Slide 1
I AM SPE
Identity Access Management – Phase 1-2 (Governance structure, request portal, data governance, access certifications)
March 2014
Slide 2
Executive Summary
Deloitte 11-week study of SPE’s IAM Program (Sept 2012 - Jan 2013)
  Benchmarked progress against the 2004 Roadmap and industry practices
  Assessed and documented current state and future requirements and objectives
  Assessed and documented the current environment with respect to infrastructure, policies, procedures, processes, constraints, and risks
Key Findings:
  Undefined Governance and Ownership of Workforce types
    Full-time employees are owned by P&O and globally managed in Workday (all other workforce types lack centralized ownership and tracking)
    Recurring audit issues stemming from inconsistent processes and lack of governance (application controls, asset management and reconciliation, physical security controls)
  Decentralized Onboarding / Offboarding Process
    Lack of a standard process for onboarding and offboarding for multiple user types and across the regions
    On average it takes 3-4 weeks to onboard a new joiner
  Lack of an authoritative source for identity data
    Inconsistent and inaccurate data
    Manual entry of identity data across applications leads to audit issues (there is no clear number of identity stores)
Detailed Process Work and Program/Project Planning (Jan 2013 - Oct 2013)
  Designed the approach for future state Identity LifeCycle Management, including Global Template
  Comprehensive assessment for all workforce types and scenarios (new hire, change/update, termination, rehire)
  Recommended a phased project approach – Phase 1 and 2 are ready for greenlight
Slide 3
IAM Proposed Solution
[Process flow diagram]
Workday
P & O & Backlot Admins
Create in authoritative source
Automatic create in IDM
AD/Outlook
Default access
Notify manager to initiate further requests
Manager
Onboarding
Request Access
Provision Access
Certify Access
Terminate Access
Off-boarding
Manager
ServiceNow
Access Request Portal
Systems
Applications
Assets
Provisioning Teams
Request application access
Request privilege access
Request assets
Automated
Manual
Request
Application Admins / Managers
Access Review Tool
Revoke access
Generate certification events
Workday
P & O
Backlot Admins
Terminate in authoritative source
Automatic terminate in IDM
Notify manager to collect physical assets
Manager
ServiceNow
Create Non-FTE user
Manager & Badge
SailPoint IIQ
ServiceNow “Launch in Context” with SailPoint
Terminate Non-FTE user
Manager & Badge
Pinnacle (devices), Provance (desktop access), etc.
AD/Outlook
Default access terminated
Slide 4
Financial Summary

Year One Project Costs
  Software: $82,500
  Hardware: $0
  Internal Labor: $127,946
  External Labor: $1,717,834
  Inception Funding (FY14): $190,000
  TOTAL: $2,118,280

Five-Year Summary and Payback
  Five-Year Total Cost: $3,552,815
  Five-Year Total Benefit: $11,131,777
  Five-Year Net Benefit: $7,578,962
  Internal Rate of Return: 61.3%
  Net Present Value at 10%: $4,003,827
  Payback in Months: 13

FY1 Project Benefits
  Hard $ Benefits: $0
  (cost reduction, cost avoidance, and operational efficiencies): $1,083,089
  TOTAL: $1,083,089

Funding by Fiscal Year
  FY15: $1,928,280
  FY16: $359,535
  TOTAL: $2,477,815

Depreciation:
Ongoing Costs: $1,075,000

** Five-Year Benefit is a total of the Quantifiable Business and IT Benefits explained in the slides to follow
Slide 5
Benefits
Operational Efficiency
  Eliminated data entry into multiple systems (e.g. Ariba, Notes, Email, paper forms)
  Time savings across multiple groups including: GAA, Regional Admins, Desktop Support (i.e. multiple ServiceNow tickets that are manually created will be auto-generated)
  Reduction in turnover costs due to streamlining the onboarding process (based on AberdeenGroup’s 2009 ‘Onboarding Benchmark Report’)¹
  Automation of IT Consultant On-Boarding (Lotus Notes Star and IT Facilities & Admin replacement, as well as PPM)
  Automated Ariba COFA approval will be triggered by IAM solution (closed loop)
Cost Reduction / Avoidance
  Elimination of Support / Maintenance for end of life solution (throwaway customizations)
  Cost for additional future assessment
Risk Mitigation
  Audit findings
  Consolidation of access requests, approvals / workflow, enabling closed loop for audit
¹ 85% of new hires decide, within the first six months, whether or not they will stay with their new employer. (2% decrease in turnover due to streamlining onboarding, ~400 new Regular employees from ‘12-’13, avg. $40,000 salary, using conservative 1x salary to replace employee is $1.4M)
Slide 6
Competitive Analysis
Recent studios implemented the following: Paramount Pictures - Microsoft / ServiceNow
Other SailPoint customers: RBS, BNP Paribas, Fidelity, Wellpoint, Bank of America, JP Morgan Chase, MGM Resorts, Cardinal Health, Adobe, ING DIRECT, Sallie Mae, OfficeMax, Exxon Mobil, UBS, UPS, Travelers, New York Life
Scotia Bank, Exxon and Anadarko Petroleum Foundation use SailPoint and ServiceNow (“Launch in Context”)
Slide 7
IAM SPE Timeline
[Gantt chart]
Time axis: Jan 2014 through July 2015, by month; fiscal quarters Q4 FY14, Q1 FY15, Q2 FY15, Q3 FY15, Q4 FY15, Q1 FY16, Q2; month index 0 to 14
Phases: Phase 0, Phase I, Phase II
Activities and milestones: Planning, Project Kickoff, Greenlight, Design, Development, SIT, UAT, Cutover, Go Live (Design through Go Live shown twice), Implementation, Hypercare
Governance/Data Governance
Change Management
Slide 8
Appendix
Slide 9
Security, Risk and Compliance Considerations
Multiple SEHS audit issues resolved by automated provisioning/deprovisioning to OnGuard
  Active badge accounts that should have been terminated due to termination in IDM
  Mismatched badge accounts to IDM accounts due to manual errors
  Badge accounts are active in OnGuard but terminated in IDM
  Accounts are terminated in IDM for users who return as badge-only and the IDM account is never reactivated (out of sync)
Cost/time associated with manual access reviews will decrease due to automated certifications (required per SOX compliance). Historically, deficiencies have been reported year to year for inaccurate or incomplete user reviews. Resolves deficiencies FY13: C401.2.3, C205.3.1, C401.2.3.
Audit issues related to Privileged Account Management will be resolved. Per GISS Monitoring, Section 3, critical information systems and related events should be monitored. Per SOX, resolves deficiencies: C404.1.1, 404.1.2, 404.1.3, C20531.
Audit issues surrounding Access Control will be resolved. Per GISS, Access Control, SPE systems (SOX and non-SOX) should be appropriately restricted. IAM will provide a record of critical SOX vs. non-SOX systems to enforce proper access control, including terminations in a timely manner. Relates to findings: SOX C40131 and C40133, etc.
Slide 10
Scope and Benefits By Phase