Access governance en

Omnitech s.r.l. Via Fiume Giallo, 3 - 00144 Roma Via dei Bossi, 7 - 20121 Milano Tel.: +39 06 6782586 • Fax.: +39 06 99331512 • www.omnitechweb.it Excellence in integrated IT services and solutions. Access Governance Maurizio Milazzo

Transcript of Access governance en

Page 1: Access governance en

Omnitech s.r.l. • Via Fiume Giallo, 3 - 00144 Roma • Via dei Bossi, 7 - 20121 Milano • Tel.: +39 06 6782586 • Fax.: +39 06 99331512 • www.omnitechweb.it

Excellence in integrated IT services and solutions.

Access Governance

Maurizio Milazzo

Page 2: Access governance en

Governance

• Original term coming from Anglo-Saxon studies of political science

• Refers to a complex system and to the flexibility of the relationships between the system's subjects

• Term adopted by economists when discussing the governance of complex economic structures (Corporate Governance)

Page 3: Access governance en

… Governance

• From a Model based on Hierarchical Controls to Interrelation Forms that are the System (R. Mayntz 1999, sociologist)

• Procedure or tool set used for policy processing and development with more openness in decision-making processes, involving stakeholders through better information sharing and by including them in the listening phase.

Page 4: Access governance en

Access Governance

• Procedure or tool set used to give Users correct Access Management to the right Company Software Applications, taking into account Corporate Policies, Compliance and Digital Identity Management, based on Roles Lifecycle Management.

Page 5: Access governance en

Access Governance

• It is a non-technological approach addressing a Scenario of Processes, People, Compliance and Rules, Data and Systems, Access Rights and Personal Information Management, oriented to reducing the costs that come from inappropriate accesses, violations and rights not aligned with the Company's needs.

Page 6: Access governance en

Access Governance

• Top Down Iterative Approach

• Assessment

• Auditing

• Segregation of Duties

• Roles Lifecycle Management

• Starting point for an I&AM Project

• Not dependent on I&AM

Page 7: Access governance en

Resource Needs

• Competences

• Methodology Guidelines

• Tools

• Auditing Abilities

• Sponsorship

Page 8: Access governance en

Gartner Newsroom

• Gartner Says Most Organizations Approach IAM in the Wrong Way (Egham, UK, February 16, 2011)

• “Between half and two-thirds of organizations attempting to establish a truly-effective IAM program approach it in the wrong way,” said Earl Perkins, research vice president at Gartner. “IAM process requirements should always precede organization and technology decisions. But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes.”

• “The ‘build’ experience of IAM projects has traditionally not been a good one,” said Mr. Perkins. “While some experiences have improved and technologies are evolving, major efforts to formally build an IAM system for an organization overlook a key lesson — planning for IAM often starts from the wrong direction with the wrong people, or at least not everyone who should be involved.”

• … “IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organization relative to policies, processes and people,” said Mr. Perkins. “Products are actually a relatively small focus of the decision process in an IAM program.”

• … By linking operational IAM process to the policy model of the organization, this part of IAM governance can be established as a life cycle, rather than as an ad hoc set of activities applied in a reactionary way to access and identity problems. IAM as a process can be effective in converging business and enterprise processes with IT processes and accelerating IAM program maturity for the long term.

• I&AM has to result from an Access Governance Model

Page 9: Access governance en

Access Governance: Why

• Clarify who Accesses which Resource and Why, considering Company Needs in terms of Compliance, Processes and People

• Reducing Economic Losses

• Avoiding unpredictable Expenses

• Mitigating Risks

• Avoiding friction with Clients

• Avoiding Company Reputation damage

Page 10: Access governance en

Cost Control

Source: Novell

Page 11: Access governance en

Cost Avoiding

Source: Novell

Page 12: Access governance en

Risks Avoiding

• Inappropriate Access to Systems and Data

• Outdated Access Rights or Extended Rights

• “Orphans” Management

• Data Entry Errors Cut

• Violations

Page 13: Access governance en

Access Lifecycle Management

Source: Novell

Page 14: Access governance en

Critical Success Factors

Sponsorship

• Authority and Leadership

Target shared with Management

Policies Compliance Control

• Change Management

Prevention

• A healthy Professional Lifestyle

Page 15: Access governance en

What can happen if you do not do it

Clients and Partners Reliability

Appreciation and Reputation Money

Page 16: Access governance en

What can happen if you do it

• Cost Control: Paper, People & Communication

• Reputation: Customer Loyalty, Market Share

• Risk Avoidance: Unwanted Media Attention, Regulatory Audit Finding

Journal

• Added Value: Delighted Customers, Market Differentiation

• Cost Avoidance: Penalty Fees, Redundant Processing, Reduced Development

Page 17: Access governance en

Access Governance Benefits

• Awareness

• Consistent Accesses

• Strategic Model as Reference point

• Information Leakage Prevention

Page 18: Access governance en

Conclusions

• The Inferior Doctor treats actual sickness

• The Mediocre Doctor attends to impending sickness

• The Superior Doctor prevents sickness (Old Chinese Proverb)

Page 19: Access governance en

Access Governance

First Step to the Global Access Assurance

Maurizio Milazzo