User Access Matrix Change – DICE Analysis
MBAZG634 Assignment
Strategic Change Management
Rathish Raghul G V
2017HB58536
BITS Pilani
Pilani|Dubai|Goa|Hyderabad

Introduction
• GVR is the regulatory reporting application used globally across the bank; it contains sensitive information about the critical data of the bank's different business units.
• Each application has a specific governance mechanism, under which a business owner is accountable end to end for maintaining the application within the agreed standards and procedures of the bank.
• Because GVR is the regulatory reporting application, maintaining information security is crucial, and the application is subject to regular internal audits.
• One such audit identified gaps in the access and identity management of the application.
• It was noted that user roles and access privileges had discrepancies, with user accounts holding toxic access.
• The auditor issued an observation, and the toxic access has to be rectified by the business owner within the agreed timeline of six months.
BITS Pilani, Deemed to be University under Section 3 of UGC Act, 1956


Change Description
• As agreed in the audit report, the business owner is accountable for rectifying the toxic access; accordingly, a change request was raised to perform the necessary changes.
• Since it is a bank-wide application, rectifying role-based user access will affect users across the globe and will hinder their day-to-day deliverables.
• This change was regarded as complex, as many users might lose their access and will be distressed that they can't access the reports they were accessing.
• The challenge is making users understand that the modified access is the actual access privilege they should possess, and completely reworking the user access matrix that is to be implemented.
• However, this change was approved and the project was kicked off.


Scope:
This project is a global one and will cover all existing users of the application. All user access will be reviewed, and the right permissions will be applied based on the revised user access matrix that is being developed as part of this project.

Objective:
To completely sanitize the user access of the application so that all users have access according to the revised access matrix, leaving no gap in maintaining the information security standards of the application.


Project details

Project Team:
| Organization role | Project role |
|---|---|
| Business Owner | Project Sponsor |
| Business Information security officer | Team Lead |
| Technology Head - GVR Application | Project Co-sponsor |
| Information security Team, Development team, Quality assurance team | Implementors |

Duration: 6 Months


DICE Analysis
Duration calculation
| Element | Questionnaire | Responses | Score |
|---|---|---|---|
| Duration | How long will this change project take? | 6 Months | 1 |
| | How often will change review meetings take place? | Fortnightly until completion | |
| | Will it happen regularly? | Yes | |
| | Time required for project approval? | Not more than 15 working days | |
| | How long will it take to set up the project team? | 15 days, as the project is set up within the existing resources | |

Factors Considered

Considering the Duration factor, all the timelines are supportive, i.e., regular project reviews by senior management (the Business owner and Technology head) and setup of the project team, as the technology team identified is comparatively low on utilization and can take up additional responsibilities. Hence a score of 1 has been awarded.


Integrity Calculation
| Element | Questionnaire | Responses | Score |
|---|---|---|---|
| Integrity | Is the Business information security officer (BISO) capable? | Yes, has handled many change projects and completed them successfully | 1 |
| | Is the technology team (implementers) skilled and motivated? | Yes, the Group information security team along with skilled developers will implement | |
| | Is the Business owner supportive? | Yes | |
| | Do the Tech & Business teams have enough bandwidth to perform the duties? | Yes, it has been agreed that 50% of time will be utilized for this change | |
| | Will the Business owner be able to review the changes with precision and provide sign off? | Yes, along with first level review by BISO | |


Factors considered
• The team leader of this project is the Business information security officer (BISO), who is capable based on the following parameters:

a. Domain expert with sound business knowledge
b. Has handled similar changes and completed them successfully
c. Good interpersonal skills, which are most required as there is a need to support users with empathy
d. Has handled multiple projects with specific cost-saving measures

• The implementation team consists of business and technology experts; the team that has been set up is highly skilled, holds industry certifications and is experienced in change projects.
• The team members are good team players and have good ratings in the past year's performance cycle.


• Since senior resources have been entrusted with the project, multitasking is possible, and it has been agreed that this change initiative will be prioritized by devoting 50% utilization to it.
• Since this is an information security project, regular security reviews are mandatory; the business owner has agreed to regular reviews and is doing them.
• Considering the factors involved in the integrity calculation, a score of 1 has been awarded, as the team leader and team are highly capable and skilled to execute this change.



Commitment Calculation
| Element | Questionnaire | Responses | Score |
|---|---|---|---|
| Commitment: senior Management (C1) | Do the Business owner & Technology head regularly communicate the reason for the user access matrix change and its importance? | Yes, the BO held a meeting for top management to apprise them of the changes & their importance | 1 |
| | Is the communication channel convincing? | The message has been emailed to all users, and the same is available on the internal communication page along with FAQs | |
| | Is the message consistent across the top management team and over time? | Yes | |
| | Have the business owner & Technology head devoted enough resources to the change program? | Yes, this project has been prioritized among the information security projects handled by the BISO, and additional resource has been provided | |
| Commitment: Local Management (C2) | Are the GVR application users worst affected, and do they understand the importance of information security? | Yes, but the users didn't understand the need, and awareness is required | 3 |
| | Are they supportive, worried or obstructive? | Users are obstructive & worried about their reporting tasks | |



• On the commitment factor, the change project enjoys excellent support from senior management, as they are aware that they are accountable for information security.
• The BISO has a good communication plan for this initiative.
• The most commendable effort is the preparation of an FAQ, which is available on the internal pages, and a popup notification asking users to read and acknowledge the proposed change.
• However, this factor is completely lacking among employees, as they are worried about performing their day-to-day activities; hence awareness is required, explaining the need for this project.
• Hence a score of 1 is awarded for senior management and 3 for local management.



Effort Calculation
| Element | Questionnaire | Responses | Score |
|---|---|---|---|
| Effort | What is the percentage of increased effort put in by the business team and technology team to implement it? | It would require 20% extra effort by the business & technology teams | 2 |
| | Does it overload the current team's functioning? | To a considerable level | |
| | Have the teams strongly resisted the increased demands on them? | No | |

Based on the responses recorded and the analysis as part of the effort calculation, a score of 2 has been awarded.



DICE SCORE

DICE Score = D + 2I + 2C1 + C2 + E
= 1 + 2 + 2 + 3 + 2
= 10

Based on the DICE score, the graph has been plotted, and it clearly indicates that the change initiative is likely to meet its objective.



Recommendations

• The calculated DICE score is 10, which means the change initiative is likely to succeed, based on the studies performed by the experts.
• The score needs no major improvement, as the initiative enjoys the support of senior management and the effort of the project team members.
• A minor improvement is that users' concerns need to be addressed, as they will be affected most by this change.
• User obstruction might create a huge noise in the organization, considering the importance of the application.
• The team leader must plan to address this issue, which will be a step forward in the successful completion of this change initiative.

Thank You