Short Description:
There will be customers who are starting their IGA journey, or re-baselining their IGA journey. In both scenarios, it is a good idea to revisit your IGA KPIs and KRIs and re-align with their IGA objectives. This document talks about some of the measurable metrics which can be used to measure the KPIs before and after the IGA implementation. Saviynt provides ways to measure the technical KPIs using Control Center Analytics and other configuration options like outlier analysis, recommendations, Peer Analysis etc.
KRI is Key Risk Indicator which is an early warning for a potential threat. KPI is the Key Performance Indicator to measure the effectiveness of an IGA program.
Application Version
All versions
Detailed Best Practice
During the project implementation:
- Data Clean-up KPIs
- Users with no manager or other critical attributes (Department, Country, email etc. (KPI)
- Entitlements with missing metadata (KPI)
- Number of days for foundation Go Live (KPI)
- The foundation go live timeline should be less between 60 and 90 days.
- Application Integration Timelines (KPIs)
- How long it takes to integrate an application with IGA.
- Standardization of Integration Patterns (KPIs)
- Percentage of Applications that sticks to an approved application Integration pattern.
After the foundation go live:
- Access and approval Provisioning time (KPI)
- We can measure how fast the access requests are approved and how much time it took to provision the request after approval. Based on the numbers, we can tweak the approval process and the provisioning process by workflow improvements, automation, and instant provisioning.
- Adherence to Principle of Least Privilege (KRI)
- Define and measure the minimum access requirements per job role.
- Number of accounts in Active state for future hires (KRI)
- All accounts for future hires should be in disabled state.
- Access De-provisioning Time (KPI)
- If an event is identified to de-provision an access (termination, certification, change in birth-right attributes, how long it took to remove the access. If it exceeds the threshold, process improvements must be identified.
- Provisioning failures (KPI)
- Keep this number below a manageable threshold and introduce RCA and corrective actions for each type of failures.
- Access Certification adherence (KPI)
- Introduce User Manager certification with a smaller and manageable team to start with and introduce to the entire manager community. Provide communication before the certification (mailers, fliers, remind to delegate etc.) and after the launch. Send reminders and ensure access removal for actions not taken.
- Easiness of Access Certification (KPI)
- Number of accesses to be reviewed by a single manager. This number should be at a manageable level to avoid review fatigue.
- Entitlements with No Risk value (KRI)
- All entitlements should carry an appropriate risk value.
- High Risk entitlements with account assignments above a threshold (KRI)
- The number of accounts for each high-risk entitlements should be within a threshold.
- In Active accounts with high-risk entitlements (KRI)
- Number of roles relative to the total number of active users (KRI)
- Keep the number of roles less than a threshold value (20%)
- Number if Orphan accounts (KRI)
- Outliers with excessive access (KRI)
- Number of unassigned roles (KRI)
- Roles with many approvers (KRI)
Key Benefit (Quantitative/qualitative)
- Clear and measurable KPIs and KRIs
Reference documentation
https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter18-Control-Center/Managing-C...
