OCIO PPMO / Washington University in St. Louis

Project Charter – AD/IAM Integration (part of the IIP)

Integrated Infrastructure

Project Charter – Identity and Access Management 2.0

Prepared by: Sundos Masri

Project Sponsor: Kevin Hardcastle

Date Last Modified: 09/15/2017

Revision History

Name / Date / Change and Reason for Changes / Version
Tom Imlay / 8/13/2015 / Initial draft / 1.00
Jennifer Zayed / 8/17/2015 / Second draft to include IAM proposal metadata / 2.00
Tom Imlay / 8/27/2015 / Updated to shift focus onto IAM – less about AD / 2.01
Tom Imlay / 9/1/2015 / More updates to shift focus to IAM / 2.02
Tim Kelly, et al. / 9/1/2015 / Updated per conference call / 2.03
Tom Imlay, et al. / 9/11/2015 / Polished / 2.04
Dan Zweifel, et al. / 11/25/2015 / Third draft / 3.00
Tim Kelly, et al. / 1/25/2016 / Incorporated feedback from John to improve scope and benefits. Added introductory paragraph to more clearly tie this project to the AD work being done as part of shared services. / 3.01
Tom Imlay / 1/26/2016 / Formatting change on revision history table / 3.02
Kevin Hardcastle, et al. / 2/2/2016 / Updated cost estimate and scope items / 3.03
Sundos Masri / 3/1/2017 / Recreated an up-to-date charter / 3.04
Sundos Masri and Dan Zweifel / 3/13/2017 / Made edits / 3.04

Contents

Revision History

1. Approvals

2. Scope Summary

2.1. Project Purpose

2.2. Problem Statement

2.3. Goal Statement

2.4. Project Scope Phase 1

2.5. Project Scope Phase 2

2.6. Out of Scope

3. Milestones

4. Core Level Requirements

5. Impact Assessment

5.1. Impacted Systems, Processes, Services

5.2. Assumptions, Constraints, and Dependencies

5.2.1. Assumptions

5.2.2. Constraints

5.2.3. Dependencies

5.3. Guiding Principles

6. Project Structure

6.1. Project Team Roles

6.2. Project Team Members/Stakeholders

7. Project Approach/Methodology

1. Approvals

Role & Approval Detail / Name of Approver, Approval Date and Approval Method
Project Sponsor – Chief Information Security Officer (CISO), WashU IT / Kevin Hardcastle
Director – Shared Infrastructure, WashU IT, Enterprise Engineering / Zweifel, Dan

2. Scope Summary

The project scope is to conduct an IAM current state analysis, business process review, IAM project prioritization, and define high-level future state requirements to support the goal of implementing a consolidated, centralized IAM solution.

2.1. Project Purpose

A new user and resource authentication system based on Microsoft Active Directory is being implemented as part of the Shared IT Services program. The new system will serve as the point of consolidation for all user authentication systems within the university.

The purpose of this Identity and Access Management (IAM) Project is to leverage the new consolidated Active Directory environment that will be put into place by the Shared IT Services Program. This project will implement additional technologies and create the policies and processes necessary to operate a new Identity and Access Management service. The new IAM service is intended to provide all Washington University in St. Louis faculty, staff, students, alumni and certain affiliates with a single identity and secure authentication/authorization throughout the lifecycle of their affiliation. Additionally, the IAM system will be federated with standardized identity management systems to allow Washington University credentials to be used with a larger number of peer institutions and granting agencies.

2.2. Problem Statement

The problem/opportunity / Affiliates currently have multiple identities to authenticate into and gain authorization for use of university resources. Additionally, the current fragmented administration and lack of an authoritative directory result in complexity that makes provisioning slow and compromises the security posture of the environment.
which affects / Ease of access to university resources for ALL university constituents.
the impact of which is / Lack of interoperability between WashU departments and business partners such as BJC.
a successful solution would / Provide a single identity for access to all/most systems and simplify administration of credentials.
consequences of inaction are / Affiliates will continue to work around structural barriers and security complexities, resulting in an inconsistent experience.

