How to establish your functional requirements for an Identity and Access Management System

1st November 2016

In order for organisations to determine the effectiveness and efficiency of their identity and access management (IAM) systems, they first need to assess the extent to which their deployed systems fulfil their functional requirements. Simply put, do these IAM systems do what is needed by the organisation and its intended users? It is therefore necessary and logical to establish the functional requirements before assessing the features and functions of candidate IAM systems.

Functional requirements for an IAM system depend upon an understanding of several factors relevant to the organisation, stakeholders (including users) and application context(s). This and an analysis of the acquired data then allows for the production of functional performance and assurance requirements for an IAM system.

We categorise these interrelated factors into ten themes:
1. Business case: An understanding of the business problems and the rationale for organisations to introduce or revise an IAM system is fundamental.
2. Applications and resources: An understanding of the nature and scope of the assets and the operations of those assets need to be acquired.
3. Assessment of risks on assets: Knowledge of the operations and technology platforms that underpin business processes are essential as organisations migrate towards heterogeneous IT environments and distributing processes.
4. Business objectives: The sponsor’s objectives to introduce or revise an IAM system need to be fully understood and articulated.
5. User community’s characteristics: An understanding of the characteristics of the user community creates advantages (and limitations) for utilising certain types of user authentication methods.
6. Usage environments: It is important to understand the physical and logical characteristics of the environments in which the user communities operate, including the types of ubiquitous devices utilised.
7. Constraints: An understanding of constraints, ranging from technical limitations to social norms accepted by the user community, is vital.
8. Organisational policies: Organisations’ security policies are most relevant to defining the functional requirements for identity and access management systems.
9. Privacy protection: The IAM system owner, as the data controller, needs evidence to demonstrate compliance with privacy, social accessibility and discrimination legislation.
10. Management data: Finally, it is necessary to gain an understanding of the data that are required to perform periodic audit reviews, security investigations and information for compliance purposes.
To find out more about Ilex International’s range of Identity and Access Management solutions, click here.

Written by Steve Mullan, UK Operations Manager, Ilex International