Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
At the recent SSO Summit I moderated a panel of single sign-on implementers. One of them, Christopher Paidhrin, HIPAA & IT security officer for ACS Healthcare Solutions, was kind enough to let me share with you his "best practices" list, which he calls "To Do & Not To Do: SSO implementation lessons learned."
On the "To Do" side, Paidhrin stresses the “four Ps”:
Prepare:
1) Conduct a risk assessment as part of building the business case.
2) Understand your IT environment, architecture, platforms and workforce culture.
3) Set expectations, from the CXO to line staff, about what the changes will mean and what constitutes “success” in the project.
4) Get “buy in” and a budget, otherwise your best efforts will be fruitless.
Plan:
Develop a solid project with all appropriate documentation:
a. Charter Document (definition).
b. Scope Document (business case objectives).
c. Change Control Document(s) (budget and authority sign-offs).
d. Communication Plan (keep everyone current and connected).
e. Risk Plan (essential for all organization-wide projects).
Partner:
1) Perform "true" due diligence in selecting a "partner."
2) Partner shall assist in development of a plan for success.
3) Require service-level agreements (SLA), if appropriate.
4) Collect real-world data from previous and current partner customers.
Proselytize: (unfortunately, "communication" does not start with a P!)
1) Acquire a CXO champion - in addition to the CIO.
2) Develop “buy-in” from trusted managers and key workforce members.
3) Demonstrate the “ease,” “power” and “beauty” of SSO.
On the “Not To Do” side, Paidhrin has only one point: “do NOT ignore doing any of the four To Dos.”
On the second “P,” the Project Plan, Paidhrin offers a few more details:
“Develop a solid project with all appropriate documentation:
Initiating Phase
a. Charter Document (definition).
b. Scope Document (business case objectives).
c. Change Control Document(s) (budget and authority sign-offs).
Planning Phase
d. Communication Plan.
e. Risk Plan.
f. Scope Change Plan (impact assessment, workflow changes, etc.).
g. Quality Plan (standards, validation, metrics, etc.).
h. Issue Plan.
i. Procurement / Cost / Schedule Plans.
j. Governance Plan.
Executing Phase
k. Operational Impact.
l. Policy & Procedures.
m. Build & Conversion specifications.
n. Training Plan.
o. Testing Plan.
p. Activation and Support Turnover Plan.”
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (2)
Yawn...
By Anonymous on August 15, 2008, 10:53 am
And to think I thought I was going to get some magical insight about which single sign-on method works best. NOT. This is project management 101... argh...
That list is project management 101...
By Anonymous on August 13, 2008, 7:04 pm
That list is project management 101. Nothing new there.