One security implementer shares his single sign-on best practices

* SSO best practices from Christopher Paidhrin, HIPAA & IT security officer for ACS Healthcare Solutions

At the recent SSO Summit I moderated a panel of single sign-on implementers. One of them, Christopher Paidhrin, HIPAA & IT security officer for ACS Healthcare Solutions, was kind enough to let me share with you his "best practices" list, which he calls "To Do & Not To Do: SSO implementation lessons learned."

On the "To Do" side, Paidhrin stresses the “four Ps”:

Prepare:

1) Conduct a risk assessment as part of building the business case.

2) Understand your IT environment, architecture, platforms and workforce culture.

3) Set expectations, from the CXO to line staff, about what the changes will mean and what constitutes “success” in the project.

4) Get “buy in” and a budget, otherwise your best efforts will be fruitless.

Plan:

Develop a solid project with all appropriate documentation:

a. Charter Document (definition).

b. Scope Document (business case objectives).

c. Change Control Document(s) (budget and authority sign-offs).

d. Communication Plan (keep everyone current and connected).

e. Risk Plan (essential for all organization-wide projects).

Partner:

1) Perform "true" due diligence in selecting a "partner."

2) Partner shall assist in development of a plan for success.

3) Require service-level agreements (SLA), if appropriate.

4) Collect real-world data from previous and current partner customers.

Proselytize: (unfortunately, "communication" does not start with a P!)

1) Acquire a CXO champion - in addition to the CIO.

2) Develop “buy-in” from trusted managers and key workforce members.

3) Demonstrate the “ease,” “power” and “beauty” of SSO.

On the “Not To Do” side, Paidhrin has only one point: “do NOT ignore doing any of the four To Dos.”

On the second “P,” the Project Plan, Paidhrin offers a few more details:

“Develop a solid project with all appropriate documentation:

Initiating Phase

a. Charter Document (definition).

b. Scope Document (business case objectives).

c. Change Control Document(s) (budget and authority sign-offs).

Planning Phase

d. Communication Plan.

e. Risk Plan.

f. Scope Change Plan (impact assessment, workflow changes, etc.).

g. Quality Plan (standards, validation, metrics, etc.).

h. Issue Plan.

i. Procurement / Cost / Schedule Plans.

j. Governance Plan.

Executing Phase

k. Operational Impact.

l. Policy & Procedures.

m. Build & Conversion specifications.

n. Training Plan.

o. Testing Plan.

p. Activation and Support Turnover Plan.

Controlling Phase

q. Project meetings.

r. Issues tracking.

s. Status reports.

t. Project audit review.

u. Budget tracking.

v. Project work plan (actual project documentation).

Closing Phase

w. Project team closure.

x. Organizational closure.

y. Project archives.”

So there you have it, a blueprint for a successful SSO project from start-up to rollout. Of course you’ll need to adapt it to your environment, but it should go a long way to getting you prepared.

By the way, it looks like I’ll be recreating the SSO panel at the upcoming Digital ID World conference, Sept. 8-10 in Anaheim, Calif., and Paidhrin is likely to be participating again. So come on out and bring any questions you might have.

Copyright © 2008 IDG Communications, Inc.
