Closure Report

Project Summary

In January 2019 the Chief Information Security Officer, Alistair Fenemore, initiated a new project to prepare the groundwork to develop a full Identity and Access Management (IDAM) strategy for the University. In order to achieve this PriceWaterhouse Cooper (PwC) were hired to collaborate with colleagues. Utilising pre-existing IDAM groups and specialist staff, PwC held workshops, interviews and document Q&A sessions to deliver a significant document in June.

The Identity and Access Management Review aimed to achieve the following:

Background and purpose

The digital identity of users, and the management of access to University information and services (IT and non-IT based), are key to the delivery of modern, flexible, and sustainable academic services - as well as being vital to the confidentiality, integrity, and availability of the University’s information and services.

The University of Edinburgh has requested PwC to conduct a strategic review, with stated objectives to develop and deliver:

• A maturity assessment.

• An Identity and Access Management Strategy.

• Evidence that deployment of the Strategy will deliver demonstrable benefit.

• An indicative roadmap and recommended deployment approach.

• Indicative costs for toolsets and associated licences should any new technologies be required.

Our four phase approach to meeting these objectives and the associated deliverables we will produce are described in Schedule 1.


This project will wrap a formal Project Management process around a request from Information Security to assist them and PWC in engaging with all the relevant stakeholders throughout the UoE to deliver a new IDAM roadmap. The anticipation is that this will be delivered alongside additional benefits of having a PM involved - oversight, enquiries, questions etc.

The Identity and Access Management (IDAM) Strategy project will support PWC (Price Waterhouse Coopers) in documenting the current state, review against other higher education users, perform a gap analysis and maturity assessment, concluding in defining a target state for IDAM and constructing a roadmap to get there. 

The core aim links into the Information Security strategy which was signed off in early January 2019.

In mid June, the scope was increased to include PwC following up on the strategy delivery to focus in on Multi Factor Authentication.


Objectives, Deliverables and Success Criteria




Owner      Status
O1  Understand 'as is'      


 Schedule, document and track actions for all key stakeholders to meet PWC 


 PWC Achieved
D2  Ensure PWC have access and understand UoE strategy etc  M  PM Achieved
D3  Maintain risks and issues throughout  M  PM&PWC Achieved
D4  Deliver frequent project updates with PWC  S  PM&PWC Achieved


 Define strategy, architecture and operating model


O3  Establish the roadmap      
D5  Agree KPI metrics  S


Not required
O4  Create a business plan      
D6  Identify UoE contributors to build plan, review and approve the roadmap  M  PM Achieved
  The project's scope was changed in June 2019 to include a further deliverable:      
O5 Assess immediate operational impact and longer term strategic implications of Multi-Factor Authentication (MFA)      
D6 Delivery of MFA Report M PWC Achieved


Note that deliverable D5 was a 'Should' and was removed from the scope of the project as agreed with the Project Sponsor.


Project Documentation

A secure area on the projects website has been created so that authorised staff can view the project documentation and recommendations.  A report is available with an executive summary highlighting the key IDAM recommendations.  The MFA report is also available.

The two main deliverables are clearly highlighted as Report 1 and Report 2 at the following secure page:


Analysis of Resource Usage:

Staff Usage Estimate: 40 days

Staff Usage Actual: 44 days

Other Resource Estimate: £N/A

Other Resource Actual: £N/A

Other Resource Variance: N/A


Explanation for variance

The scope of the project was changed in June 2019 to include a review of how the UoE could deliver Multi Factor Authentication (MFA).  As a result, a small amount of additional PM time was needed, however the majority of the work was undertaken by consultants PwC. 

The change in scope also pushed out the project timelines.  The main IDAM strategy document was delivered and approved in June 2019.  The MFA report was delivered in October and signed off in November.


Outstanding Issues


Next Steps

It should be highlighted that some of the recommendations from the two main reports are already being taken forward.  The ENT041 project has delivered authentication improvements and the  COM051 project (Office 365 Security Hardening) aims to further strengthen the security of all email services, in particular Office 365 .


The deliverables from this project will be used as input to the longer term strategy for IDAM for the University that will be further developed in due course.  If appropriate, a new project will be initiated to progress this work.


Project Info

Identity and Access Management (IDAM) Strategy
ISG Portfolio Projects (OTHISG)
Management Office
Project Manager
Adam Wadee
Project Sponsor
Alistair Fenemore
Current Stage
Project Classification
Start Date
Planning Date
Delivery Date
Close Date
Programme Priority
Overall Priority