SAFE Physical Identity & Access Management (PIAM) Scoping Workshop Guide 2012 v1

Table of Contents

1 INTRODUCTION
  1.1 WORKSHOP OBJECTIVES
  1.3 POTENTIAL WORKSHOP PARTICIPANTS
  1.4 PREPARATION & LOGISTICS
  1.5 WORKSHOP OUTPUTS
  1.6 CONFIDENTIALITY
2 TYPICAL SCOPING WORKSHOP AGENDA
APPENDIX: MUTUAL NON-DISCLOSURE AGREEMENT

Quantum Secure Confidential Scoping Workshop Guide Page 2 of 9

1 Introduction

The Quantum Secure SAFE solution suite is a comprehensive, enterprise-level suite of physical security automation, compliance, and operational tools that can be shaped to meet a customer's exact needs through its modular structure and configurability. Determining the right approach to meeting full strategic objectives may require consultative discussions with key stakeholders within the business areas affected to understand priorities, benefits, and implications of implementing the SAFE suite both technically and functionally. This document defines the typical participants, agenda, and outputs for this type of workshop.

1.1 Workshop Objectives

- Inform all potential stakeholders of the potential capabilities and benefits of the solution for their respective areas of responsibility. These may not be security-related people, for example: Compliance, Legal, IT, HR, Health & Safety, Facilities Management, Contracted Third-parties, etc.
- Identify clear goals / metrics and ROI to support customer business case justification
- Assist the customer to develop strategic goals using SAFE and build a roadmap of appropriate steps and phases to align with business, commercial, and technical constraints
- Help the customer sponsor(s) identify any responsibilities and required activities within a typical implementation to help determine the right project team, level of effort, and required coordination
- Apply Quantum Secure’s general security and industry experience to identify best practices and additional benefits or applications of the SAFE solution in the customer’s environment
- Answer all customer questions about Quantum Secure Products & Technologies, Professional Services and Customer Support capabilities and practices

1.3 Potential Workshop Participants

To fully evaluate the comprehensive value proposition the SAFE solution may provide your business, it frequently makes sense to invite stakeholders from inter-dependent business organizations to participate in all or part of the planned workshop. The table below describes the typical business functions from which it may be appropriate to request representation, as they may all find benefits in the SAFE solution as well as play a role during implementation. There may be others appropriate to your business not listed here:

Potential Workshop Participants

| Organization | Description |
|---|---|
| Security Strategy (Sponsor) | Individuals / Organization responsible for setting overall customer security program and policies; Typically project sponsor |
| Security Operations | Individuals / Organization responsible for manning operational aspects of meeting security policies for guarding, access control, etc.; May be third-party organization |
| Compliance, Audit, & Legal (risk management) | Individuals / Organization responsible for ensuring business critical security practices are interpreted and followed adequately to mitigate business financial, security, and reputational risks; Represent industry and governmental regulations |
| Secure Area Stakeholders | Individuals / Organization responsible for monitoring access privileges granted to “high security” areas of business critical importance; May be approvers for access requests to these areas; May manage liability |
| Human Resources | Individuals / Organization responsible for managing ‘trusted’ identities and the processes around their relationship to the business |
| Contracts Managers | Individuals / Organization responsible for managing relationship with contracted personnel providers (Companies); Manage global contract relationship, not identities |
| Badge Production & Operations | Individuals / Organization responsible for producing electronic and non-electronic badges or credentials used to gain physical access to any facilities under the customer's security remit |
| Visitor Management Operations | Individuals / Organization responsible for producing electronic and non-electronic visitor badges or credentials used to manage ‘un-trusted’ identities requiring escorted physical access to any facilities under the customer's security remit |
| Facilities Management | Individuals / Organization responsible for managing all administrative aspects of buildings; Contracts with cleaners and infrastructure personnel |
| Real Estate / Building Planning | Individuals / Organization responsible for planning real estate usage and needs for large organizations |
| Information Technology | Individuals / Organization responsible for network and data centers where SAFE application may be installed and run; May be considered for system and / or application maintenance |
| Keys Management Operations | Individuals / Organization responsible for managing issuance of metal keys to individuals requiring physical access to areas controlled by traditional or “cyber” locks, etc. |
| Physical Access Control System Administrators | Individuals / Organization responsible for planning, configuring, and maintaining all physical access control systems (PACS) used in customer business globally |
| Project / Program Management | Individuals / Organization responsible for coordinating and managing customer projects |

1.4 Preparation & Logistics

The following items should be considered and prepared in order to have an effective workshop:

- Customer team and Quantum Secure should be briefed on expected outcomes of workshop and next steps, responsibilities, etc.
- This type of workshop is always more effective if performed face to face, but dial-in participants are possible, and plans for their participation should focus on their areas of interest during a pre-agreed time
- It is helpful if each business area represented pre-prepares a short list of agenda items or areas of interest (pain points) to schedule their participation and guide the discussions to meet their expectations; A planned schedule of participation needs to be coordinated to ensure people’s time is used effectively
- Quantum Secure will prepare presentations and information gathering tools to ensure all information is conveyed and captured effectively, but the customer is encouraged to assist by providing similar materials for conveying current systems, processes, etc. These may include at least the following:
  - Explanation of and sample access to relevant systems (PACS, other related systems (screenshots))
  - All related paper forms, process descriptions and policy documentation
  - Relevant identity attributes from HR, badging, vetting, etc. used
  - All badge type examples – visitors, contractors, employees, different technologies, etc.
- A projector with large screen to display examples of customer systems as well as present Quantum Secure slides and demos
- Any non-disclosure agreements (NDAs) required should be in place to protect business confidentiality
- Customer internal network access for customer employees as well as guest internet access (if possible)

