In early January 2019, the UOE CISO Alistair Fenemore signed an agreement with PriceWaterhouseCoopers to perform an 'Identity and Access Management Review'. It states the following:-

"Background and purpose

The digital identity of users, and the management of access to University information and services (IT and non-IT based), are key to the delivery of modern, flexible, and sustainable academic services - as well as being vital to the confidentiality, integrity, and availability of the University’s information and services.

The University of Edinburgh has requested PwC to conduct a strategic review, with stated objectives to develop and deliver:

• A maturity assessment.

• An Identity and Access Management Strategy.

• Evidence that deployment of the Strategy will deliver demonstrable benefit.

• An indicative roadmap and recommended deployment approach.

• Indicative costs for toolsets and associated licences should any new technologies be required.

Our four phase approach to meeting these objectives and the associated deliverables we will produce are described in Schedule 1 (see below)."


This project will wrap a formal Project Management process around a request from Information Security to assist them and PWC in engaging with all the relevant stakeholders throughout the UoE to deliver a new IDAM roadmap. The anticipation is that this will be delivered alongside additional benefits of having a PM involved - oversight, enquiries, questions etc.

The Identity and Access Management (IDAM) Strategy project will support PWC (Price Waterhouse Coopers) in documenting the current state, review against other higher education users, perform a gap analysis and maturity assessment, concluding in defining a target state for IDAM and constructing a roadmap to get there. 

The core aim links into the Information Security strategy which was signed off in early January 2019.



PWC Key Engagement Objectives:-

1. A maturity assessment of the current approach to the user identity, authorisation and authentication management lifecycle within the University that covers relevant aspects of people, process and technology.

2. An Identity and Access Management Strategy that defines an optimal target state, detailing people, process and technology requirements. The strategy should include details of typical ‘user


3. Evidence that deployment of the Strategy will deliver demonstrable benefit to the University through increased efficiency in user identity management, reduced information security risks etc that can be used in support of any required business case.

4. An indicative roadmap and recommended deployment approach that will deliver sustainable improvements.

5. Indicative costs for toolsets and associated licenses should any new technologies be required.

Other Considerations/Points confirmed by UoE:-

Business engagement interviews should be performed across a wide selection of stakeholders including IT, Applications, Service Owners, College and Support Group representatives, Student Systems, HR, the IdAM User Group, Development and Alumni, and other interested parties.

Specific user journeys (JML) to be included and which will be considered along with other common JML based use cases. We will look at key capabilities based on our market knowledge including:

1. High volume of student joiners during registration and how to handle applicants, both pre and post joining. How to provide students with zero-day provisioning, so they have appropriate access available on day 1.

2. Users who join with elevated privileges, move role, then leave and possibly become Alumni. Look at Role Based Access Control and automation of the leavers and movers processes so that only appropriate access is retained regardless of user type.

Demonstrate that an IdAM strategy will deliver the following key goals:

1. Increased efficiency in user identity management.

2. Reduction of security risk.

There are four phases planned within the PWC and UoE agreement:-

Phase 1 — Understand the ‘As-is” Environment

Understand the as-is environment, establish the current state, target state, and provide a gap analysis.

• Review existing documentation; user identity, identity lifecycle, processes, system landscape, IdAM policies and standards, architecture and control frameworks, operating model, Authentication and Authorisation Services Review and review University of Edinburgh’s IT Strategy

• Hold up to 10 stakeholder workshops (over 4 days) to identify strengths and weaknesses across people, processes and technology for IdAIVI including (but not limited to) CISO, IS

Directorate, HR, Director of IT, Service Owners, College Representatives, Faculties, Student System, the IdAM User Group, and other interested representatives

• Establish a current and target IdAM state using our PwC IdAM maturity framework across all IdAM domains (Strategy and Policy, Directory Services, Identity Management, Authentication and Authorisation, Access Governance, Privileged Access Management, and Auditing and Logging).

• Perform a gap analysis, based on the established current and desired target states, with details on the key findings within each IdAM domain and proposed improvements.

Phase 2— Strategy, Architecture and Operating Model

Use the information gathered in Phase 1 to propose a strategy, architecture, and high level operating model required to deliver and run the capability.

