Enabling Government Entities with Smarter Security
Norfolk County Council is the top tier governing body in Norfolk, England, providing services to approximately 900,000 residents under seven local district councils. The council employs 22,000 people across various departments including adult social care, children’s social care, procurement, customer services, community and environmental services, and others. Norfolk County Council (NCC), was the winner of the SC Awards Europe 2015 for its innovative approach to its identity governance program. The SC Award recognized Norfolk’s belief that a holistic view of identity governance is an important part of the modern organization.
As a government entity, Norfolk County Council is subject to government policies and legislation, and therefore needs to comply with certain security and audit standards in the UK. Security is a top priority.
In 2013, when they were going through a large IT transformation NCC reviewed the legacy form-based process for managing identities. The process was time-consuming for managers and lacked an audit trail. It was completely siloed from the HR system, which meant employee access to applications and data was not automatically instated for new employees or revoked upon termination. Temporary staff’s access to systems and data was not routinely monitored. which created a potential security risk. An end-to-end program automating provisioning, ensuring identity governance, and enabling self-service functionality was designed and implemented using SailPoint IdentityIQ. This enabled tracking the evolution of all employees from the start of their employment and the access they needed for their roles. Norfolk needed to ensure the right people accessed the right data, and in the unfortunate event of a breach, they needed visibility into the point of exposure.
SailPoint has now been a strategic vendor in their IT security portfolio since 2014, enabling NCC’s identity program. Norfolk County Council prioritized their program by implementing access for joiners and the de-provisioning of leavers first, through the integration with the HR systems. This was followed by automated, self-service password management. Over 700 orphaned accounts were terminated after implementing the SailPoint solution, mitigating the risk of a wrongful user gaining inappropriate access through these accounts. They have also started self-service provisioning of the procurement and finance systems.
Claire Evans, Norfolk County Council Project Manager, suggests others starting their identity program should set up quick wins. “This helps to quickly get the organization onboard for the changes that are going to affect employees day-to-day work,” Evans said. “The faster you show the value of the solution, the faster the users will adopt the tool.” The team also manages self-service email distribution list and shared mailbox subscriptions via SailPoint, which has allowed a greater percentage of the employees to feel the benefits of the program. Next on the roadmap is verification and provisioning of all employees for payroll so they can access pay stubs, via the Payroll system, from any device and not just from their office PC. Norfolk also plans to onboard additional apps and systems for more secure provisioning.
Norfolk has several different types of users with varying access rights, and all are required to complete mandatory Data Protection and Information Management training before access is granted to systems. Once training is complete, SailPoint is notified and provisions access for the user based on their role.
The Service Desk has felt the most impact with a reduction in calls and tickets, but with the controlled self-service model Norfolk has implemented, managers are also seeing a decline in manual work and chasing requests for access. Their employees are more productive from day one, and processes are now streamlined. “Employees have a much more efficient start when they begin their employment at the council, which has drastically improved quality of work for managers and their teams,” Evans said.
Another piece of advice Evans gave was identifying stakeholders across the business and at the right level. Evans and her team relied on these stakeholders to shed light on their team’s roles, responsibilities and the access to applications needed. “We regularly update the stakeholders on our identity program progress to keep communication across the business flowing so the team is aware of progress, and what we expect from them to help us deliver,” Evans said. “This keeps the organization up to date on the identity program, and gives the various teams a sense of investment in the overall success.”