2013 GRC Value Award: Identity & Access GRC
GRC 20/20 Research awarded AlertEnterprise, Inc. its 2013 GRC Value award in the Identity & Access GRC category. Enterprise Guardian™ from AlertEnterprise was deployed at a large utility corporation. The implementation gave the utility insight into its identity repository and multiple IT systems to identify risks and eliminate threats, while meeting NERC and NERC CIP compliance. AlertEnterprise estimates the utility sees annual benefits of $1 million, perhaps greater, as a direct result of the implementation (see exhibit, below).
| Value Drivers | Technical Baseline/Benchmarks | Estimated Improvements (%) | Estimated Benefit ($) |
| --- | --- | --- | --- |
| Improve compliance and audit FTE efficiency | 10 FTEs allocated for 6 months | 12% | $150,000 |
| Improve IT FTE efficiencies for enterprise security | (IT + physical + SCADA) = 10 FTE | 15% | $200,000 |
| Reduce noncompliance penalties (NERC/CIP) | Avoid reg. fines ($1M max/violation) | 10% | $100,000 |
| Reduce O&M costs (truck rolls, etc.) | $2,000 per incident | 10% | $300,000 |
| Reduce incident response costs | 10 FTEs allocated | 15% | $150,000 |
| Reduced costs due to an integrated platform | Converged security and compliance | 15% | $200,000 |
| Total Annual Benefits (Recurring/One-Time) | | | $1,000,000 |

Source: AlertEnterprise, Inc. and GRC 20/20, 2013
The main short-term benefits include immediate identification of risk and conformity with regulatory standards. AlertEnterprise helped the utility remain compliant with NERC CIP regulations by automating various business processes and procedures.
Enterprise Guardian leverages IT-OT convergence capabilities by linking SAP and other IT applications with physical access control systems and SCADA/operational systems to deliver critical infrastructure protection by eliminating organizational silos. Industry-specific content packs deliver fast and effective means to meet regulations; automate contractor-employee onboarding/offboarding and identity, access and role lifecycle management; simplify the badging process; and leverage identity analytics, while reducing the complexity of provisioning across all these systems.
Customer challenges
As one of the largest electric utilities in the United States, the company required an all-encompassing enterprise access management system and solution. Primary challenges included:
- Multiple legacy applications lacking common centralized processes to assign and monitor access
- Large identity and access management application deployment from a major vendor that did not link to internal applications
- Contractor access to applications tracked manually, lacking documentation and evidence
- Decentralized process for NERC CIP 004 access management
- Tracking of certification required for CIP access is manual and time-consuming systems (PACS)
AlertEnterprise’s solution delivers these capabilities to address these challenges:
- More efficient access management of individuals within the company
- Establishment of one integrated system with oversight over multiple departments and systems
- Establishment of a central repository of contractors (contract management system)
- Complete integration for onboarding and offboarding across SAP, the IAM application from a major vendor, and multiple legacy applications
- Overall, centralizing processes, automating manual tasks and providing efficiencies around compliance activities for NERC CIP 004 R1, R2, R3 and R4
A legacy system that became ungovernable
For more than a decade, the utility built a variety of tools and applications to manage identity and access within its organization. The utility also incorporated an identity and access management (IAM) system from a major vendor. The utility soon faced challenges bridging its home-grown system with this system, which created a conflict when trying to manage access across logical systems, or when it attempted to customize workflow and enforce policies. Adding to the challenge was that none of the utility’s homegrown systems could be retired as planned.
Before the implementation of the AlertEnterprise solution, the process was managed manually by various teams, which were mostly technical in nature, because multiple systems operated in silos with no interconnectivity or insight. These processes were expensive and time-consuming, and the result was unsatisfactory.
Instead of spending days asking various departments to reconcile user access via spreadsheets, AlertEnterprise allows the utility's users to pull a report of user access at any time. AlertEnterprise also automates manual tasks and drives these processes through a quality-driven application. AlertEnterprise helped the utility cut the costs and human capital needed to operate its complex IT solutions. The unified solution allows business as well as technical users to operate IT-related tasks. Fewer resources are needed to ensure compliance regulations are met and duties are completed across systems.
A bright future outlook
AlertEnterprise will allow the utility to continue its day-to-day processes and automatically enforce the policies in place to meet NERC CIP compliance and other regulatory requirements. The utility can also expect these features in the long term across IT, Physical and OT (Industrial Control/SCADA) systems:
- Automated user and access lifecycle management
- Automated user and role certifications
- Unified identity warehouse
- Comprehensive audit and reporting
- Automation of processes for security, compliance, internal audit and business enablement
To learn more about the GRC 20/20 2013 GRC Value Awards and other recipients, please visit this post: GRC 20/20 Announces 2013 GRC Value Award Recipients