Sallie Mae Reduces Compliance Pressure with Identity Governance

Background: SLM Corporation (NYSE: SLM), commonly known as Sallie Mae, is the nation’s leading provider of saving- and paying-for-college programs offering debt management services as well as business and technical products to a range of business clients, including higher education institutions, student loan guarantors and state and federal agencies. It manages $180 billion in education loans serving 10 million student and parent customers. Through its Upromise affiliates, it manages more than $17.5 billion in 529 college-savings plans, and is a major, private source of college funding contributions in America with 10 million members and more than $475 million in member rewards.

Challenges: As a public company handling sensitive financial data, Sallie Mae must comply with several regulations, including SOX and PCI; the company also conducts SAS 70 audits. Additionally, because the company provides contractual services to the Federal Government, Sallie Mae must comply with FISMA. The regulatory requirements for FISMA add a significant burden to Sallie Mae’s other compliance obligations, including 3,700 controls that the company must audit on a regular basis.

FISMA compliance created a pressing burden on Sallie Mae’s IT organization. In addition to being costly and time-consuming, the manual processes used to verify and audit controls were prone to error due to the sheer volume of identity data involved. The company had two people whose job it was to compile the access privileges of thousands of employees into spreadsheets and route them to business managers for review. Some business managers were being asked to review and validate access data in spreadsheets with more than 3,000 entries.

Before beginning the identity governance project, Sallie Mae spent millions of dollars to collect evidence of compliance for FISMA – clearly this approach was not sustainable in the long term.

Sallie Mae’s goals were to better address the strenuous FISMA compliance requirements and, at the same time, address all other regulatory requirements (SOX, SAS 70, PCI, etc.) via a common approach. A second primary goal was to reduce the high costs associated with IT compliance. Sallie Mae was spending a lot of money on one-off compliance scenarios; identity management was a piece of compliance in every case, and automating those processes would deliver immediate cost savings, among other benefits. The third goal of the project was to enhance Sallie Mae’s data protection processes and enable the company to manage operational risk more proactively.


Solution provided by SailPoint: To streamline its identity governance processes, Sallie Mae initiated an automated identity governance project in December 2009 using the SailPoint IdentityIQ solution. The project was designed to:

• Automate the access certification process and simplify the reports that business managers were being asked to review and validate;
• Create a centrally defined role-based access control process that standardized the access privileges associated with each particular job function; and
• Better assess the risk associated with user access rights in order to identify and monitor high-risk user populations.

The project team wanted to make an immediate impact, but also needed to roll out the identity governance implementation strategically, in a phased approach. They decided to begin with the company’s 2,600 employees who service loans. From an IT perspective, this user group was considered a “high-risk population” based on its level of access privileges to very sensitive data and applications. Strategically, automating the access certification processes for this group would immediately eliminate a portion of the funds being spent on FISMA compliance, which would help secure funding for the rest of the project. During the second half of the project, the team would focus on Sallie Mae’s 300 FISMA, SOX, SAS 70 and PCI compliance-relevant applications, covering 9,000 employees and another 2,000 contractors and third parties.

In the first month of the project, Sallie Mae aggregated and correlated identity data across 9 applications with 3,400 users and conducted baseline access certifications – eliminating orphaned accounts, revoking access privileges that were no longer needed and certifying that all remaining privileges were appropriate. By the end of month 6, Sallie Mae had automated quarterly access certifications for 52 applications and eliminated the need for the time-consuming spreadsheets and the cumbersome process of manual review.
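The baseline certification described above (aggregate account data from each application, correlate it to an authoritative identity source, flag orphaned accounts and out-of-role entitlements, then route the remaining items to the responsible business manager for attestation) can be illustrated with a small script. This is an added example, not SailPoint or Sallie Mae code; the HR feed, application account exports, role model, high-risk entitlement list and risk weights are all constructed and hypothetical.

```python
"""Identity aggregation, correlation and baseline access certification.

Added example; not SailPoint IdentityIQ code. All data below is constructed.
"""
from collections import defaultdict

# Constructed HR feed: the authoritative source of identities.
HR_IDENTITIES = [
    {"employee_id": "E100", "name": "Ada", "manager": "M1", "job": "loan_servicer", "status": "active"},
    {"employee_id": "E101", "name": "Bob", "manager": "M1", "job": "loan_servicer", "status": "active"},
    {"employee_id": "E102", "name": "Cy",  "manager": "M2", "job": "collections",   "status": "terminated"},
]

# Constructed per-application account exports (the aggregation step's input).
APP_ACCOUNTS = {
    "loan_servicing": [
        {"login": "ada.l", "employee_id": "E100", "entitlements": ["view_account", "modify_payment"]},
        {"login": "bob.k", "employee_id": "E101", "entitlements": ["view_account", "modify_payment", "write_off"]},
        {"login": "cy.z", "employee_id": "E102", "entitlements": ["view_account"]},   # owner terminated
        {"login": "svc_batch", "employee_id": None, "entitlements": ["write_off"]},   # no owner at all
    ],
    "payments": [
        {"login": "ada.l", "employee_id": "E100", "entitlements": ["initiate_ach"]},
        {"login": "bob.k", "employee_id": "E101", "entitlements": ["initiate_ach", "approve_ach"]},
    ],
}

# Constructed role model: entitlements each job function is expected to hold
# (the centrally defined, standardised RBAC step).
ROLE_MODEL = {
    "loan_servicer": {"loan_servicing": {"view_account", "modify_payment"}, "payments": {"initiate_ach"}},
    "collections": {"loan_servicing": {"view_account"}},
}

# Constructed list of entitlements treated as high risk, and hypothetical scoring weights.
HIGH_RISK = {("loan_servicing", "write_off"), ("payments", "approve_ach")}
RISK_WEIGHTS = {"high_risk": 2, "out_of_role": 1}


def correlate_accounts(hr_identities, app_accounts):
    """Link every application account to an active HR identity.

    Returns (by_identity, orphans): by_identity maps employee_id -> app -> set of
    entitlements; orphans lists accounts with no active owner (terminated user or
    no employee_id), which the certification treats as candidates for removal.
    """
    active = {i["employee_id"] for i in hr_identities if i["status"] == "active"}
    by_identity = defaultdict(lambda: defaultdict(set))
    orphans = []
    for app, accounts in app_accounts.items():
        for acct in accounts:
            emp = acct["employee_id"]
            if emp in active:
                by_identity[emp][app].update(acct["entitlements"])
            else:
                orphans.append({"app": app, "login": acct["login"], "employee_id": emp})
    return by_identity, orphans


def baseline_certification(hr_identities=HR_IDENTITIES, app_accounts=APP_ACCOUNTS, role_model=ROLE_MODEL):
    """Build per-manager certification lists plus a per-identity risk score."""
    by_identity, orphans = correlate_accounts(hr_identities, app_accounts)
    hr = {i["employee_id"]: i for i in hr_identities}
    by_manager = defaultdict(list)
    risk = {}
    for emp, apps in by_identity.items():
        ident = hr[emp]
        expected = role_model.get(ident["job"], {})
        score = 0
        for app, ents in apps.items():
            for ent in sorted(ents):
                in_role = ent in expected.get(app, set())
                high = (app, ent) in HIGH_RISK
                # Out-of-role and high-risk entitlements are flagged for the
                # manager's attention, not revoked automatically: the business
                # manager decides whether the access is still needed.
                score += RISK_WEIGHTS["high_risk"] * high + RISK_WEIGHTS["out_of_role"] * (not in_role)
                by_manager[ident["manager"]].append({
                    "employee_id": emp, "name": ident["name"], "app": app,
                    "entitlement": ent, "in_role": in_role, "high_risk": high,
                })
        risk[emp] = score
    return {"orphans": orphans, "certifications": dict(by_manager), "risk": risk}


def high_risk_users(result, threshold=3):
    """Identities whose risk score meets the threshold: the population to monitor."""
    return sorted(e for e, s in result["risk"].items() if s >= threshold)


if __name__ == "__main__":
    result = baseline_certification()
    print("Orphaned accounts:", [o["login"] for o in result["orphans"]])
    for manager, items in result["certifications"].items():
        flagged = sum(1 for i in items if not i["in_role"] or i["high_risk"])
        print(f"Manager {manager}: {len(items)} items to certify, {flagged} flagged")
    print("High-risk users:", high_risk_users(result))
```

The script replaces the spreadsheet with a structured list per manager in which each row already carries the context the text says business managers need (is the entitlement part of the standard role, and is it high risk), while the orphan list and risk scores give IT the items it can act on directly.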

Summary: SailPoint has worked with numerous Fortune 500 companies on identity governance and compliance projects, and Sallie Mae stands out as unique for two reasons. First, many companies deal with compliance in an ad-hoc, reactive manner because industry regulations are onerous and time-consuming. While still needing to maintain its compliant posture, Sallie Mae was able to take a step back, evaluate its needs and implement a well-thought-out strategy that approaches compliance proactively, with sustainability in mind. The company was able to deploy its identity governance solution from SailPoint in a matter of months, and immediately realized significant cost savings over its previous manual approach.

Second, Sallie Mae’s IT organization recognized that identity management processes are business processes, and approached the project from that business perspective. This led to an unparalleled level of involvement and collaboration with the business managers who are responsible for conducting the quarterly access certifications. IT organizations can put IT controls in place over user access privileges and provide business managers with the context needed during certification cycles, but the business managers are the ones who can best verify that a specific employee or job function requires specific access. Sallie Mae has addressed both sides of the identity governance equation, which is not an easy task – especially given the short timeframe in which the project was conducted.
