„A Project that went wrong“
Version 1.0
Dr. Horst Walther, SiG Software Integration GmbH,
2004-10-20 Lefkosia / Cyprus
SiG
The company
- A state-owned German bank.
- Attempts to become a global player.
- Global approach and national organisation mismatch.
- Powerful local ‘rulers’.
- Affiliations in LON, NY, TOK.
- Costs have never been an issue.
- But winds of change could be felt already.
- EU commission requires the abolishment of state guarantees.

The History
- The need for user and privilege management had been felt for a long time.
- Earlier attempts by the CISO.
- Several failed projects in the headquarters.
- An amazingly functional Evidence solution in LON.
- A cleverly automated fulfilment process in NY.
- Demand for an enterprise-wide solution was rising.
- Requests came from Information security and auditors.

The Situation
- High IT penetration.
- No central user repository.
- No answer to the questions:
  - „Does this user belong to the bank?“
  - Are his actual privileges matching the corporate intentions? (Intended privileges vs. actual privileges)
- Administrative processes were …
  - Not unified.
  - Not documented.
  - Not automated.
  - Inaccessible paper archives.
- No documentation of …
- No cost consciousness at the using departments.
- Heterogeneous entitlement concepts.
- Historically grown roles & responsibilities.
- Application processes, administration and naming conventions differ throughout the enterprise.

The Mission
- Meet the evidence requirements of internal auditors.
- Comply with international regulations (Basel II) and similar regulations in the US, the UK and Germany (MAH).
- Support the access rights management of all employees, contractual staff and other authorised users.
- Acquire or develop and implement a global system for the management of user access rights for selected systems with appropriate associated processes.
- Target systems are the systems on a (long) list of systems.
- No automation through connectors.
- Enterprise approach: all users – all systems – all resources.
- The system will be rolled out globally.

The Team
- The project leader:
  - A failed consultant.
  - A technical guy.
  - His own best worker.
  - Digging into details.
  - Not able to sell his ideas.
- A consultant who was imposed.
- The ‘father’ of the LON solution.
- The ‘mother’ of the NY solution.
- A system administrator.
- Hired process modellers.
- Corporate IT members.
- Sponsor was the CISO.

The Systems
- A huge list of systems to support.
- Many legacy systems (mainframe).
- Some all-user systems like W2K, Lotus NOTES.
- Some very sensitive few-user systems.
- The HR system had a hybrid function:
  - Carrying authoritative data.
  - But not serving as the process trigger (too late).
- Cross-system unique identifier neither implemented nor foreseen.

The Approach
- Analyse the LON Evidence System.
- Analyse the NY Fulfilment System.
- Try to combine these two systems.
- Three subprojects …
  - Processes.
  - Evidence.
  - Fulfilment.
- Phases:
  - Pre-study – lay the foundation.
  - Vendor selection – business layers.
  - Process modelling.
  - Piloting.
  - Implementation.
- A ‘very sensitive few-user system’ was selected for the 1st implementation.

The Project progression
[Timeline chart, months 0 to 21 in steps of 3. Project phases: Pre Study, ROI, Approval, Vendor Selection, Process Definition, Initial Build, Pilot. Surrounding events: NY Mgt Change, Lon Mgt Change, Ops Mgt Involvement, Budget Tightens, Company Splits.]

The End
- The production deployment never happened.
- The ‘customers’ were reluctant to take on additional costs.
- After one year of duration, huge efforts and monetary investment, all activities were stopped.
- Project successful – mission failed?

The Lessons
- Why did the project fail?
- What were early indicators for failure?
- What lessons could be learned?

Please come up with your suggestions.

Questions, Suggestions, Hints?
Thank You!!

Stop
Appendix
From here on the back-up slides follow ...

Lessons – watch out for …
Roles and privileges
- Most provisioning systems support roles.
- If no roles are / can be defined, you should skip roles.
- You can’t afford to define roles in a deployment project (watch the scope).

Human Resources Dep.
- In most cases the owner of employee data.
- They are often not used to working in projects.
- Not used to real-time processes.

„Politics“
- Access control systems affect many departments.
- 20% is technology – 80% „politics“.
- Achieve user ‘buy-in’ – or leave them out.
- Use force only with the backing of senior management.