2013 GRC Value Award: Identity & Access GRC

GRC 20/20 Research awarded AlertEnterprise, Inc. its 2013 GRC Value award in the Identity & Access GRC category. Enterprise Guardian™ from AlertEnterprise was deployed at a large utility corporation. The implementation gave the utility insight into its identity repository and multiple IT systems to identify risks and eliminate threats, while meeting NERC and NERC CIP compliance. AlertEnterprise estimates the utility sees annual benefits of $1 million, perhaps greater, as a direct result of the implementation (see exhibit, below).

Value Drivers                                        | Technical Baseline/Benchmarks        | Estimated Improvements (%) | Estimated Benefit ($)
-----------------------------------------------------|--------------------------------------|----------------------------|----------------------
Improve compliance and audit FTE efficiency          | 10 FTEs allocated for 6 months       | 12%                        | $150,000
Improve IT FTE efficiencies for enterprise security  | (IT + physical + SCADA) = 10 FTE     | 15%                        | $200,000
Reduce noncompliance penalties (NERC/CIP)            | Avoid reg. fines ($1M max/violation) | 10%                        | $100,000
Reduce O&M costs (truck rolls, etc.)                 | $2,000 per incident                  | 10%                        | $300,000
Reduce incident response costs                       | 10 FTEs allocated                    | 15%                        | $150,000
Reduced costs due to an integrated platform          | Converged security and compliance    | 15%                        | $200,000
Total Annual Benefits (Recurring/One-Time)           |                                      |                            | $1,000,000

Source: AlertEnterprise, Inc. and GRC 20/20, 2013

The main short-term benefits include immediate identification of risk and conformity with regulatory standards. AlertEnterprise helped the utility remain compliant with NERC CIP regulations via automation of various business processes and procedures.

Enterprise Guardian leverages IT-OT convergence capabilities by linking SAP and other IT applications with physical access control systems and SCADA/operational systems to deliver critical infrastructure protection by eliminating organizational silos. Industry-specific content packs deliver fast and effective means to meet regulations, automate contractor-employee onboarding/offboarding, identity, access and role lifecycle management, simplify badging process and leverage identity analytics while reducing the complexity of provisioning across all these systems.

Customer challenges

As one of the largest electric utilities in the United States, the company required an all-encompassing enterprise access management system and solution. Primary challenges included:

  • Multiple legacy applications lacking common centralized processes to assign and monitor access
  • Large identity and access management application deployment from a major vendor that did not link to internal applications
  • Contractor access to applications tracked manually, lacking documentation and evidence
  • Decentralized process for NERC CIP 004 access management
  • Tracking of the certifications required for CIP access is manual and time-consuming across systems (PACS)

AlertEnterprise’s solution delivers these capabilities to address these challenges:

  • More efficient access management of individuals within the company
  • Establishment of one integrated system with oversight over multiple departments and systems
  • Establishment of a central repository of contractors (contract management system)
  • Complete integration for onboarding and offboarding across SAP, IAM application from major vendor, and multiple legacy applications
  • Overall, centralizing processes, automating manual tasks and providing efficiencies around compliance activities for NERC CIP 004 R1, R2, R3 and R4

A legacy system that became ungovernable

For more than a decade, the utility built a variety of tools and applications to manage identity and access within its organization. The utility also incorporated an identity and access management (IAM) system from a major vendor. The utility soon faced challenges bridging its home-grown system with this system, which created a conflict when trying to manage access across logical systems, or when it attempted to customize workflow and enforce policies. Adding to the challenge was that none of the utility’s homegrown systems could be retired as planned.

Before the implementation of the AlertEnterprise solution, the process was managed manually by various teams, which were mostly technical in nature. This was because multiple systems operated in silos with no interconnectivity or insight. These processes were expensive and time-consuming, and the result was unsatisfactory.

Instead of spending days requesting various departments to reconcile user access via spreadsheets, AlertEnterprise allows the utility's users to pull a report of user access at any time. AlertEnterprise also automates manual tasks and drives these processes through a quality-driven application. AlertEnterprise helped the utility cut the costs and human capital needed to operate its complex IT solutions. The unified solution allows business as well as technical users to operate IT-related tasks. Fewer resources are needed to ensure compliance regulations are met and duties are completed across systems.

A bright future outlook

AlertEnterprise will allow the utility to continue its day-to-day processes and automatically enforce the policies in place to meet NERC CIP compliance and other regulatory requirements. The utility can also expect these features in the long term across IT, physical and OT (Industrial Control/SCADA) systems:

  • Automated user and access lifecycle management
  • Automated user and role certifications
  • Unified identity warehouse
  • Comprehensive audit and reporting
  • Automation of processes for security, compliance, internal audit and business enablement

To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients
