Estimating Security Resources Needed for Support O...

Former Member · ‎05-10-2010

Hi Gurus,

As our implementation winds down, I've been tasked with the pleasure of defining the security resource requirements needed for the future state support organization.

Some high level details of the environment:

-ECC 6.0, SCM SNC 7.1, BI, XI/PI; expected to be approximately 10 instances in stable environment between DEV, Q, Prod

-10000 users

-100 business roles; 1000 single roles

-Custom security for one area that will require incremental additions of sales group/sales office across the BI, SNC and ECC systems in the roles (not too often)

-90 day password reset enforcement

-Manual access request forms

-Use of SPM and RAR

I've done some searches and found a fair amount of forum postings, but I'm seeing all types of different responses. While I understand it can vary, I am curious if any of you have (from your experience) developed a helpful equation that can help us deteremine whether 2, 3 or 10 resources are needed.

Please let me know if there is any more context I can provide. If you are aware of another thread that already discusses this, please let me know. Thanks in advance.

Sincerely,

Chris

Former Member · ‎05-10-2010

Hi Chris,

This is just rough idea of resource setup for support task in Landscape described by you as I have experience with similar type of project. Better you divide your security team in two areas..one is role and maintenance and second is in user request authorization and password reset etc works.

So, better you have atleast team of 5-6 members, so that 2 can take care of role modificattion related task and rest will take care of user request as password reset and role assignmnet , user creation type of task is more as copmare to role modification. In case of any resource crisis in any of two team, you can take help of other team , same as load balancing.

Hope this helps, It's just my view.

Former Member · ‎05-10-2010

Depending on your frequency of role changes, user changes I would expect a team of 3 (2 reasonably strong + 1 admin) to be able to comfortably manage that landscape with some capacity for performing additional project support work & holiday cover.

If you have low complexity/change then there is no reason why 1 or 2 people would not be able to cover the admin side once the solution is mature.

Unfortunately no equation for it but based on what I see clients operating effectively over the last few years. Automation (position based assignment, use of CUP etc) can help reduce the administrative workload.

If you have metrics for expected user and role changes (difficult to come up with at the end of an implementation) then you can be more scientific about it. There are many variables that have a material impact on the support requirements.

All the consultancies & out sourcers have models that they use for this. Usually I find them to be a bit generous on the resource side as they have to provide contingency for the unknown stuff. One of my clients has out sourced some admin tasks and the out sourcing firm applied their metrics to it and fell quite short due to the complexity of it. This isn't a criticism of those firms, rather that even these companies who do this stuff for a living can miss many things.

Former Member · ‎05-10-2010

I would support the count quoted by Alex here. You need to continue with them atleast 6 months to calculate the "work load". By this time you will have more figures and required time efforts for the same. Later on you can check with 2-3 organizations (if you want to outsource) and lock the best deal.

Regards,

Gowrinadh

Former Member · ‎05-11-2010

Thank you all for your thoughtful insight.

Estimating Security Resources Needed for Support Organization