INTEGRATED IDENTITY MANAGEMENT (IIM) ESR INTERFACE TO UIM: DEPLOYMENT ASSESSMENT
Approvals: Paul Spooner ESR Programme Director (Acting) David Booth Interface Team Manager
Author: Date: Document Ref: Version:
Date: Date:
Chris Price 14 July 2011 ESR-RPP0010: ESR Interface to UIM: Deployment Assessment v 1.1
1. Contents 1. Contents.................................................................................................................................... 2 2. Introduction.............................................................................................................................. 3 3. Deployment Assessment Process..........................................................................................3 4. ESR Interface to UIM: Deployment Assessment â&#x20AC;&#x201C; Assessment for <insert trust name>. . .4 5. Possible Assessment Outcomes and Next Steps..................................................................8
tmpst2h5C
Page 2 of 9
2. Introduction
This document is the ESR Interface to UIM: Deployment Assessment and is relevant to organisations that have activated the ESR interface to UIM as part of a strategic approach to Integrated Identity Management (IIM). The assessment should be completed locally by organisations and used as a Quality Control checkpoint to confirm the completion of the Integrated Identity Management implementation and specifically that of the deployment of the ESR interface to UIM. Successful completion of the assessment will ensure that the interface functionality is being fully utilised to maximise benefit realisation and also identify areas where further support and guidance may be required. The details of organisations that have successfully completed the Deployment Assessment will be published on the ESR IIM Web page. The activities being measured within the assessment were selected because of their critical nature in completing the deployment of the ESR interface to UIM. The purpose of the assessment is to ensure that your organisation has successfully completed the deployment of the ESR interface to UIM.
3. Deployment Assessment Process
The following section outlines the specific process for completing the Deployment Assessment. •
The ESR RPP Regional Project Manager is responsible for organising a meeting with your organisation to go through the assessment criteria.
•
The meeting will require specific evidence to verify the completion of the stated criteria. It is the responsibility of the organisation to deliver this.
•
If necessary the organisation, with advice from the ESR RPP Regional Project Manager, and where necessary the Central Teams, will produce a corrective action plan for any specific criteria that is incomplete.
•
If the assessment confirms that the Deployment Assessment is complete then the organisation has completed the deployment of the ESR interface to UIM. The checkpoint assessment should then be signed by the IIM Executive Sponsor and returned to the ESR RPP Regional Project Manager.
•
If the assessment confirms that any of the criteria is incomplete then the escalation procedure, described in Section 5 will be activated.
•
The details of organisations that have successfully completed the Deployment Assessment will be published on the ESR IIM Web page.
tmpst2h5C
Page 3 of 9
4.
ESR Interface to UIM: Deployment Assessment – Assessment for <insert trust name>
Either embed evidence in this document or use the Deployment Assessment Spreadsheet provided below. Interface Deployment Assessment v0.3.xls
ESR Interface to UIM Deployment Assessment – Criteria and Evidence Required Actions IIM Strategic Decision
HR, RA Process review and integration
Mandatory / Recommended Mandatory
Mandatory
Assessment Criteria Strategic decision communicated by the IIM Executive Sponsor and has the Trust Board Support. Further details available via the strategic decision toolkit. Review and revise process and procedure
Yes / No Yes / No
Yes / No
ESR Interface to UIM Business Process Scenarios document.
HR, RA processes integrated.
Yes / No
Further details available via the HR/RA integration toolkit.
Position Based Access Control (PBAC)
Mandatory
Position Based Access Control – Definition of NHS CRS Access Control Positions. Further details available via the PBAC toolkit.
tmpst2h5C
Confirmation from Trust Board or Executive with responsibility for HR or IG of decision. Letter / email provided to the ESR RPP Regional Project Manager. Note: This activity should have been completed prior to activation.
