25 Biggest Mistakes Flashcards
Which internal items should be prepared in advance because they may affect the customer's timeline?
Getting accounts and credentials, remote access for implementers, CSV files created and operationalized, database views set up, permission to access HR and other target systems, role/group/entitlement descriptions, and orphans remediated.
Why shouldn't you wait until after kick-off to start collecting data?
There are a lot of decisions and internal requests that can be made ahead of time that will cut your project time down.
Right now you could be:
- Identifying your target systems
- Getting your .csv files
- Getting your accounts, credentials and database access
- Getting permission to access target system data
- Identifying who will do reviews
What causes delays in validating objects?
Not having the responsible person identified and kept updated delays objects. This keeps us from configuring and you from reviewing. That person should be delegated ahead of time to save project time.
What are the fastest and second-fastest deployments of a customer that started collecting data in advance?
The fastest deployment for a company that had their data was 17 days from kick-off to go-live. The 2nd fastest was 35 days. Most companies don’t prepare anything in advance and their average is 3-6 months from kick-off to go-live.
What are two common use cases with delays in validating objects?
Not identifying who is responsible for validating specific objects (collectors, roles, rules, reports, reviews, etc.) up front, and having to do it case by case as we finish configuring those objects.
No sense of urgency on the part of those validating to get us their feedback so we can remediate as needed.
How can planning only to close audit gaps negatively affect your project/implementation?
You could make short-term and often limiting decisions if you are just trying to remediate the audit finding.
You don't leverage the tool to get maximum value for your investment.
What are some added uses of the ACM outside of resolving audit findings?
- Enforcing policies (developers shouldn’t have access to production)
- License monitoring and reduction
- Fraud investigation evidence
- Application usage and reduction strategies
- Monitoring of request/approval routines and eliminating provisioning churn
Why do efforts in ACM need to be actively managed?
A team is needed to actively remediate orphans; get new descriptions for entitlements, roles and groups; monitor, remind, escalate and re-route reviews; on-board new applications; provide assistance and training; etc.
What is the reference regarding the set-it-and-forget-it attitude?
Had an executive who came to believe that when implementation was over, any user in his company would be able to generate a review of any application by pressing a single button, and that no staff was needed to manage the product on an ongoing basis. He admitted he thought it was going to be like a maintenance-free ATM.
How can not involving your operations team up front hurt your project?
IAM projects implemented by a project team only, with the expectation that they will then be handed over to an operations team to run, typically fail or have to be entirely re-worked.
The operations folks have a perspective that is very valuable during implementation, and whole segments of effort are often left out by project professionals.
Why is letting individual application owners drive your program not a good idea?
One process for all is easier to manage than a customized process for everyone.
It also prevents scaling.
If every app owner had a separate tab for each app in the review, a user would have to open 80 tabs to determine whether they had anything to review in each tab.
If they close and come back, there is no way to tell which tabs they've completed or looked at and which they haven't.
What is an example of too much customization by app owners?
We currently have a large company where they let each application owner dictate how the review screens for "THEIR" application should look. Consequently, every supervisor gets a different-looking tab for each of the 50 apps being reviewed. Problem 1 is that the reviewer gets a tab for every application, whether they have anything to review in that application or not, and has to pop each one open to see if they have something to review. They also don't remember which tabs they've done and which they haven't. Problem 2 is that they want to add 200 more applications to their reviews, and their current situation won't scale.
Why is it better to start with a small roll-out instead of a large one?
Starting small allows you to get feedback and identify issues quietly in preparation for the whole organization.
You only get one chance to make a good first impression; good impressions last a little while and bad ones linger for years.
How is too much or too little auditor involvement not good?
Giving auditors too much control over your program could result in much more manual or labor-intensive work that would prevent you from adding more targets to your program.
Extracting periodic approvals from the audit team throughout the year makes it much more difficult for them to then fail you come audit time.
Why should you have a road map or extended plan with ACM?
Having a strategy written up that you can share with others in your organization does 3 things:
- Helps you answer the question, what do I focus on next
- Keeps other groups from answering that question for you
- Markets your program as something valuable to the organization, something worth investing in
An existing strategy will allow you to deflect or defer requests from others that are of lower value to the organization in favor of opportunities of higher value, so you don't get caught up doing a bunch of grunt work that won't generate a lot of value.
Why is it necessary not to rely solely on the tool?
The tool is just that: a tool to help automate processes. Those processes include:
- Orphan Remediation Process
- Executive Delegate Process
- Recertification Campaign Processes
- End User Training
- End User Support
- Metrics & Reporting
- Collector Scheduling and Data Validation
- Appliance/Database Escalation & Support
- On-boarding/Off-boarding Applications
- Capturing Audit Evidence
How is trying to cling to manual processes not a good idea?
The tool is designed to automate processes and make lives easier; allow it to do that.
What are some examples of clinging to manual processes?
One client wouldn't give up collecting a lot of the data manually.
One client wouldn't give up emailing copies of the review to reviewers rather than having them log into ACM.
One client didn't want to tell target system owners to clean up their bad data, so she wrote tons of scripts and routines that would improve bad data in ACM. Her 26 separate routines required a lot of effort to run each day and slowed the system down to a crawl. When she left, no one could figure out her routines, so they pulled them out, and then after 4 years they had all bad data coming from their target systems.
Why is it not good to put your entire process in the hands of one person?
If something happens to that person, you're left with no one who can complete the project or who has any knowledge of the configurations.
For example: the whole project was put on one PM to make all the decisions. The PM turned it over to one security admin to run when it was built. The security admin identified 23 different problems the PM had missed or caused. Then the security admin resigned, leaving the company with a badly configured system and no one else in the company who knew the software.
Why is it not wise to roll out all modules at one time?
The modules feed off each other. The outputs of one are often the inputs of another.
Mining for roles only works once access has been cleaned up through reviews.
Access Request only works if you have more than 3 things in your catalog to request.
Trying to do Roles, Reviews, Reports, Rules, and Access Request for a small number of apps gives you no experience, no maturity, and no time to shake out your processes.