1.5 Workshop Outputs

Depending on the specific customer situation, a few different deliverables may be produced as output of the workshop. The following are examples of typical outputs, and it should be agreed at the beginning of the workshop exercise which are appropriate:

- Indicative Pricing – A non-binding quotation estimating software license, service, and support/maintenance prices for customer use to support budget planning, business justification, project phasing scenarios, commercial scenarios, etc.
- Business Case Justification – Quantum Secure standard deliverable providing agreed business benefit descriptions including metrics gathered to quantify projected ROI
- Statement of Work – Quantum Secure standard deliverable stating the agreed scope, license requirements, initial professional services time estimates and schedule.
- Formal Quotation – A binding quotation of software license, service, and support/maintenance prices valid for 60 calendar days associated with an accompanying Statement of Work

1.6 Confidentiality

Due to the nature of security procedures and systems discussed, Quantum Secure considers confidentiality critical and ensures that no information of any type is shared outside of your organization. All notes and deliverables are shared only with your appointed sponsors, and we recommend having mutual non-disclosure agreements in place. The Quantum Secure MNDA is attached in this document's appendix and can be printed and used if you do not wish to provide your own.
In addition, if vetting of any participating Quantum Secure personnel is required, we are happy to submit information to meet your requirements. Please coordinate with your Quantum Secure Regional Sales Executive or Reseller.

2 Typical Scoping Workshop Agenda

A typical workshop could be from one to three days depending on scheduling of participants, complexity, required outputs, etc. The table below provides an example of typical workshop content and order of priority. Suggested attendees, duration, and order can all be adjusted if required (suggest a planning call with key stakeholders to agree final agenda):

Scoping Workshop Agenda (1/2 to 1 Day Example)

| Section | Activities | Attendees | Duration |
|---|---|---|---|
| Introductions | Round table introductions, reconfirmation of goals, scope of discussions, and outputs; Review Agenda | Security Strategy; Security Operations; Project Management | 15 mins. |
| SAFE Overview | SAFE Physical Identity & Access Management solutions and concepts overview; Discuss customer strategic goals | HR; Security Strategy; Security Operations; Contracts Mgmt.; Visitor Operations | 30 mins. |
| Functional / Operational | | | |
| “As-Is” Identity Management Analysis | Agree terminology used around IDs and categories; Identify priorities for improvement, pain points; Identify relevant authoritative systems; Identify relevant reference systems | HR; Security Strategy; Security Operations; Contracts Mgmt.; Visitor Operations | 1 hr. |
| Metric Gathering | Gather relevant metrics about operational organization and staff counts; Identify areas for automation; Review current audit, reporting, compliance processes | HR; Security Strategy; Security Operations; Contracts Mgmt.; Visitor Operations | 30 mins. |
| Detailed Process Mapping | Map as-is processes to SAFE capabilities for automation; Create ID Matrix – on/off board & change; Identify relevant, applicable SAFE modules | HR; Security Strategy; Security Operations; Badge operations; Contracts Mgmt.; Visitor Operations | 45 mins. – 3 hours |
| Questions | | | 15 mins. |
| Technology | | | |
| SAFE Infrastructure / Admin | Quantum Secure presents server infrastructure options - SW/HW; High-availability Options; Scalability; Supported equipment and peripherals; Discuss maintenance and support terms | IT; Security Operations | 45 mins. |
| Integrations | Assess each system integration proposed | HR; Contracts; IT | 15 mins. |
| PACS Review | Diagram PACS infrastructure; Discuss strategic plans for PACS, biometrics, cards, etc. | Physical Access Control System Administrators; Security Operations; Security Strategy | 15 mins. |
| Questions | | | 15 mins. |
| Project Planning | | | |
| Deployment Methodology | Present Quantum Secure deployment methodology phases and deliverables | Project Management; Security Strategy; Security Operations | 15 mins. |
| Commercials | Review modules and software pricing methods (no pricing); Discuss implementation team structure and responsibilities | Project Management; Security Strategy; Security Operations | 30 mins. |
| Approach / Phasing | Identify key dependencies; Agree procurement methods for HW or peripherals needed; Propose phasing options based on priorities, technical constraints, etc.; Roll-out planning, training, etc. | Project Management; Security Strategy; Security Operations | 30 mins. |
| Q&A | Questions and answers applied to each section above | | 15 mins. each |
| Questions | | | 15 mins. |

Appendix: Mutual Non-Disclosure Agreement

Please detach and use this Quantum Secure MNDA or provide your own:

------------------------------------------------------End of Document------------------------------------------------------