2.3. Goal Statement

The goals of this project are:

1) Create a service that provides a single identity and secure authentication/authorization throughout the lifecycle of affiliation for all Washington University in St. Louis faculty, staff, students, alumni and certain third-party affiliates.

2) Enhance group management features to empower affiliates to create and consume groups.

3) Identify and implement the processes, tools and technologies necessary to accomplish goal 1.

4) Align with the Integrated Infrastructure project to unify the consolidated Active Directory structure and facilitate common user sign-on across the university.

5) Provide identity federation with third parties, including BJC.

6) Reduce both the number of credentials that affiliates use and the frequency with which those credentials must be re-entered by:

a) Enhancing the flexibility of IAM systems to support a wider range of system integrations.

b) Integrating additional clinical and mission-specific applications with the central IAM system.

2.4. Project Scope Phase 1

# / In Scope / Benefits / Validation Measure
1) / Reduced sign-on / Ease of authentication / An environment exists that all enterprise and departmental applications can leverage for user authentication. The environment will also support the migration of users into the user service.
2) / Implement federation with the BJC Healthcare system / Expand sharing of resources across partners / Enable use of WashU credentials to access BJC resources.

2.5. Project Scope Phase 2

# / In Scope / Benefits
1) / Build or acquire Identity and Access Management (IAM) tools that can facilitate interoperability and streamline integration across University applications. /
  • Adopts standards-based protocols and approaches to integration
  • Provides clearly documented guidelines and practices to enable application groups to integrate with IAM
  • Improves automation capabilities for University workflow and orchestration systems

2) / Identify, acquire and implement an Access Policy Management solution. / Improves accountability for user provisioning and account changes by creating a single point of control with detailed audit reports.
3) / Provide the capability for end-user self-service group management. / Empowers customers to grant access to data and systems in a simple, on-demand fashion.
4) / Facilitate definition of roles for the enterprise and implement appropriate system access controls. / Discreetly and consistently controls access to University technology resources.
5) / Implement the InCommon Identity Certification service. / Improves collaboration with peer institutions, government agencies and research partners by allowing the university to certify the authenticity of user credentials.
6) / Define the necessary notifications to be generated as a result of identity lifecycle events. / Automatically provides information about role changes to relevant system administrators and business process owners.

2.6. Out of Scope

# / Out of Scope / Reason for Exclusion
1) / Make IAM authoritative / IAM will not replace HRMS, ADIS, etc. as systems of record.
2) / Certificate management / Improved management, secure storage, access and monitoring of certificates across systems is a separate effort.
3) / Migration of legacy systems to the new IAM solution / Not all systems are capable of certain modern interfaces. Guidance and documentation will be provided for legacy system owners.

3. Milestones

Milestone / Proposed Time Frame / Description
Complete IAM assessment/requirements / June 1st / Statement of Work (SOW)
Approve revised charter / (no date given) / Submit charter to governance to fulfill the request for more detail before securing funding
Get funding approval / (no date given) / Money is allocated and needs to be released
Onboard project resources (PM and design/architect resources) / April 15, 2017 / Develop detailed design and implementation plan
Optiv kick-off / April 24, 2017 / (no description given)
Begin IAM analysis and design / May 15 to May 26 / Project on-site discovery begins
Project assessment/requirements complete; sponsor sign-off on design / August 25, 2017 / (no description given)
RFP release / August 2017 / Get proposals and quotes
Vendor/technology/partner selection / October 2017 / RFP process and selection
Complete implementation planning / December 2017 / Establish technology implementation plan and define migration approach and timing
Implementation begins / January 2018 / (no description given)
WashU technology implementation complete / July 2018 / (no description given)
Environment ready for customers / July 2018 / Legacy system migrations can start

4. Core Level Requirements

Req ID / Requirement
1) / User Lifecycle Management
  • Onboarding/new user provisioning based on authoritative source entries
  • Mass new user provisioning (bulk load) based on a defined CSV flat file upload
  • Manual provisioning via the solution interface
  • Offboarding/deprovisioning based on authoritative source updates
  • Normal/planned terminations
  • Emergency/hostile terminations
  • Transfers – job code, department, location and/or position code changes
  • Updates – last name, job title, address, phone number, etc. changes
  • Leaves of absence
  • Rehires
  • Delegated administration
  • Employee-to-student conversions
  • Contractor-to-employee conversions
  • Employee-to-alumni conversions
  • Self-service access requests
  • Manager access requests