• Establish an IdAM strategy with a vision, drivers and principles, and map back to the University and IT strategy

• Develop high level requirements and core use cases** for IdAM. These will support a number of key applications (currently defined as 28 downstream apps, 6 sources of authority & 7 authentication platforms), and user types, e.g. staff, students and third parties, etc. chosen by University of Edinburgh as representative of the wider estate

• Define the logical architecture of the target capability. This includes both a service architecture and a technology agnostic component architecture, as well as its placement within the organisation.

• Construct a high level operating model. This will include functional, organisational and governance models.

**NOTE: Use cases to be limited to 10 use cases, which will include, a new student, a user with enhanced access privileges who joins, moves roles and then leaves, an Alumni who is also a member of the General Council, and a typical member of staff.

Phase 3— Establish the Roadmap

Establish a proposed roadmap for transition to the target state, and metrics to measure success.

• Establish a roadmap with initiatives to transition to the target state. This will include ‘quick win’ improvements to help demonstrate success

• Identify baseline and target metrics for each roadmap initiative so that they can be measured to determine level of success

• Map roadmap activities back to goals established in the strategy

Phase 4— Business Plan Support

Support your development of a business plan to progress roadmap activities.

• Create a vendor short-list of suitable IDAM vendors in the market, based on Phase 2 outputs, that can be taken into a formal RFP

• Work to identify indicative costing for licensing and delivery (using preferred operating and sourcing models)

• Provide artefacts (deliverables from each phase) in a format that will aid in the creation of a business plan for management consumption, including realistic high-level estimates of costs (this would typically use University of Edinburgh templates).

• Support in the preparation and presentation of the business plan to senior management (up to a maximum of 2 days)





O1  Understand 'as is'    


 Schedule, document and track actions for all key stakeholders to meet PWC 


D2  Ensure PWC have access and understand UoE strategy etc  M  PM
D3  Maintain risks and issues throughout  M  PM&PWC
D4  Deliver frequent project updates with PWC  S  PM&PWC


 Define strategy, architecture and operating model


O3  Establish the roadmap    
D5  Agree KPI metrics  S


O4  Create a business plan    
D6  Identify UoE contributors to build plan, review and approve the roadmap  M  PM



Demonstrate that an IdAM strategy will deliver the following key goals:

1. Increased efficiency in user identity management.

2. Reduction of security risk.


Success Criteria

Have a signed off roadmap that allows the UoE to produce a business plan.

Project Milestones

As of Feb 12, 2019:- These milestones capture the agreed delivery milestones that PWC and the UOE have formally agreed. Each delivery milestone has additional information in the action sections further breaking down the events and activities behind the milestone and the actual deliveries.

PWC, Project Sponsor and the Project Manager agreed on February 11, 2019, that once the 'as is' information has been prepared by PWC, all contributors and additional colleagues (being identified on the stakeholder list) will have an opportunity to review and provide comments. Alistair Fenemore (UoE CISO) and Kenny Crawford (PWC) will sign off once that review and pre-approval phase is complete. The Project Manager will assist managing that process. It will then be followed for the subsequent phases where appropriate.


Stage Milestone Due Date Previous Date Complete
Initiate Commence project with agreed budget 25-Jan-2019 No date available Yes
Plan Project brief approval 15-Feb-2019 30-Jan-2019 Yes
Deliver Phase 1 - understand the 'as is' environment 08-Mar-2019 No date available No
Deliver Phase 2: define the strategy, architecture and operating model 12-Apr-2019 No date available No
Deliver Phase 3: establish the roadmap 26-Apr-2019 No date available No
Deliver Phase 4: support establishment of a business plan 10-May-2019 No date available No
Close Create closure report 07-Jun-2019 No date available No

Project Info

Identity and Access Management (IDAM) Strategy
ISG Portfolio Projects (OTHISG)
Management Office
Project Manager
Adam Wadee
Project Sponsor
Alistair Fenemore
Current Stage
Project Classification
Start Date
Planning Date
Delivery Date
Close Date
Programme Priority
Overall Priority