In January 2019 the Chief Information Security Officer, Alistair Fenemore, initiated a new project to prepare the groundwork to develop a full Identity and Access Management (IDAM) strategy for the University. In order to achieve this, PricewaterhouseCoopers (PwC) were hired to collaborate with colleagues. Utilising pre-existing IDAM groups and specialist staff, PwC held workshops, interviews and document Q&A sessions to deliver a significant document in June.
The Identity and Access Management Review aimed to achieve the following:
Background and purpose
The digital identity of users, and the management of access to University information and services (IT and non-IT based), are key to the delivery of modern, flexible, and sustainable academic services - as well as being vital to the confidentiality, integrity, and availability of the University’s information and services.
The University of Edinburgh has requested PwC to conduct a strategic review, with stated objectives to develop and deliver:
• A maturity assessment.
• An Identity and Access Management Strategy.
• Evidence that deployment of the Strategy will deliver demonstrable benefit.
• An indicative roadmap and recommended deployment approach.
• Indicative costs for toolsets and associated licences should any new technologies be required.
Our four-phase approach to meeting these objectives and the associated deliverables we will produce are described in Schedule 1.
This project will wrap a formal Project Management process around a request from Information Security to assist them and PwC in engaging with all the relevant stakeholders throughout the UoE to deliver a new IDAM roadmap. The anticipation is that this will be delivered alongside the additional benefits of having a PM involved - oversight, enquiries, questions etc.
The Identity and Access Management (IDAM) Strategy project will support PwC (PricewaterhouseCoopers) in documenting the current state, reviewing against other higher education users, performing a gap analysis and maturity assessment, and concluding by defining a target state for IDAM and constructing a roadmap to get there.
The core aim links into the Information Security strategy which was signed off in early January 2019.
In mid-June, the scope was increased to include PwC following up on the strategy delivery to focus on Multi-Factor Authentication.
Objectives, Deliverables and Success Criteria
| O1 | Understand 'as is' |
| | Schedule, document and track actions for all key stakeholders to meet PwC | | | |
| D2 | Ensure PwC have access and understand UoE strategy etc | M | PM | Achieved |
| D3 | Maintain risks and issues throughout | M | PM & PwC | Achieved |
| D4 | Deliver frequent project updates with PwC | S | PM & PwC | Achieved |
| | Define strategy, architecture and operating model |
| O3 | Establish the roadmap |
| D5 | Agree KPI metrics | S | | |
| O4 | Create a business plan |
| D6 | Identify UoE contributors to build plan, review and approve the roadmap | M | PM | Achieved |
The project's scope was changed in June 2019 to include a further deliverable:
| O5 | Assess immediate operational impact and longer term strategic implications of Multi-Factor Authentication (MFA) |
| D6 | Delivery of MFA Report | M | PwC | Achieved |
Note that deliverable D5 was a 'Should' and was removed from the scope of the project as agreed with the Project Sponsor.
A secure area on the projects website has been created so that authorised staff can view the project documentation and recommendations. A report is available with an executive summary highlighting the key IDAM recommendations. The MFA report is also available.
The two main deliverables are clearly highlighted as Report 1 and Report 2 at the following secure page:
Analysis of Resource Usage:
Staff Usage Estimate: 40 days
Staff Usage Actual: 44 days
Other Resource Estimate: £N/A
Other Resource Actual: £N/A
Other Resource Variance: N/A
Explanation for variance
The scope of the project was changed in June 2019 to include a review of how the UoE could deliver Multi-Factor Authentication (MFA). As a result, a small amount of additional PM time was needed; however, the majority of the work was undertaken by consultants PwC.
The change in scope also pushed out the project timelines. The main IDAM strategy document was delivered and approved in June 2019. The MFA report was delivered in October and signed off in November.
It should be highlighted that some of the recommendations from the two main reports are already being taken forward. The ENT041 project has delivered authentication improvements and the COM051 project (Office 365 Security Hardening) aims to further strengthen the security of all email services, in particular Office 365.
The deliverables from this project will be used as input to the longer-term strategy for IDAM for the University that will be further developed in due course. If appropriate, a new project will be initiated to progress this work.