12 questions to ask before implementing an identity management system

Here are 12 questions to ask before implementing an identity management and access control system.


In this report:

Identity management a complex process with a simple goal


  1. What noninformation technology departments and systems need to work with the identity management system? For example, human resources, physical security, finance? Do they already have information or systems in place that will help the initiative?
  2. What business processes need to be put in place to support identity management? Who will create, implement and manage the processes?
  3. Is a suite or best-of-breed approach best for your organization? Does the suite have everything you need, or will you still need additional components from other vendors? Can you purchase just one part of the suite and add other components later?
  4. What existing systems will need to integrate with the identity management system? Identity management software typically works well with Web-based or commercial applications but not with custom applications. Who will do the integration?
  5. What expertise do you have in-house for implementing the system? What outside help is required?
  6. Which features of identity management will you implement first — single sign-on, provisioning, identity life cycle management, role-based access control?
  7. How will users be deprovisioned so there are no orphan accounts?
  8. Who is responsible for defining roles and access rights and assigning those to users?
  9. Besides agency employees, who else needs access — general public, vendors, contractors, state and local agencies? How will you manage and control them?
  10. What types of physical components need to be integrated — Homeland Security Presidential Directive 12 smart cards, fingerprint readers, door locks, radio frequency identification chips and sensors?
  11. What cultural barriers will you have to overcome? How?
  12. How will you balance security needs with usability? You don't want users using Post-it Notes to keep track of passwords that are too difficult to remember or have excessive help-desk calls for password resets.

About the Author

Connect with the GCN staff on Twitter @GCNtech.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above