Technology Portfolio Management (TPM) Best Practices
Govern technology access controls and identity management at the portfolio level
Overview
Every technology in the portfolio that handles organizational data, provides access to organizational systems, or supports business operations creates access control obligations: who is authorized to use the technology, what actions they are authorized to take within it, and how that authorization is governed, reviewed, and revoked when it is no longer appropriate. Access control failures — excessive permissions granted and never revoked, shared accounts whose usage cannot be attributed to individuals, service accounts with broad privileges created for a specific purpose and then left in place — are among the most consistently exploited vulnerability categories in enterprise security incidents.
Best Practice
Govern technology access controls and identity management at the portfolio level through standards defined in the Technology Standards Register and enforced through the technology assessment framework. The portfolio-level access control standards should address:

- the identity management standards that all approved technologies must support, including integration with the organization’s enterprise identity provider through standard protocols such as SAML, OIDC, or SCIM;
- the minimum access control model that all approved technologies must implement, including role-based access control with least-privilege defaults, multi-factor authentication enforcement, and session management controls;
- the access review standards that apply to all approved technologies, defining the frequency at which access rights must be reviewed, the process for identifying and revoking inappropriate access, and the documentation required to demonstrate compliance with the review standard; and
- the privileged access management standards that apply to administrative and service accounts, defining the controls required to prevent misuse of high-privilege access.
Connect technology-level access control governance to the People, Skills, Roles, and Responsibilities Inventory to ensure that access rights are reviewed and updated when individuals change roles, leave the organization, or transfer between teams. Access rights that are not connected to current organizational roles cannot be reviewed systematically; making the connection between technology access and organizational role explicit in the inventory is the governance requirement that makes systematic access review feasible.
Benefit(s)
Portfolio-level access control governance enforced through technology standards produces an access control posture that is consistent across the full technology portfolio rather than varying by the security maturity of individual teams. Technologies that cannot meet the access control standards are identified at assessment time and governed through an exception process rather than deployed with inadequate access controls that are then accepted as the permanent state. And the portfolio-wide access review discipline produces a systematic reduction in the access accumulation that creates the attack surface that most enterprise identity-related security incidents exploit.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present