My summary of the salient points addressed in each Burton Group Catalyst Conference session I attended on Thursday, June 26, 2008, are
included below:

Bob Blakley: Governance, Risk and Compliance

• “GRC” is a four letter word. It is not a market or solution.
• Governance, Risk Management and Compliance are distinct activities, performed by different people.
• Governance works best when it acts as round trip management.
• Don’t allow your risk management and compliance software be a substitute for risk management and compliance though
• Measure compliance on loss avoidance, not just liability avoidance.

Nick Leeson: Risk Management in the Real World

• Good risk management and good corporate governance doesn’t automatically transfer from the classroom.
• In rapidly-expanding markets, not all controls are in place. Control mechanisms don’t develop anywhere near as quickly as trading mechanisms.
• The interface between systems and human element is the key – need humans to interpret results shown by systems.
• The need for success creates a chasm between humans and systems. He was driven by a need for success and fear of failure.
• Each company’s internal controls should be beyond reproach.

Jay Leek (Nokia, Inc.): Enterprise Risk Management – Seeing the Forest and the Trees

• Risk management is not just about security. It is a business requirement.
• Without identified owners for risk and assets, nothing is actionable.
• Data from multiple data sources must be collected, correlated and reconciled to better evaluate who owns the risks and what the risk posture is for the organization.
• Enterprises should work toward a unified Risk Management Program by consolidating existing data, turning data into risk information and effectively communicating risk information to multiple stakeholder organizations in their language.
• Risk management is not a destination. It is an ongoing process.

Ken Anderson, Trent Henry: The Tools Landscape for Orchestrating Risk and Compliance

• A unified view of risk and compliance at higher level in organization usually doesn’t happen, because operational groups take care of themselves.
• Enterprise risk management is not so much a tool as a way to look at risk.
• Burton proposes a risk and compliance product pyramid with 1) a foundation of Identity Management, resources, people and process, 2) a middle layer of security compliance policy, orchestration controls and monitoriing and 3) a top layer of audit automation and risk data collection.
• A key issue is providing information executives need, when they need it.
• Dashboards man not provide the answers a CEO wants or needs. A phone call to a responsible subordinate is usually faster.

Randall Gamby: Creating “Security Embassies” in your Information Landscape

• Organization are struggling with a myriad of geographic regulatory and governing rules.
• The number of security policies has exploded to cope with expanded regulatory demands from multiple nations.
• A “Security Embassy” model favors centralized authority (enterprise-defined policy) and distributed execution (locally deployment).

Homan Farahmond: Going Global – Notes from the Field in Controlling Extended Enterprise

• Global enterprises struggle with compliance as they attempt to scale to address global complexity and globally build transparency and consistency.
• Creating a global controls structure must span cultural and language differences, must be implemented across geographical regions and encompass broadly different understanding of risk and policy.
• It is difficult to create a business case for global control program because budgets are regional.

Kevin Kampman, Ken Anderson: “Return on Organization” – Beyond RBAC

• Discussion of roles and RBAC require that IT leaders speak in the language of the executive, focusing on the impact of RBAC on the business.
• Discussion of roles should focus on efficiency, compliance, transparency and effectiveness of outcomes.
• Roles can give an executive view of the organization by giving visibility into what the organization is really doing.
• Addressing roles within a “Return on Organization” framework can show how roles can impact organizational effectiveness.
• Role management is a strategic enabler between business and technology. It isn’t a project. It is a discipline.

Tim Weil (Booz Allen Hamilton): RBAC Implementation and Interoperability Standard (RIIS)

• The INCITIS CS1.1 standard addresses RBAC implementation and interoperability, including the abilty to exchange roles between systems.
• Role exchange and interoperability can be helpful for companies who grow through merger and acquisition and for the integration between components in a Identity Management product suite.
• Role based access control vs. attribute access control is sometimes a religious war. A blended approach may be necessary to meet some requirements.

Craig Cooper (IT Manager, Thrivent Financial): Implementing a Role Based Identity Management System

• Benefits they gained are improve controls and increased efficiencies.
• An unexpected benefit was that business was actively engaged with the IT project.
• Active executive sponsorship is the #1 critical success factor.
• The started role discovery and definition activities first, selecting high risk areas for roles. Then the Identity Management system was implemented in parallel with the Role Management .
• Be aware of dependencies and avoid interdependent IAM and RBAC activities at the same time.

Panel Discussion: Role Management and Provisioning – Co-existence or Convergence.
Panel Participants:

• Jim Duchame (Aveksa)
• Ron Rymon (Eurekify)
• Lori Rowland (Burton Group)
• Kevin Kampton (Burton Group)
• Nick Crown (Sun Microsystems0
• Darran Rolls (Sailpoint Technologies)
• Jeff Shukis (Oracle)

Discussion:

• Roles are a language that allows us to communicate in business terms about information access
• Roles are presently focused on enabling provisioning and access control, but may provide much broader value for the business
• Role management and provisioning can be successfully implemented in parallel. Initial emphasis on either depends on underlying business drivers and what infrastructure is in place.
• Policy management is not as mature as role management. Policy infrastructure needs to take advantage of role infrastructure.
• There is a convergence between role management and entitlement management.

Homand Farahmond, Lori Rowland: Provisioning – A Recipe for Success

• Key needs for a provisioning project include addressing needs of many stakeholders, high level sponsorship, reconciling isolated business policies, overarching governance framework and aligning different perspectives.
• Identity management resources are still scarce, expensive and have a high turnover rate.
• Plan that reengineering identity repositories to handle unique ID’s takes a long time.
• Understand the relative benefits of virtual indentities vs. identity store. There are advantages and disadvantages in either approach.
• Vendors need skin in the game. Don’t allow vendors to abandon you after the sale.

Matthew Costello (Solution Architect, Boeing): Selecting and Implementing a COTS-based IdM Solution at Boeing

• Governance and sponsorship are critical, even at the RFP and vendor selection phase.
• Recognize that the RFP is a project in and of itself, which will require a lot of work for your company and the vendors.
• Leverage the use cases you have defined for your enterprise in a POC.
• Focus on differences, not similarities between products – and implications on the enterprise.
• Vendor selection is only the first step – after procurement, the real work begins.

Technorati Tags: Identity,
Digital Identity,
Identity Management,
Catalyst Conference,
BurtonGroupCatalyst08