2) / Certifications
  • Manager Certification – user entitlement/role review for direct reports
  • Application Owner Certification – user entitlement/role review for users with access to a managed application/system
  • Role Composition Certification – entitlements/applications associated with roles

5. Impact Assessment

5.1. Impacted Systems, Processes, Services

1) All university and BJC users, including staff, students, faculty and the medical community.

2) Access to external cloud services would be easier with a common user credential.

3) Deprovisioning credentials will be simplified, ensuring compliance standards are met with HIPAA, PCI-DSS and other regulatory mandates.

4) Simplifies the means by which BJC grants access to medical systems and reduces the complexity of account sharing across business units.

5) New self-service interfaces will require user orientation.

6) Administrative staff may require training.

7) Administrative processes will need to be changed to leverage role-based access models.

8) Potential need for additional resources for ongoing operational support based on the expanded service offering.

5.2. Assumptions, Constraints, and Dependencies

5.2.1. Assumptions

1) Subject Matter Experts (SMEs) will be assigned to the project and have sufficient time to focus on it.

2) A performance support specialist will be assigned to help with adoption of systems.

3) The Shared Infrastructure team and the End User Services team will collaborate to ensure that both projects coordinate effectively.

4) The transition-to-operations process will be defined and executed.

5.2.2. Constraints

1) University “black-out dates” for maintenance time on key systems limit the implementation schedule; e.g. some schools will not allow maintenance/updates during the semester.

2) IAM go-live must coincide with the beginning of the school year to minimize impact on the academic schedule.

3) Technology maturity of IAM solutions may limit capabilities or require custom development.

5.2.3. Dependencies

1) Funding for labor and capital resources needs to be available.

2) Key resources must be assigned to the project and have sufficient time to focus on their task assignments.

5.3. Guiding Principles

  • Design the future-state AD to meet the department, school and user services requirements. The current hypothesis is that WUSTL Key can serve as the future state; perform a fit/gap analysis on the WUSTL Key environment to create a plan for meeting requirements. If the WUSTL Key changes are more work than standing up a new environment, readdress the hypothesis.
  • Keep IAM in mind during AD design sessions to make sure the two fit together seamlessly.

6. Project Structure

6.1. Project Team Roles

Role / Purpose / Responsibilities
Project Sponsor(s) / Provides resources and support for the project and is accountable for enabling success /
1) Provides project objectives and goals
2) Provides funding
3) Approves the Project Charter and Plan
4) Signs off on approvals to proceed to the next phase
5) Acts as vocal and visible project champion
6) Is the ultimate decision maker for the project
7) Regularly communicates and aligns with governance bodies

Steering Committee (includes management representatives from key stakeholder groups) / Project governance/oversight /
1) Acts as advisory group for the design, implementation and training aspects of the project
2) Acts as vocal and visible project champions and liaisons to stakeholders
3) Approves project deliverables
4) Approves scope changes to be presented to the sponsor
5) Helps resolve issues and policy decisions
6) Provides resources (in some cases)
7) Provides subject matter expertise

Project Manager / Directs and manages project work /
1) Responsible for ensuring that the Project Team completes the project; responsible for management of the project process
2) Develops the Project Charter and a comprehensive project plan via joint planning with the Project Team
3) Coordinates and manages the team’s performance of project tasks, ensuring integration of all project work with a focus on the creation of project deliverables and work performance information
4) Secures acceptance and approval of deliverables from the Project Sponsor, Steering Committee and Stakeholders
5) Responsible for communication, including the status of project health
6) Responsible for risk management and the escalation of issues that cannot be resolved within the team
7) Responsible for managing change requests and documenting decisions made by accountable parties: sponsor, steering team, Functional Project Lead, Enterprise Architecture, Information Security, etc.
8) Manages project procurements, working with Resource Management
9) Ensures the project is delivered within budget, on schedule and within scope

