If you just turned to this section from the Table of Contents, you might be expecting a list of important principles for creating an IMA. Sorry to disappoint you. Rather, this section is about creating your own set of guiding principles that reflect the culture and objectives of your organization.
As I described earlier in this chapter, we created a process for defining how we'd make e-government the standard way of doing business for Utah government. One of the most important things to come out of that process was a set of principles for e-government in Utah (see "Principles for E-government in Utah").
We created these principles using a facilitated process where over 100 people broke into smaller groups, brainstormed principles, and then chose the ones they thought were most important. We brought all those groups back together, had them present their results, and then the entire group determined a short list of seven principles that were the most important.
I'm confident that we ended up with a set of principles that represented the feelings of the business and IT leaders in Utah state government. Over the coming months, these principles served as a charter of sorts that we could refer to. These principles grounded the discussion in important objectives and kept it on course.
Building a similar list of principles for your IMA process will bring the people whose support you need together and make them feel like a part of the process and the decision making. You'll be more sure that the decisions made further down the road will gain widespread support if they are based on principles that everyone helped create.
An important part of this process is the up front work to educate the participants in the crucial ideas and let them form educated opinions. We were lucky in Utah that we'd been discussing e-government for several years, so almost everyone had a core set of beliefs and ideas. In addition, Governor Leavitt had been a strong proponent of e-government, and had made his own views evident in cabinet meetings and other venues. These things made our job easier.
One way to jumpstart the process is to get people thinking about where they stand on some key, strategic choices. Burton Group has published a list of IT architecture principle areas that can be used to start a discussion of principles and guide people to an enterprise-wide set of core principles. I've adapted these to issues relevent to an IMA. The revised areas are shown in Table 14-2.
Table 14-2. IMA principles
Management |
Vendor |
User |
Identity |
---|---|---|---|
Technology risk acceptance |
Single vendor versus "best of breed" |
Must use versus optional service |
Accountability versus access control |
General versus optimal solution |
Second sourcing |
Billing and chargeback |
Partners and federation |
Cost center versus competitive advantage |
Proprietary versus openness |
Universal service |
Security versus business enabler |
Degree of autonomy |
Vendor risk |
Privacy | |
Project justification |
Outsourcing |
Online versus Traditional |
Areas in the Management column raise questions about how management feels. Is your organization risk averse? Does management expect an optimal solution? Is IT (and hence and the identity infrastructure) treated as a cost center or a means of competitive advantage? What degree of autonomy does the IT organization have? Do projects have to be justified in strict ROI terms?
Areas in the Vendor column raise questions about the enterprise's feelings toward your organization's relationships with vendors. Do you prefer to work with single vendors or are you comfortable integrating products from multiple vendors? Is it important that you have a second source for mission critical products and services? Do you prefer open solutions? What level of vendor risk is your organization comfortable with? What is your philosophy toward outsourcing?
Areas in the User column raise questions about the enterprise's feelings toward users. Are users required to use services and infrastructure created by the IMA or is such use optional? Does IT bill for services? Is IT expected to support all users or just some?
Areas in the Identity column raise questions about issues we've discussed in the earlier sections of this book. Where can your organization use accountability to augment or replace strict access control? What plans do you have for federating identity information with partners? Does your business see identity in terms of security or as a business enabler? What is the attitude toward privacy? Are you engaged in self-service-style online transactions with your customers?
Don't try to come up with a principle for each area in Table 14-2. These are just areas to jump-start your discussion. In the end, you should come up with 6 to 12 principles that are the most important to your organization. This list should be communicated widely and used as the basis for the activities that follow.