Definition of requirements and gap analysis
The first step is to identify statutory and regulatory requirements. These requirements are then reflected in the target processes for authorisation management. A gap analysis is conducted to determine any variance between the status quo and the target processes.
We work together with you – and relevant external partners if necessary – to determine which standardised requirements are already fulfilled and where adaptations remain necessary. We use the findings as a basis to infer the activities and measures, along with the necessary workload for implementation.
Furthermore, the identified courses of action enable us to prepare an accurate quotation for the specific consultancy services your company needs.
The software tools available on the market focus on different areas and have corresponding strengths but also weaknesses. It is therefore imperative to ensure during tool selection that the company’s requirements are covered to the greatest possible extent.
ARCA-Consult has developed a custom procedure to make a selection that is tailored to the needs of individual companies.
The development of a roles concept is a vital building block in establishing an IAM system. ARCA-Consult therefore attaches a lot of importance to precise preparation of this work step.
Well-conceived role modelling can significantly enhance the effectiveness of an authorisation management system. It builds on classifying the different types of roles in the company and determining which elements or activities apply across the entire role life cycle. An automated role assignment algorithm for the identities is then applied on this basis. A role/risk classification and role taxonomy add the finishing touches to the roles concept.
The individual rights and groups of rights for each IT application/system can be looked up in an authorisation concept. It also includes the authentication and authorisation rules and how they must be applied. Risk classification and a rights SoD (segregation of duties) round off the concept.
We support you in this process with our proprietary templates and other elements and in doing so ensure a uniform concept structure.
SoD matrix / segregation of duties
Preparing a segregation of duties matrix, which is needed to ensure safe operation and to prevent conflicts of interest, is a particular challenge.
In this context, a top-down approach of assigning roles according to a set of duties and positions must be combined with a bottom-up approach based on the current system of access rights. This requires job descriptions and authorisation concepts, which form the basis for preparing the SoD matrix. Benefit from our experience to obtain a clear and practicable application.
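The combination of top-down and bottom-up views described above can be checked mechanically. The following is an added example, not ARCA-Consult's procedure or tooling; the SoD matrix, role model, identities and rights are all constructed sample data.

```python
# Added example: all role, right and identity names are constructed.

# SoD matrix: unordered pairs of rights that one person must not hold together.
SOD_MATRIX = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.create", "payment.approve"}),
}

# Top-down: roles derived from job descriptions.
ROLE_MODEL = {
    "ap_clerk": {"vendor.create", "payment.create"},
    "ap_approver": {"payment.approve"},
    "ap_lead": {"payment.create", "payment.approve"},  # conflicting by design
}
ROLE_ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},
}

# Bottom-up: rights actually found in the current system of access rights.
ACTUAL_RIGHTS = {
    "alice": {"vendor.create", "payment.create", "payment.approve"},
    "bob": {"payment.approve"},
    "carol": {"vendor.create", "payment.create", "payment.approve"},
}

def conflicts_in(rights):
    """Return the SoD pairs fully contained in a set of rights, sorted."""
    return sorted(tuple(sorted(pair)) for pair in SOD_MATRIX if pair <= rights)

def role_design_conflicts():
    """Roles whose own content already violates the SoD matrix."""
    found = {role: conflicts_in(rights) for role, rights in ROLE_MODEL.items()}
    return {role: pairs for role, pairs in found.items() if pairs}

def identity_conflicts():
    """Per identity: each conflict and whether the role model explains it."""
    findings = {}
    for ident, actual in ACTUAL_RIGHTS.items():
        roles = ROLE_ASSIGNMENTS.get(ident, ())
        modelled = set().union(*(ROLE_MODEL[r] for r in roles))
        for pair in conflicts_in(actual):
            # A pair not covered by assigned roles is visible only bottom-up.
            source = "role model" if set(pair) <= modelled else "direct grant"
            findings.setdefault(ident, []).append((pair, source))
    return findings
```

Conflicts labelled "role model" point to a role or role combination that needs redesign; those labelled "direct grant" exist only in the current system of access rights and would be missed by a purely top-down review.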
Fundamentally, an IAM system can only be as good as the underlying risk analysis of the authorisations it manages. The assignment of rights and roles, as well as the resulting authorisation processes, must build on an analysis of integrity, availability, authenticity and confidentiality. The processing and escalation pathways inferred on this basis ensure that an organisation adheres to the compliance requirements.
The ARCA-Consult Risk Construction Kit simplifies and standardises implementation of your risk management.
Individual departments frequently take a critical view of the application process. The question of who is entitled to apply for authorisations and how they should do so tends to create a lot of uncertainty. The same is true of the rules that need to be adhered to in the request process.
Rights and application owners are often driven to distraction in these cases, as the knowledge they require is often unrelated to their actual skill sets. It is therefore advisable to include this group before getting started.
In addition, clearly and understandably worded roles and rights management is a very important issue.
A common practice used in many companies – “just copy Jim’s profile” – flies in the face of the need-to-know principle. This means that rights analysis prior to migration is absolutely vital.
The ARCA-Consult rights analysis processes your current rights status in a neat overview and helps you to create a robust design for your system of rights.
The migration phase is among the principal tasks when introducing an IAM system. Many companies face tough challenges when defining the migration method. Long migration cycles with significant outlay on time and resources can incur considerable costs, especially if one considers the aspect of maintaining parallel operation.
Implementing smooth migration processes is among the most pronounced competencies of ARCA-Consult.
Recertification is used to check the correctness and currency of the authorisation concept for role contents and the assignment of roles to identities. ARCA-Consult develops recertification plans on your behalf and in doing so defines processes and activities that need to be carried out based on the recertification findings.
This is a time-consuming affair but can be made more efficient thanks to the significant experience of our consultants.
Reconciliation is used to compare the current and target status of accounts and their authorisations in the IAM and authorisation systems and to check them for consistency.
Our consultants are experts in the identification of reconciliation execution sequences, while still maintaining high performance and ongoing operations.
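The comparison of target and current status that reconciliation performs can be expressed as a set difference per account. The following is an added example, not ARCA-Consult's tooling; the account names, rights and finding categories are constructed.

```python
# Added example: account names, rights and finding kinds are constructed.

# Target status held in the IAM system: identity -> account and its rights.
IAM_TARGET = {
    "alice": {"account": "a.smith", "rights": {"crm.read", "crm.write"}},
    "bob": {"account": "b.jones", "rights": {"crm.read"}},
    "dave": {"account": "d.miller", "rights": {"crm.read"}},
}

# Current status exported from the authorisation system: account -> rights.
SYSTEM_ACTUAL = {
    "a.smith": {"crm.read", "crm.write", "crm.admin"},
    "b.jones": set(),
    "x.legacy": {"crm.admin"},
}

def reconcile(target, actual):
    """Compare target and current status; return sorted (kind, account, right)."""
    expected = {e["account"]: e["rights"] for e in target.values()}
    findings = []
    for account, want in expected.items():
        if account not in actual:
            # Provisioning never happened or the account was deleted out of band.
            findings.append(("missing_account", account, None))
            continue
        have = actual[account]
        findings += [("missing_right", account, r) for r in want - have]
        # Rights granted directly in the system, bypassing the IAM process.
        findings += [("excess_right", account, r) for r in have - want]
    for account in actual.keys() - expected.keys():
        # Account exists in the system but belongs to no managed identity.
        findings.append(("orphan_account", account, None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))

if __name__ == "__main__":
    for finding in reconcile(IAM_TARGET, SYSTEM_ACTUAL):
        print(finding)
```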