Access Governance – approach and methodology at Fiducia IT AG
awareness – vision – reality
Marek Chroust - COGULA, Armin Schönherr - Fiducia | 12.05.2011
110504 EIC Fiducia and COGULA v07 | Slide 2 Copyright 2011 © Fiducia IT AG, COGULA
agenda
Fiducia and COGULA
motivation and objectives
methodology
results and benefits
outlook
Fiducia IT AG
Germany's largest IT service provider in the Cooperative Financial Group
more than 770 banks – cooperative and private – with approximately 100,000 client workstations run Germany's leading core banking system agree
66 million managed accounts, 18.2 billion transactions processed per year
Fiducia IT AG
– guarantees constant centralized system and network monitoring 24 hours a day, 7 days a week
– maintains the high performance and security of its maximum-availability computer centre
– was the first computer centre worldwide to use state-of-the-art security software for reliable authentication
– operates one of the world's largest MPLS networks – a standardized platform for rapid and secure communication
50 years of experience, more than 2,300 employees
Fiducia offers customers the best services at fair market prices. This is a claim that Fiducia is solidly committed to.
COGULA Management Consulting
founded 2010
Governance, Risk Management, Compliance & IT Security
major topics – access governance – audits – regulations – IdM compliance
historically grown, technically driven
customers – upper medium-sized businesses in the markets of • finance • healthcare • public sector • automotive • manufacturing
motivation and objectives
complexity of the current situation – a multitude of different systems, each with its own identity management and access management
approaches – several different projects regarding identity management and access management, with varying information needs
time / quick win
lack of internal know-how
search for "Ariadne's thread" as guidance
meeting the regulatory requirements of the BDSG (German data protection act) and KWG (German banking act) – task-oriented access control
need for an efficient methodology with the prospect of – decentralized responsibility and usage – additional advantages
methodology – COGULA core approach
identification of the right "parts" to start with – business processes – roles – tasks
customizing of COGULA's methodology and tools
identification and collection of all the necessary information – organisational chart – process descriptions – role definitions – current access entitlements
preparation of prefilled templates
definition and involvement of the participating departments for the pilot – interviews and workshops to complete the templates
review and "task mining", based on the results, using COGULA's Task-Entitlement-Matrix to identify the access requirements for any kind of resource (facilities, systems, applications, data)
methodology – customized COGULA methodology and tools
business-oriented role model
generic roles (e.g. employee or manager) and derived roles (based on business processes and tasks) respectively define the requirements for access entitlements
flexible framework
the identified requirement for access entitlements is the qualified information necessary for the definition of functional groups
functional groups enable efficient and highly automated access management
use of the most stable determinant – processes instead of the organisational chart
methodology – customized COGULA methodology and tools
customized and unified COGULA Task-Entitlement-Matrix, based on Microsoft Excel
transparent approach, easy to explain and to use
decentralized responsibility for the correctness of the information
usage by all managers, right from the beginning
transparent and complete up-to-date information on required access entitlements via a continuous verification process
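The methodology slides describe a chain the deck itself keeps in Excel: tasks map to entitlements in the Task-Entitlement-Matrix, roles (generic or derived from business processes) are sets of tasks, a role's union of entitlements is its functional group, and the review step compares task-based requirements with the entitlements actually granted. The following is an added example, not code or data from the Fiducia/COGULA project: the matrix, roles, persons, systems and the criticality classes are constructed illustrations, and the helper names are assumptions.

```python
"""Task-Entitlement-Matrix review: derive required entitlements from business
tasks, compare them with actual grants, and find roles that can be merged.

Added example; all matrix contents, names and systems below are constructed
illustrations, not data from the Fiducia / COGULA project.
"""
from collections import defaultdict

# Constructed Task-Entitlement-Matrix: task -> set of (resource, right).
# A resource may be a facility, a system, an application or a data object.
TASK_ENTITLEMENTS = {
    "open_account":   {("core_banking", "account.create"), ("crm", "customer.read")},
    "approve_loan":   {("core_banking", "loan.approve"), ("crm", "customer.read")},
    "close_account":  {("core_banking", "account.close"), ("crm", "customer.read")},
    "read_mail":      {("mail", "mailbox.own")},
    "enter_building": {("facility", "badge.main_entrance")},
    "manage_team":    {("hr", "team.read"), ("hr", "absence.approve")},
}

# Constructed classification of resources (highly critical / critical / non-critical).
RESOURCE_CRITICALITY = {
    "core_banking": "highly critical",
    "hr": "critical",
    "crm": "critical",
    "mail": "non-critical",
    "facility": "non-critical",
}

# Roles are sets of tasks, never of entitlements: generic roles apply to
# everyone in a class of staff, derived roles come from process tasks.
ROLE_TASKS = {
    "employee":      {"read_mail", "enter_building"},      # generic
    "manager":       {"manage_team"},                      # generic
    "account_clerk": {"open_account", "close_account"},    # derived
    "loan_officer":  {"approve_loan"},                     # derived
    "branch_clerk":  {"open_account", "close_account"},    # derived, same tasks as account_clerk
}

PERSON_ROLES = {
    "alice": {"employee", "account_clerk"},
    "bob":   {"employee", "manager", "loan_officer"},
}

# Constructed snapshot of what the target systems grant today.
CURRENT_ENTITLEMENTS = {
    "alice": {("mail", "mailbox.own"), ("facility", "badge.main_entrance"),
              ("core_banking", "account.create"), ("core_banking", "account.close"),
              ("crm", "customer.read"),
              ("core_banking", "loan.approve")},   # not justified by any task
    "bob":   {("mail", "mailbox.own"), ("facility", "badge.main_entrance"),
              ("core_banking", "loan.approve"), ("crm", "customer.read"),
              ("hr", "team.read")},                # absence.approve never provisioned
}


def role_entitlements(role):
    """Functional group of a role: the union of the entitlements of its tasks."""
    ents = set()
    for task in ROLE_TASKS[role]:
        ents |= TASK_ENTITLEMENTS[task]
    return frozenset(ents)


def required_entitlements(person):
    """Task-based requirement of a person: the union over all assigned roles."""
    ents = set()
    for role in PERSON_ROLES[person]:
        ents |= role_entitlements(role)
    return ents


def review(person):
    """Compare requirement with actual grants. Excess grants are ordered so
    that highly critical resources come first for the recertification step."""
    order = {"highly critical": 0, "critical": 1, "non-critical": 2}
    required = required_entitlements(person)
    actual = CURRENT_ENTITLEMENTS[person]
    excess = sorted(actual - required,
                    key=lambda e: (order[RESOURCE_CRITICALITY[e[0]]], e))
    missing = sorted(required - actual)
    return excess, missing


def redundant_roles():
    """Roles with identical functional groups can be merged; this is where the
    reduction in the number of required roles comes from."""
    by_group = defaultdict(list)
    for role in ROLE_TASKS:
        by_group[role_entitlements(role)].append(role)
    return [sorted(roles) for roles in by_group.values() if len(roles) > 1]


if __name__ == "__main__":
    for person in PERSON_ROLES:
        excess, missing = review(person)
        print(person, "excess:", excess, "missing:", missing)
    print("mergeable roles:", redundant_roles())
```

Run as a script, the review flags alice's loan approval right as excess on a highly critical system and bob's missing absence approval, and reports that account_clerk and branch_clerk describe the same functional group. The same three functions are what a spreadsheet-based matrix does by hand: the decentralized part (managers confirming task assignments) stays in the templates, the derivation and the comparison against the provisioning systems are mechanical and can feed a recertification workflow.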
results and benefits
project-oriented results
– customer-oriented terminology
– common understanding
– transparency of the • objectives • business units, business processes and the tasks to be considered • systems, applications and data to focus on
– customer-oriented methodology and tools
effective results
– transparent and easy-to-implement methodology and tools
– standardized and efficient approach for describing roles and the access entitlements they need
– adjusted and described roles and defined required access entitlements
– compliance (KWG (German banking act) and MaRisk) • integrity of all relevant access entitlements, based on the single tasks of a single person (internal and external employees)
– increased awareness regarding access governance
results and benefits
beyond
– classification of all business processes, systems, applications and data • highly critical, critical, non-critical
– input for the system documentation (ISO 27005) and for our IT risk management processes
– eliminated need for additional organisational and / or technical roles
– reduced number of actual and / or required roles
– input for our skill management system
the most valuable finding:
– this small "module" plays a crucial role in mastering a multitude of current and future challenges
results and benefits – lessons learned
positive
– fast implementation of the methodology and the applied tools
– business-oriented approach vs. technical approach
– unexpected key to supporting additional subjects, e.g. skill management
not quite as positive
– using Microsoft Excel is hard to accept for the technical experts • existing expectation to solve all kinds of problems with appropriate tools and databases • difficult to convince
– steep functional learning curve due to lack of market experience
– system support still to implement
outlook
implementation of a universal application & approval process
– using a standardized workflow engine
– based on the identified roles
– integrating the existing identity management and access management systems
– complemented by a recertification process
all in all:
– this small gear drives a large and complicated machinery
we have found what we were looking for
thank you for your interest
Marek Chroust, COGULA Management Consulting
Armin Schönherr, Fiducia IT AG