Does anyone have any guidance, tips, and/or templates to share to help establish Identity Access Management governance as a part of an overarching Identity Governance and Administration program?

4.7k views, 2 upvotes, 2 comments

VP of Information Security in IT Services, 10 months ago

Check research by Rebecca Archambault too.

Director of IT in Healthcare and Biotech, 2 years ago

Here's a template that you can use: 

1. Executive Summary
Background: Explain the objectives and risks and reasons the IAM is needed. 
Specify the IAM governance scope (e.g., user access to systems, privileged access, etc.)
Objectives: Improve security, compliance, or operational efficiency.

2. Identify stakeholders
Business Units: Engage affected department leaders.
Legal & Compliance: Assure framework compliance.
IT Teams: System administrators, security analysts, and others will install and manage IAM systems.

3. Risk Assessment
Asset Identification: List IAM-covered systems, applications, and data.
Threat modeling: Identify insider and unauthorized access risks. 
Suggest risk mitigation strategies.

4. Policymaking
Access Control Policies: Specify roles, permissions, and assignment/revocation.
Policies: Define authentication mechanisms (e.g., two-factor authentication, biometrics).
Audit and Monitoring Policies: Decide how and when to audit access.

5. Technology Choice
Product Evaluation: Define must-have and nice-to-have features, then explore the market for IAM solutions that fulfill them.
Determine vendor competence, scalability, and system compatibility.

6. Plan Implementation
Timeline: Explain the rollout of each component in phases.
Each step requires people and financial resources. 

7. Training and Awareness
Create end-user and administrative training modules.
Keep employees informed and watchful with continual awareness initiatives.

8. Audits and Monitoring
Establish KPIs to evaluate IAM governance.
Schedule frequent audits to verify policy compliance.

9. Feedback Loop
Collect end-user and stakeholder input to enhance IAM governance. 

10. Check and Update
Review the IAM governance structure periodically to reflect lessons learned, comments, and technical or business changes.

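As an added example that is not part of the original answer: steps 4 and 8 of the template (access control and audit policies, KPIs and periodic audits) become concrete once the policy is expressed as checks that run over an inventory of accounts. The script below is illustrative code written for this thread, not from any IAM product. It assumes a constructed set of account records, a constructed staff roster, and policy thresholds (90-day inactivity, 180-day recertification, one separation-of-duties rule) that stand in for whatever a real governance policy would set. It flags orphaned, stale, unreviewed and non-MFA privileged accounts plus SoD conflicts, and rolls the findings up into the kind of KPIs an audit cycle would report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed policy thresholds (assumed values, not figures from the thread).
STALE_AFTER_DAYS = 90        # no sign-in for this long: candidate for revocation
REVIEW_INTERVAL_DAYS = 180   # every grant must be recertified at least this often
# Constructed separation-of-duties rule: nobody may hold both roles at once.
SOD_CONFLICTS = {frozenset({"ap_create_vendor", "ap_approve_payment"})}


@dataclass
class Account:
    user: str
    system: str
    roles: FrozenSet[str]
    owner: Optional[str]           # manager/app owner accountable for the grant
    privileged: bool
    mfa_enrolled: bool
    last_login: Optional[date]
    last_reviewed: Optional[date]  # date of the last access certification


def review_accounts(accounts: List[Account], active_staff: Set[str], today: date) -> Dict[str, List[str]]:
    """Apply the access-control and audit policy to every account and return findings by category."""
    findings: Dict[str, List[str]] = {
        "orphaned": [], "stale": [], "priv_without_mfa": [], "review_overdue": [], "sod_conflict": [],
    }
    for a in accounts:
        key = f"{a.user}@{a.system}"
        # No accountable owner, or the owner has left: nobody can attest the access is still needed.
        if a.owner is None or a.owner not in active_staff:
            findings["orphaned"].append(key)
        # Dormant accounts are revocation candidates under the inactivity rule.
        if a.last_login is None or (today - a.last_login).days > STALE_AFTER_DAYS:
            findings["stale"].append(key)
        # Privileged access must be behind a second factor.
        if a.privileged and not a.mfa_enrolled:
            findings["priv_without_mfa"].append(key)
        # Recertification cadence from the audit policy.
        if a.last_reviewed is None or (today - a.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings["review_overdue"].append(key)
        # Any conflicting role pair held by one identity is an SoD violation.
        if any(conflict <= a.roles for conflict in SOD_CONFLICTS):
            findings["sod_conflict"].append(key)
    return findings


def governance_kpis(accounts: List[Account], findings: Dict[str, List[str]]) -> Dict[str, float]:
    """Roll findings up into the metrics a periodic IAM audit would report."""
    total = len(accounts)
    priv = sum(1 for a in accounts if a.privileged)

    def pct(n: int, d: int) -> float:
        return round(100.0 * n / d, 1) if d else 0.0

    return {
        "accounts": total,
        "recertified_pct": pct(total - len(findings["review_overdue"]), total),
        "orphaned_pct": pct(len(findings["orphaned"]), total),
        "stale_pct": pct(len(findings["stale"]), total),
        "privileged_mfa_pct": pct(priv - len(findings["priv_without_mfa"]), priv),
        "sod_violations": len(findings["sod_conflict"]),
    }


# Constructed sample inventory: a snapshot an IGA tool might export. Not real data.
TODAY = date(2024, 6, 1)
ACTIVE_STAFF = {"alice", "bob", "carol"}   # "dave" and "frank" have left
SAMPLE_ACCOUNTS = [
    Account("alice", "erp", frozenset({"ap_create_vendor"}), "carol", False, True, date(2024, 5, 28), date(2024, 3, 1)),
    Account("bob", "erp", frozenset({"ap_create_vendor", "ap_approve_payment"}), "carol", False, True, date(2024, 5, 30), date(2024, 4, 15)),
    Account("dave", "erp", frozenset({"erp_admin"}), "frank", True, False, date(2024, 1, 10), None),
    Account("svc_backup", "fileserver", frozenset({"backup_operator"}), None, True, True, date(2024, 5, 31), date(2023, 10, 1)),
    Account("carol", "hr", frozenset({"hr_admin"}), "alice", True, True, date(2024, 5, 20), date(2024, 5, 1)),
]


def run_review() -> Tuple[Dict[str, List[str]], Dict[str, float]]:
    """Run the policy checks over the sample inventory and return (findings, kpis)."""
    findings = review_accounts(SAMPLE_ACCOUNTS, ACTIVE_STAFF, TODAY)
    return findings, governance_kpis(SAMPLE_ACCOUNTS, findings)


if __name__ == "__main__":
    found, kpis = run_review()
    for category, keys in found.items():
        print(f"{category:17s} {', '.join(keys) or '-'}")
    print(kpis)
```

Each finding category maps back to a policy statement in the template, so the same script serves both the audit (step 8, which accounts are out of policy today) and the KPI trend (what share of the estate is recertified, orphaned or MFA-covered over successive cycles). Changing the thresholds or the SoD rule set is the point where the governance decision, rather than the tooling, lives.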
