Research Article

Assessing Identity and Access Management Process Maturity: First Insights from the German Financial Sector


ABSTRACT

We develop an Identity and Access Management (IAM) process maturity model and provide a first assessment of four organizations in Germany’s financial industry. We find that the assessed organizations show only average IAM maturity levels and lack maturity and compliance particularly in user registration and in logging and tracking. Information technology (IT) managers, consultants, and auditors can use the model to self-audit, compare, or benchmark IAM process maturity, or to identify weaknesses in organizations’ IAM processes.

Acknowledgments

We thank the senior editor, two reviewers, as well as the reviewers and attendees of the ‘IT-Sicherheit für Kritische Infrastrukturen’ [IT Security for Critical Infrastructures] track of the Multikonferenz Wirtschaftsinformatik [Multi-conference on Business Information Systems] 2016 in Ilmenau, Germany for their very helpful comments and feedback.

Disclosure Statement

At the time the research was conducted, the first and third authors were employed by the auditing service firm that initiated the research project, provided access to the case materials, and may use the developed maturity model as an assessment framework in its auditing practice. The second author, the university representative, had no access to the case data, to ensure client anonymity and auditing process compliance.

Supplementary material

Supplemental data for this article can be accessed on the publisher’s website.

Notes

1. IDW stands for “Institut der Wirtschaftsprüfer”, the German Institute of Public Auditors. AuS is the abbreviation for Auditing Standard. AuS 330 is documented in (IDW, 2013).

2. The first and third authors were accounting firm employees at the time the research was conducted. The second author, the university representative, had no access to the actual analysis and the underlying audit data, to ensure client anonymity and auditing process compliance.

Additional information

Notes on contributors

Andre Schrimpf

Andre Schrimpf holds a master’s degree in information systems from the University of Duisburg-Essen, Germany, and is a Certified Information Systems Auditor (CISA). His working experience comprises auditing of information systems and IT general controls in the financial sector as part of the annual audit, special audits such as ISAE 3402 engagements, and consulting services on compliance with regulatory requirements for information systems.

Andreas Drechsler

Andreas Drechsler is a Senior Lecturer in Information Systems at Victoria University of Wellington, New Zealand. He holds a doctorate in information systems from the University of Duisburg-Essen, Germany, and has also been a visiting scholar at the University of South Florida in the United States. His research interests comprise IS/IT and information security management, agility in projects and organizations, and enterprise architecture. His work has been published in the International Journal of Project Management, Communications of the Association for Information Systems, Information Systems and E-Business Management, and other journals, as well as at numerous conferences.

Konstantinos Dagianis

Konstantinos Dagianis has been working for PricewaterhouseCoopers as a risk assurance director in financial services in Düsseldorf, Germany, and Los Angeles, USA, and has led a number of IT audit, IT consulting, and digitalization projects in the financial services sector. His skills cover the digitalization of business processes, cyber-security, blockchain, information security management, IT compliance, external and internal audit, and data management. Konstantinos is a business information systems graduate, a Certified Information Systems Auditor (CISA), and a Certified Information Security Manager (CISM).
