You’ve heard that you need to improve your user provisioning process. Before you dive in, it is helpful to understand the process and the process. With this framework in mind, you can guide your organization.
What Is User Provisioning Exactly?
This process is a key activity within an organization’s identity management program. According to Techopedia:
User account provisioning is the creation, management and maintenance of an end-user’s objects and attributes in relation to accessing resources available in one or more systems. Essentially, user account provisioning refers to the management of user rights and privileges. User account provisioning is one of many identity management procedures, and it defines the different ways of managing an individual’s digital identity, authentication and authorization rights.
Why Does User Provisioning Matter?
An effective user provisioning practice benefits your organization in several ways. From an internal control and audit perspective, it is a way to ensure segregation of duties. From a productivity standpoint, user provisioning makes life easier for managers because they do not have to manually arrange access for each employee. Finally, user provisioning reduces the risk of unauthorized information access by granting access only when it is needed.
Putting User Provisioning in Place Step by Step
- Assess your identity management program
Start by assessing the overall quality and maturity of your identity management program. For the sake of simplicity, look at three different areas: people, process, and technology. For people, examine whether your people, including IT, know what user provisioning is and what their responsibilities are. For process, consider the end to end steps involved in granting, altering, and overseeing user access. For technology, evaluate the security, usability, and comprehensiveness of your technology.
Carry out a review of your current solution to see if it will effectively address user provisioning. Specifically, we recommend evaluating the following factors:
- Comprehensiveness. Does the solution effectively cover all of your key systems?
- User experience. If managers and employees find the system too difficult to use, user provisioning control will suffer.
- Speed. When an employee leaves your organization, it is important to remove their access promptly. Otherwise, your organization will be exposed to increased risks.
- Productivity. Ask your managers about the administrative burden imposed by your current identity management solution.
What if you have no software solution in place? The above questions still make sense to review, but you will probably encounter greater reliance on manual processes. You will probably find gaps in your current process. Explore those gaps further by developing a business case.
- Develop the user provisioning business case
Implementing user provisioning takes time and resources away from other activities. Given that reality, you will need to build a business case. As a starting point, look at risk management and productivity. User provisioning helps you achieve risk management goals by ensuring user access is governed consistency. A user provisioning software solution saves time and effort through automation.
Note: What if you cannot make an effective business case for user provisioning? In that case, examine your organization’s strategy and goals for risk management and cybersecurity. Improving user provisioning generally aligns with one or both of those areas.
- Inventory your most important systems and applications
If your organization has hundreds or thousands of applications, you may feel overwhelmed. How can you manage access to so many different applications? There’s a simple solution. Ask yourself one question to identify the most important systems and applications:
If someone obtained unauthorized access (e.g. a hacker or disgruntled employee) to this resource, what harm could the company come to?
Answering that question will help you identify critical systems. You may also wish to consult your cybersecurity department to assess in the identification department.
- Launch a pilot program to implement (or improve!) user provisioning
At this point, you are ready to carry out a user provisioning pilot program. To encourage participation, select one or two executives to sponsor the pilot program. Once those champions are in place, select a variety of managers and users from different units to participate in the new user provisioning approach. To design your user provisioning pilot, take note of the following points:
- Success Criteria. How will you know if your pilot program is successful? One metric to consider: time saved in user provisioning.
- Scope. Which systems and users are in scope for the pilot? It’s project management 101 and needs to be considered for pilot planning.
- Schedule. Short deadlines are your friend when it comes to a pilot program. We recommend choosing a 30-60 day duration and adjusting the scope down to fit in that time frame.
- Lessons Learned. At the end of your pilot program, send out a survey to your team using a tool like Survey Monkey to gather their feedback. This feedback will help you in the next step.
- Launch an enterprise wide user provisioning process
Using the insights from your pilot program, implement user provisioning to the rest of your organization. For the best results, make sure you involve the help desk, internal audit, and other corporate functions in this program.
Tip: If you are unsure of the right approach, ask your identity management vendor support. That’s why it is important to assess a vendor’s industry experience.
- Develop continuous monitoring for user provisioning
Alas, launching a program is not enough for long term success — you need the ability to monitor your program. On a quarterly or annual basis, gather information on the following points:
- Percentage of user provisioning requests completed in less than 1 hour. Adjust the time frame to suit your organization’s size and complexity.
- Number of user provisioning requests handled by the help desk. This figure should drop over time.
- Internal audit findings related to user access. Audit findings are serious and these need to be tracked, even if they are only observations.
- User satisfaction/complaints. Technical excellence doesn’t mean much if users are annoyed, so make sure you measure that point.
Remember: choosing the right identity management solution is a critical decision. It can make the difference between a successful implementation and a time consuming exercise that doesn’t lead anywhere.