3.3. Inventory your Campus
Now that you have a set of guiding principles in hand, develop an inventory of the current policies, processes, and technology practices and requirements, both on your campus and in the wider higher-education community. The questions below cover the identity management issues that bear on authentication; they are intended to frame your future discussions and to raise awareness of existing issues. Recommended areas for your inventory include:
- Policy Framework - This section helps you to understand the broad policy landscape (or the currently stated "what" and "why") on your campus, navigate the policy-making process (or advocate the establishment of one), and identify the gaps and possible approaches when the time comes.
- Current Approaches - This section provides guidance for taking a snapshot of how policy is implemented, including the architecture and related processes, such as identity vetting and credentialing. Information gleaned in this section will illuminate what LoA your credentials have at present.
- Context - This section offers a set of issues to review to determine what drivers and context information can help guide your planning. It includes a more detailed inventory of drivers and feedback about the services and constituents of the future.
Policy Framework
- Policy Frameworks - Do you have institutional, information technology, identity, or security policy frameworks that already contain authentication-related policies, or into which newly developed policies can fit?
- Principles and Policies - What broad governing principles or policies do you currently have which may relate to managing authentication and access to electronic resources in general, e.g., policies on responsible or acceptable use, computer account eligibility, change management, log review, and audit?
- Existing Authentication Policies - What specific policies, guidelines, or other documentation does your organization have on authentication-related elements, such as identity proofing, identifier assignment, account eligibility, password, or other credential issuance and re-issuance?
- Governance - What is your policy governance approach, e.g., with respect to policy development, review, approval, and interpretation?
- Audit and Regulations - Do you perceive current, or future, audit and regulatory requirements that may affect the approach you take to managing access to electronic resources?
Current Approaches
- Degree of Centralization - Is all of your authentication currently performed on a per-application or per-system basis, or are integrating or centralized approaches (e.g., LDAP, Kerberos, Single Sign-On) in use, and if so, to what extent?
- Identifiers - How do you assign identifiers (usernames) to members of your community? How early in the admissions or hiring process are identifiers assigned? Do you have a unified institutional approach to identifier assignment, or are there many identifiers assigned to individuals by different authorities?
- Credentials - How do you assign passwords or other credentials to members of your community? Do you have a self-service capability in place for initial password setting and for password reset? Do you use any authentication techniques or credentials other than username/password? What evidence of identity do you require users to present before credentials are issued? Are your passwords sufficiently protected in transit by the use of encryption?
- Authentication Level - Do you categorize different applications, services, or communities as requiring different levels or types of authentication?
- Management - Organizationally, who is responsible for the management of any shared or centralized authentication services? Do you have the internal resources and expertise to evolve your authentication approach if you so choose? How do you tend to balance the authentication mechanisms of commercial, open-source, and internally developed solutions?
- Issues - What problems do you perceive with your current authentication approaches? What are your architectural or technical requirements?
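The "Current Approaches" questions above are easier to act on when the answers are recorded per service rather than as free text. The following is an added example, not part of the guide, that models a small authentication inventory as structured records and flags the gaps the questions ask about: per-application credential stores, passwords sent without encryption, no self-service reset, credentials issued without evidence of identity, and services whose required authentication level has never been categorized. The field vocabulary (`backend`, `credential_transit`, `identity_proofing`, `assurance_level`) and the sample services are assumptions constructed for illustration, not data from any campus.

```python
# Added example: a structured authentication inventory with a gap check.
# Not from the guide; the service records and the field vocabulary are
# constructed assumptions used only to illustrate the inventory questions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuthService:
    name: str
    backend: str                    # "local" (per-application), "ldap", "kerberos", or "sso"
    credential_transit: str         # "tls" or "plaintext"
    self_service_reset: bool
    identity_proofing: str          # "in_person", "remote_documented", or "none"
    assurance_level: Optional[str]  # campus category such as "basic"/"elevated"; None if uncategorized


def assess(svc: AuthService) -> List[str]:
    """Return the inventory gaps for one service, one string per gap."""
    gaps = []
    if svc.backend == "local":
        gaps.append("per-application credential store, not integrated with central authentication")
    if svc.credential_transit != "tls":
        gaps.append("credentials are not protected in transit by encryption")
    if not svc.self_service_reset:
        gaps.append("no self-service password reset")
    if svc.identity_proofing == "none":
        gaps.append("credentials issued without recorded evidence of identity")
    if svc.assurance_level is None:
        gaps.append("required authentication level not categorized")
    return gaps


def centralization_ratio(services: List[AuthService]) -> float:
    """Fraction of services using a shared backend rather than a local store."""
    if not services:
        return 0.0
    shared = sum(1 for s in services if s.backend != "local")
    return shared / len(services)


def summarize(services: List[AuthService]) -> Dict[str, List[str]]:
    """Map each service name to its gap list; a service with no gaps maps to []."""
    return {s.name: assess(s) for s in services}


# Constructed sample inventory (not real campus data).
SAMPLE_INVENTORY = [
    AuthService("student-portal", "sso", "tls", True, "in_person", "basic"),
    AuthService("library-proxy", "ldap", "plaintext", True, "in_person", None),
    AuthService("legacy-grades", "local", "plaintext", False, "none", None),
    AuthService("hr-system", "kerberos", "tls", True, "remote_documented", "elevated"),
]

if __name__ == "__main__":
    for name, gaps in summarize(SAMPLE_INVENTORY).items():
        print(f"{name}: {len(gaps)} gap(s)")
        for g in gaps:
            print(f"  - {g}")
    print(f"centralization: {centralization_ratio(SAMPLE_INVENTORY):.0%}")
```

Recording the inventory this way makes the "Return on Investment" question later in this section answerable from data: the services with the longest gap lists are the first candidates for migration to the central service, and the centralization ratio gives a single number to track as the plan progresses.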
Context
- Peers - What are your peer institutions doing with respect to managing authentication and other identity management services? What can your organization learn from them to apply to your own environment?
- Partners - What external service partners do you have and how do you address access to resources you don't directly manage?
- External Drivers - To what extent do you perceive pressures for changes to your authentication approaches along the lines outlined above in the "Drivers for Change" section?
- Leverage - Do you have information technology projects now beginning or underway that you can leverage or coordinate with closely as you evolve your management of authentication?
- Return on Investment - What applications or systems do you have that would most benefit from improvement in their use of authentication, either to enhance security or to improve the end-user experience?
- Communities - To what groups of people beyond on-campus faculty, staff, and students do you provide services? Are additional groups being considered?
Now that you have a more complete understanding of what is in place, move to the next section to find out how to develop your plan.
