Removing unauthorised access to data was the driver for financial institution ING Direct Australia to implement an identity and access management control system in 2011.

Speaking at the Gartner Security and Risk Management Summit in Sydney, ING Direct Australia head of IT performance, Anthony Sestanovic, told delegates that prior to the implementation of SailPoint IdentityIQ, the bank had too many users with unverified access to core banking systems. This problem needed to be solved in order for it to comply with the Australian Prudential Regulatory Authority (APRA) regulations covering access rights.

After going to tender and selecting IdentityIQ, which was implemented by service provider First Point Global, it rolled out the access management control system, which included 30 Sarbanes-Oxley (SOX) applications covering access rights, to 1200 users.

According to Sestanovic, within two months of the project commencing, ING Direct Australia had implemented a system which enabled it to enforce access control related business policies and processes to better manage risk and remove the possibility of a rogue employee gaining access to financial records.

“We were able to gain visibility into user access privileges and remove error-prone manual processes for user access reviews,” he said.

In addition, management also had access to the system so they could now view which staff members had appropriate access rights to banking applications.

“The information about a user is clear and the reviewer can approve or reject access [by the staff member] to certain systems,” he said.

Since the system went live in February 2011, the bank has integrated 90 more SOX applications and conducted annual reviews of the identity and access management system as new staff members join the organisation and need to be approved to have certain access.

According to Sestanovic, ING Direct Australia learnt nine lessons from the identity and access management implementation.
The importance of upfront analysis

According to Sestanovic, enterprises should not jump into “just do it mode” with IT projects but take time with the implementation.

“Prototyping and iterative development are valuable for gathering and refining detailed requirements, and ensuring that functionality, and business value, is delivered as early as possible,” he said.

Secure project sponsorship

Senior executive sponsorship was critical, as an identity governance offering often spans many business areas that need to commit to identity and access management.

Engage business users

“Get buy-in from the top and drive the program top down,” Sestanovic said. “Select champions from the business who will work with you on testing the functionality and enhancements of the system.”

Establish a governance committee, working group

“This allows different business units to share and leverage work and will accelerate enterprise level deployment,” he said.

Use a small team for delivery

According to Sestanovic, IT executives should avoid engaging different organisations or teams and dividing the design, build and test responsibilities between them.

“The technical delivery works best if dedicated and centralised.”

Secure commitment of subject matter experts

These experts should include application support, technical infrastructure, information security and risk managers because systems such as identity and access management affect the whole business, he said.

Employ a technical project manager

“This technical project manager should have a deep knowledge of governance, risk management and compliance,” Sestanovic said.

Ideally, this person should also understand the company’s environment and be able to guide the implementation team through company standards and policies.

Engage audit and compliance

Engage an auditor to work with the company as early as possible and be a joint stakeholder in the program.
Stick to your guns

Sestanovic said that IT staff needed to hold true to the scope and the problem they were trying to resolve.

“It is easy to give into the temptation of taking short cuts just to get the project implemented. This project took us over a year to implement,” he said. “Stay focused and work through the challenges, the benefits will come.”

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow CIO Australia on Twitter: @CIO_Australia