIEM (Security Information and Event Management): Software that collects data about security-related events (typically from log files) into a central repository for trend analysis and reporting.

Single Sign-On (SSO): An authentication process where the user can enter one name and password and have access to more than one application or access to a number of resources within an enterprise.

Solvency II: A new risk-based regulatory framework that applies to all insurers in EU member states and takes effect in 2012. Solvency II seeks to instill risk awareness into the governance, operations, and decision-making of the European insurance business.

T

Transparency: The availability of full information required for accountability, risk management, and collective decision making.

U

User: Any person who interacts directly with a computer system.

User Lifecycle Management: The process for automating and managing user onboarding, promotions and transfers, and offboarding.
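As an added example that is not part of this guide or of SailPoint’s software, the following Python models several of the glossary entries above together: a Hierarchical Role Model with inherited entitlements, Policy Evaluation of an access request against a Separation of Duty policy (a Preventive Control), and Orphan Account detection after Aggregation and Correlation (a Detective Control). The role names, entitlement strings, accounts and identities are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """A role in a hierarchical role model (see 'Hierarchical Role Model')."""
    name: str
    entitlements: set = field(default_factory=set)  # entitlements held directly
    parents: set = field(default_factory=set)       # roles whose entitlements are inherited

# Constructed role model: the glossary's bank example.  'accountant' and
# 'department manager' both inherit everything granted to 'employee'.
ROLES = {
    "employee": Role("employee", {"email:mailbox", "intranet:read"}),
    "accountant": Role("accountant",
                       {"AP:create_vendor", "GL:post_journal"}, {"employee"}),
    "department manager": Role("department manager",
                               {"AP:approve_payment"}, {"employee"}),
}

# Constructed SoD policy: nobody may both create vendors and approve payments.
SOD_POLICY = [("AP:create_vendor", "AP:approve_payment")]

def effective_entitlements(role_name, roles=ROLES):
    """Entitlements of a role plus everything inherited up the hierarchy."""
    result, seen, stack = set(), set(), [role_name]
    while stack:
        name = stack.pop()
        if name in seen:            # guards against cycles in a bad role model
            continue
        seen.add(name)
        result |= roles[name].entitlements
        stack.extend(roles[name].parents)
    return result

def identity_entitlements(assigned_roles, roles=ROLES):
    """Union of effective entitlements over all roles assigned to an identity."""
    ents = set()
    for role_name in assigned_roles:
        ents |= effective_entitlements(role_name, roles)
    return ents

def sod_violations(entitlements, policy=SOD_POLICY):
    """Detective check: which SoD pairs are both present in this entitlement set."""
    return [pair for pair in policy if pair[0] in entitlements and pair[1] in entitlements]

def evaluate_request(current_roles, requested_role, roles=ROLES, policy=SOD_POLICY):
    """Preventive control (policy evaluation): check a role request for SoD
    violations before it is granted.  Returns (allowed, violations)."""
    proposed = identity_entitlements(set(current_roles) | {requested_role}, roles)
    violations = sod_violations(proposed, policy)
    return (not violations, violations)

# Constructed aggregation result (accounts read from a resource) and
# constructed identity data (e.g. from an HR feed), correlated on employee_id.
ACCOUNTS = [
    {"resource": "SAP", "account": "jdoe", "employee_id": "1001"},
    {"resource": "SAP", "account": "rsmith", "employee_id": "1002"},
    {"resource": "SAP", "account": "tmp_contractor", "employee_id": "9999"},
]
IDENTITIES = {
    "1001": {"name": "Jane Doe", "status": "active"},
    "1002": {"name": "Rob Smith", "status": "terminated"},
}

def find_orphan_accounts(accounts, identities):
    """Detective control: flag accounts with no active owner after correlation.
    Returns {"resource:account": reason}."""
    orphans = {}
    for acct in accounts:
        owner = identities.get(acct["employee_id"])
        key = f'{acct["resource"]}:{acct["account"]}'
        if owner is None:
            orphans[key] = "uncorrelated: no matching identity"
        elif owner["status"] != "active":
            orphans[key] = f'owner {owner["name"]} is {owner["status"]}'
    return orphans

if __name__ == "__main__":
    print(evaluate_request({"accountant"}, "department manager"))
    print(find_orphan_accounts(ACCOUNTS, IDENTITIES))
```

Granting ‘department manager’ to an existing ‘accountant’ is refused because the inherited entitlements together violate the SoD pair, while the two SAP accounts without an active correlated owner are reported as orphans.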


Resources


For further information about the area of identity governance, try these links to experts, websites and publications.

Websites

www.sailpoint.com
blog.sailpoint.com

Analysts

Burton Group
Provides in-depth IT research and advisory services to executives and technologists at Global 2000 organizations with a focus on strategic business technologies and the unique needs of enterprise organizations.
www.burtongroup.com

Forrester
Identifies and analyzes emerging trends in technology and their impact on business.
www.forrester.com

Gartner
Provides research and analysis of the computer hardware, software, communications, and related information technology industries.
www.gartner.com

IDC
Provides data, analysis and advisory services on information technology (IT) markets, trends, products, vendors, and geographies.
www.idc.com


Membership Organizations

(ISC)²
The global leader in educating and certifying information security professionals throughout their careers. A network of certified information security professionals. Members have access to current industry information, networking opportunities, discounts on industry conferences and valuable career tools.
www.isc2.org

National Institute of Standards and Technology (NIST)
NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
www.nist.gov

OASIS
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. The consortium produces more Web services standards than any other organization along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries.
www.oasis-open.org

Magazines

CIO Magazine
Resources for Chief Information Officers. Technology executives can find articles, research, events, and CIO communities.
www.cio.com

CISO Handbook
CISOHandbook.com is a resource site for CISOs, CSOs, and security professionals. A place where security executives, managers, and practitioners can share ideas, challenges and opportunities associated with developing, participating in, or managing Enterprise Security Programs.
www.cisohandbook.com

CSO Magazine
Provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
www.csoonline.com

ISACA Journal
ISACA and its affiliated IT Governance Institute lead the information technology control community and serve its practitioners by providing the elements needed by IT professionals in an ever-changing worldwide environment.
www.isaca.org


Network World
A provider of information, intelligence and insight for Network and IT Executives, with an editorial focus on delivering news, opinion and analytical tools for key decision makers who architect, deploy and manage business solutions.
www.networkworld.com

SC Magazine
Aims to provide IT security professionals with in-depth and unbiased information. Each monthly issue contains news, analysis, features, contributions from thought leaders and product reviews. Established in 1989, it is the longest established IT security title in the United States.
www.scmagazine.com

Recommended Reading

General Purpose RBAC Standards
American National Standard 359-2004 is the fundamental Information Technology industry consensus standard for RBAC. In 2000, NIST proposed a unified model for RBAC, based on the Ferraiolo-Kuhn (1992) model, in the framework developed by Sandhu et al (1996). The model was further refined within the RBAC community and has been adopted by the American National Standards Institute, International Committee for Information Technology Standards (ANSI/INCITS) as ANSI INCITS 359-2004.

Related Resources:

• Tutorial-style explanation of the NIST model used in the standard: http://csrc.nist.gov/groups/SNS/rbac/documents/towards-std.pdf

• ANSI/INCITS 359-2004 standard (link to ANSI/INCITS site): http://www.techstreet.com/cgi-bin/detail?product_id=1151353

Insider Threat Research by CERT
CERT is an organization devoted to ensuring that appropriate technology and systems management practices are used to resist attacks on networked systems, to limit damage and to ensure continuity of critical services in spite of successful attacks, accidents, or failures. CERT is located at the Software Engineering Institute (SEI), a federally-funded research and development center (FFRDC) operated by Carnegie Mellon University. CERT has conducted extensive insider threat research focusing on both technical and behavioral aspects of actual compromises. They produce models, reports, training, and tools to raise awareness of the risks of insider threat and to help identify the factors influencing an insider’s decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve the survivability and resiliency of the organization.
http://www.cert.org/insider_threat/

Risk Management Guide for Information Technology Systems
This guide, provided by NIST, provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks. The NIST guidelines cover IT risk management assessment and mitigations.
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf


© 2010 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or services are trademarks of their respective companies. 0710

Contact SailPoint

SailPoint: Your Partner for the Identity Governance Journey

For more information or advice on how to navigate the path to Identity Governance contact us:

USA Phone: 512.346.2000
Toll-free: 1.888.4SAILPT
UK Phone: +44 845 273 3826
www.sailpoint.com
