CIO Executive Council members say governance is key to successful identity management. “The only way you can adjudicate identity management policy questions is with a good governance structure,” says Bruce Metz, CIO of Thomas Jefferson University.
At Tufts University, where Metz was CIO prior to coming to Jefferson University earlier this year, an IT Council composed of stakeholders across the institution made decisions about IT spending priorities. An IT Policy and Security Committee that reported to the Council developed policies and security practices, including those related to identity management. Metz aims to set up a formal structure at Thomas Jefferson. He advises that CIOs setting up a security governance body in a corporate or campus setting make sure they include representatives from the following departments:
* Human resources: Identity management is all about people—who they are, what information you have about them, who has access to that information and who can modify it. “Human resources is the custodian of the people who make up the organization, and they need to be involved in governance to represent that interest,” Metz says.
* Legal: Be sure to include a legal representative on your team. “You need to make sure your policy is enforceable and that it is reasonable,” Metz says.
* Chief security and privacy officers: If your organization has a CSO or CPO, they should be on the security governance committee.
* Representatives of key business units or functions: For example, Metz tapped a representative from the head academic office and the head administrative office while at Tufts. You should include someone from each of the company’s main business units. If customer data collection is a big issue, include a representative from sales or marketing. And in any setting you should also include someone from finance.
* Internal audit: Someone from the internal audit department will help ensure that policies are compliant with federal regulations, such as HIPAA.