Further details available via the ESR -RPP0009
Recommended
Example / Evidence
Yes / No
Using the Business Process Pack and experience of using the interface functionality, review all local process and procedures impacted by the introduction of the ESR interface to UIM. Produce revised local processes (flowcharts) and procedures (documented procedure) as evidence. This should include agreed processes for new starters, completing identity checks, changes to person details, changes to positions/position linking etc. Processes integrated between HR and RA as evidenced by single point of identity checks, time for granting and revocation of access to NHS CRS for starters and leavers is ideally within 1 day and confirmed by the Information Governance Executive or Caldicott Guardian. NHS CRS Access Control positions have been defined and applicable to all areas of the organisation where NHS CRS applications are in use. Signed off mapping table based on a list of all ESR positions with maps to equivalent NHS CRS Access Control Positions. Signoff must be by an Executive with responsibility for information governance. Formal letter / email / board minutes required.
Page 4 of 9
ESR Interface to UIM Deployment Assessment â&#x20AC;&#x201C; Criteria and Evidence Required Actions
Mandatory / Recommended Mandatory
Assessment Criteria Processes in place for definition and approval of future ESR Positions and NHS CRS Access Control Positions.
Yes / No Yes / No
Further details available via the PBAC toolkit.
Example / Evidence New ESR positions may require NHS CRS access and consequently a map/link to an NHS CRS Access Control Position. Conversely, when new NHS CRS Access Control Positions are defined these will need to be mapped and linked to ESR positions as appropriate. Processes need to be in place to ensure these considerations are taken into account when new ESR positions/NHS CRS Access Control Positions are defined. The mappings of new ESR positions to NHS CRS Access Control Positions will need to be approved as deemed appropriate by each organisation.
ESR Interface Deployment
Mandatory
Processes in place for the review of NHS CRS supplementary roles defined in ESR. The ESR NHS CRS Sponsor supplementary role has been reviewed following interface activation and additional sponsors defined and added to the workstructure hierarchy where appropriate.
Yes / No
Produce revised local processes (flowcharts) and procedures (documented procedure) as evidence. Confirmation from the IIM Project Lead that the NHS CRS Sponsor/NHS CRS RA Agent supplementary roles assigned in ESR have been reviewed and are fit for purpose. Evidence of processes in place to review the NHS CRS Sponsor/ NHS CRS RA Agent supplementary roles periodically.
The ESR NHS CRS RA Agent supplementary role has been reviewed following interface activation and additional RA Agents defined where appropriate. Further details available via the ESR-RPP0007
ESR set-up preactivation quick reference guide.
tmpst2h5C
Page 5 of 9
ESR Interface to UIM Deployment Assessment â&#x20AC;&#x201C; Criteria and Evidence Required Actions
Mandatory / Recommended Mandatory
Assessment Criteria The ESR NHS CRS notification roles (below) have been reviewed following interface activation and amendments made where required.
Yes / No Yes / No
Example / Evidence Confirmation from the IIM Project Lead that the NHS CRS notification roles assigned in ESR have been reviewed and are fit for purpose. Evidence of processes in place to review the NHS CRS notification roles periodically.
NHS CRS RA Agents NHS CRS Add Employee Errors NHS CRS Add Applicant Errors
Further details available via the ESR-RPP0007
ESR set-up preactivation quick reference guide. Mandatory
The ODS/NACS code in ESR has been reviewed following interface activation and accurately reflects organisation structure.
Yes / No
Evidence of processes in place to review periodically.
Further details available via the ESR-RPP0007
Note: Any amendments to the ODS code in ESR should be discussed with the ESR RPP Regional Project Manager before being updated in ESR.
ESR set-up preactivation quick reference guide. Mandatory
The Worklist(s) defined in ESR has been reviewed following interface activation and additional Worklists have been added to the workstructure hierarchy where appropriate.
Confirmation from the IIM Project Lead that the ODS/NACS code assigned in ESR is accurate.
Yes / No
Confirmation from the IIM Project Lead that the Worklist(s) assigned to the ESR hierarchy have been reviewed and are fit for purpose. Evidence of processes in place to review periodically.