Technical Project Lead / Provides technical leadership /
1) Ensures project success by providing technical system expertise to guide technical work, coordinating closely with the PM
2) Ensures successful translation of business requirements into technical specifications and solutions
3) Provides the Project Team with vision, understanding and guidance on how the various pieces of the solution will fit together at WUSTL
4) Owns the entire solution from a technical design and engineering perspective and ensures it is consistent with the architectural standards of the organization; works with EA and Information Security as needed
5) Lends expertise to evaluate vendor offerings, specifically around the transition to the new solution, including any conversion activities and integrations; works with the PM to size technical effort
6) Guides how the solution will operate and function in the context of the larger technical ecosystem at WUSTL (interfaces, interoperability, built for support, reuse, traceability, etc.)
7) Drives change to mitigate system/technical risks; facilitates resolution of technical system issues
8) Ensures technical testing, deployment and transition-to-support plans are appropriate
9) Understands the technical delivery and IT service management resources, processes and tools required for successful delivery of the product or service, and works with the Project Manager to ensure they are appropriately represented in project plans

Business Analyst or Business Systems Analyst / Requirements management /
1) Takes a leadership role in defining, analyzing and documenting requirements, working with the Business/Functional Project Lead and appropriate SMEs
2) May assist with or participate in defining the business case
3) Elicits requirements (business, stakeholder, solution, functional, non-functional, transition)
4) Organizes, translates and simplifies requirement statements for appropriate use in the solution development/configuration process
5) Takes the lead role in planning, monitoring and designing use cases and test cases as well as acceptance testing criteria
6) Participates in planning and determining the content of training materials, working with performance support resources

Core Team / Provides leadership of the various domains/disciplines necessary to plan and execute project work /
1) Leaders of the various functional areas/units who must create the deliverables necessary to successfully complete the project; emphasis is on “doers” of work
2) Guides the work of the Extended Team, also “doers” who create project deliverables (project management deliverables and technical deliverables) for review and verification by customers, the Steering Committee and the Sponsor(s)
3) Participates in joint planning sessions with the PM
4) Always includes the PM, Business/Functional Project Lead, Technical Project Lead and Business Analyst; may also include representatives from functional business areas, key IT disciplines, external entities (vendors), etc.

Extended Team / The “doers” who create project deliverables /
1) Includes all resources who provide labor to create the deliverables of the project
2) May include members of functional business departments, external entities (vendors), IT resources, customers, etc.

6.2. Project Team Members/Stakeholders

List all staff participating in the project and indicate which role(s) they belong to. List each participant only once and indicate all roles they belong to for this project.

Team Member / Title / Role
Kevin Hardcastle / CISO /
  • Project Sponsor
  • Steering Committee Chair

Dan Zweifel / Director /
  • Steering Committee
  • Core Team

Sundos Masri / Project Manager /
  • Project Manager
  • Steering Committee
  • Core Team

Core Team / Various /
  • Project Manager, Technical Project Lead, Business Analyst and Vendor lead

Sidney Johnson / Manager, Shared Infrastructure /
  • Technical Lead

Vendor lead / Project Manager /
  • Project Manager
  • Core Team

7. Project Approach/Methodology

This project will utilize a standard methodology of:

  • Initiation – Begins with the project suggestion and includes the development of the project charter.
  • Planning – Includes the development of the project plan, resource allocation and budgeting.
  • Implementation – Includes the execution of the tasks on the plan, vendor deliverables, development, testing, and user and support-level training.
  • Closure – Begins after the completion of the implementation phase of the project and includes the project warranty period, handing over day-to-day support via the Operation Support Plan, and a project lessons-learned review.
  • This project will be organized into two phases (AD and IAM). Each phase will be included in the project plans for the main project.
  • Where and when appropriate, we will investigate and/or use some form of agile/scrum methodology.
  • Review current technology capabilities and determine if they are suitable for scaling up for university-wide use.
  • The two-phase project will leverage data and expertise from both the AD work team and the IAM work teams during the analysis, planning and implementation of each phase.

IAM Project Charter – Washington University in St. Louis – Page 1 of 11

Internal Use Only