Further details available via the ESR-RPP0007
ESR set-up preactivation quick reference guide.
tmpst2h5C
Page 6 of 9
ESR Interface to UIM Deployment Assessment – Criteria and Evidence Required Actions
Mandatory / Recommended Mandatory
Assessment Criteria Ensure the allocation of the following ESR RA URPs (User Responsibility Profiles) has been reviewed following interface activation and are only assigned to RA Agents.
Yes / No Yes / No
Example / Evidence User report from ESR listing appropriate users and their user profiles. Confirmation from the IIM Project Lead that only RA Agents have access to the RA URPs. Evidence of processes in place to review periodically.
xxx HR Data Entry (With RA) xxx HR Administration (With RA) xxx RA Workbench xxx NHS Recruitment & Applicant Enrolment Administration Navigator (With RA)
Further details available via the ESR-RPP0007
ESR set-up preactivation quick reference guide. Mandatory
The linking of ESR Positions to NHS CRS Access Control Positions is complete.
Yes / No
Further details available via the ESR-RPP0008
ESR set-up post activation quick reference guide.
Recommended
Training strategy defined
Yes / No
The linking of ESR positions to NHS CRS Access Control Positions is complete for all employees within the scope of the implementation. Confirmation from the IIM Project Lead that deployment is complete. This should reference the number of staff members managed via the interface and an explanation provided for employees requiring access to NHS CRS but considered outside the scope of the implementation. Based on the training options / materials available produce a strategy for how all existing and new ESR users will be trained in the new interface functionality. A documented training strategy will be required as evidence.
The above assessments are complete and accurate, and have been evidenced as described above. Signed ………………………Executive Sponsor
Date ………………….
Signed ………………………ESR RPP Regional Project Manager Date ………………….
tmpst2h5C
Page 7 of 9
5. Possible Assessment Outcomes and Next Steps The possible outcomes from the checklist will be one of: •
Scenario 1: The Deployment Assessment confirms the completion of all mandatory and recommended criteria.
•
Scenario 2: The Deployment Assessment confirms the completion of all mandatory criteria but some or all of the recommended criteria is incomplete.
•
Scenario 3: The Deployment Assessment confirms that some or all of the mandatory criteria and some or all of the recommended criteria is incomplete.
The table below shows the three scenarios and the actions to take when the Deployment Completion Assessment has been completed. Scenario 1
2
tmpst2h5C
Mandatory Complete
Complete
Recommended Complete
Not Complete
Action • Organisation’s Project Manager / Lead delivers report to the Project Board (may also be attended by the ESR RPP Regional Project Manager). •
Subject to Project Board ratification the organisation has completed the deployment of the ESR interface to UIM.
•
The Checkpoint Assessment (Word document) should be signed by the organisation’s IIM Executive Sponsor and returned to the ESR RPP Regional Project Manager.
•
Organisation’s Project Manager / Lead delivers report to the Project Board (may also be attended by the ESR RPP Regional Project Manager).
•
Organisation’s Project Manager / Lead identifies and informs the Project Board on possible quality impact of incomplete recommended criteria.
•
Organisation’s Project Manager / Lead advises the Project Board on remedial actions to rectify incomplete recommended criteria.
•
Organisation’s Project Board agrees to undertake remedial actions.
•
Subject to Project Board ratification the organisation has completed the deployment of the ESR interface to UIM with agreed actions and timeframes in place to complete outstanding activities.
•
The Checkpoint Assessment (Word document) should be signed by the organisation’s IIM Executive Sponsor and returned to the ESR RPP Regional Project Manager. Page 8 of 9
Scenario
Mandatory
3
Not Complete
tmpst2h5C
Recommende d Not Complete
Action •
Organisation’s Project Manager / lead delivers report to the Project Board (may also be attended by the ESR RPP Regional Project Manager).
•
Organisation’s Project Board understands reasons for failing to complete the assessment.
•
Organisation’s Project Board agrees and commits to corrective actions within timeframes agreed with the ESR RPP Regional Project Manager.
•
Organisation’s Project Board and ESR RPP Regional Project Manager agree timeframes for completing the assessment and resubmitting to the Project Board.
Page 9 of 9