Introducing the Identity Governance & Access Management Lead Role
Establishing dedicated ownership to fortify our digital perimeter and drive strategic access controls.
Why…?
"Adversaries aren't breaking in; they're signing in."
— Microsoft Research Report, cited in Identity Theft Awareness Week 2026
Governance, Identity, & Access Management — Explained
Identities | Access Privileges | GIAM Role
Identities
Our organization manages over 19,600 digital identities across the enterprise—each representing a potential pathway to critical systems, sensitive data, and operational infrastructure.
Identity has become the new perimeter in cybersecurity, replacing traditional network boundaries as the primary control point for resource access.
Access Privileges
The primary enterprise risk we face is unmanaged or excessive access privileges. When identities accumulate permissions beyond business necessity, or when access remains active after role changes, we create unnecessary exposure to both internal and external threats. A single compromised credential with elevated privileges can cascade into significant operational and reputational damage.
GIAM Role
Implementing a formal Governance, Identity, and Access Management (GIAM) program establishes clear ownership, accountability, and systematic oversight of who has access to what—and why. This represents a low-cost, high-impact approach to enterprise risk reduction that directly addresses one of the most exploited attack vectors in modern cybersecurity incidents.
Audit & Compliance Alignment
Regulatory Framework
GIAM provides the structural controls required to demonstrate compliance across multiple regulatory domains that govern our operations.
Compliance Requirements Addressed
  • FERPA – Student education record access controls and audit trails
  • HIPAA – Protected health information access governance and documentation
  • COPPA – Children's data privacy and parental consent verification
  • SOX – Financial system access segregation of duties
The Framework — Explained
Role-Based Access Control
Permissions aligned to job functions rather than individual requests, ensuring consistent application of access principles and reducing administrative overhead.
Time-Bound Access Provisioning
Automatic expiration of temporary permissions and project-based access, preventing privilege accumulation and reducing the attack surface over time.
Lifecycle Access Management
Systematic provisioning and de-provisioning tied to HR events—onboarding, role changes, departures—ensuring access rights remain synchronized with employment status.
Documented Access Reviews
Quarterly certification by data owners and managers, creating an auditable record of access validation and demonstrating ongoing governance oversight.
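The four controls above come down to a recurring reconciliation between the HR system of record, the directory, and the RBAC model: accounts with no active HR record, group memberships outside the current role, and time-bound grants past their expiry are exactly what a quarterly review should surface. The following is an added Python example (not part of the original proposal) on constructed sample data; the account names, group names, roster layout and review date are assumptions.

```python
from datetime import date

# Constructed sample data (not district data): HR roster, directory export, RBAC map.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "role": "teacher"},
    "asmith": {"status": "active",     "role": "counselor"},
    "bleft":  {"status": "terminated", "role": "teacher"},
}
DIRECTORY = {
    "jdoe":    {"groups": {"lms-teachers", "sis-gradebook", "finance-ap"}, "grants": {}},
    "asmith":  {"groups": {"sis-counseling", "health-records"},
                "grants": {"health-records": date(2024, 6, 30)}},  # time-bound grant
    "bleft":   {"groups": {"lms-teachers"}, "grants": {}},          # separated staff
    "svc-old": {"groups": {"sis-admin"}, "grants": {}},             # no HR record at all
}
RBAC = {  # role -> groups the role is entitled to
    "teacher":   {"lms-teachers", "sis-gradebook"},
    "counselor": {"sis-counseling", "health-records"},
}

def orphaned_accounts(hr, directory):
    """Accounts with no active HR record: separated staff or unowned identities."""
    return sorted(a for a in directory
                  if hr.get(a, {}).get("status") != "active")

def excess_access(hr, directory, rbac):
    """Group memberships beyond what the identity's current role permits (role drift)."""
    drift = {}
    for acct, rec in directory.items():
        person = hr.get(acct)
        if not person or person["status"] != "active":
            continue  # orphaned accounts are reported separately
        extra = rec["groups"] - rbac.get(person["role"], set())
        if extra:
            drift[acct] = sorted(extra)
    return drift

def expired_grants(directory, today):
    """Time-bound grants past their expiry date that are still in effect."""
    return sorted((acct, g) for acct, rec in directory.items()
                  for g, exp in rec["grants"].items()
                  if exp < today and g in rec["groups"])

def reconcile(hr=HR_ROSTER, directory=DIRECTORY, rbac=RBAC, today=date(2024, 9, 1)):
    """One review cycle: the three finding lists a data owner would certify or remediate."""
    return {"orphaned": orphaned_accounts(hr, directory),
            "excess": excess_access(hr, directory, rbac),
            "expired": expired_grants(directory, today)}

if __name__ == "__main__":
    for finding, items in reconcile().items():
        print(finding, items)
```

Each finding maps to a lifecycle action: disable the orphaned account, remove the drifted group, revoke the expired grant, and keep the output as the audit record for the quarter.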
12-Month Identity Governance Maturity Roadmap
Each quarter builds on previous capabilities while delivering measurable security improvements.
1. Q1: Foundation Phase
Identity Inventory & Ownership
  • Complete discovery of all identity stores and directories
  • Map identities to business owners and data stewards
  • Establish baseline access reporting capability
  • Define governance roles and responsibilities
2. Q2: Governance Phase
Access Reviews & Role Definition
  • Launch quarterly access certification campaigns
  • Design role-based access control (RBAC) framework
  • Implement workflow for access requests and approvals
  • Deploy identity analytics for anomaly detection
3. Q3: Enforcement Phase
Least Privilege Implementation
  • Remove dormant accounts and orphaned access
  • Enforce just-in-time privileged access
  • Implement separation of duties controls
  • Establish access recertification standards
4. Q4: Maturity Phase
Automation & Continuous Audit
  • Deploy automated provisioning and de-provisioning
  • Enable real-time policy enforcement
  • Integrate with SIEM for identity-based threat detection
  • Conduct external identity governance audit
Cyber Insurance Risk Profile Improvement
Identity governance directly addresses the risk factors that cyber insurance underwriters scrutinize most carefully during policy evaluation and renewal. With credential-based attacks representing over 80% of security breaches, insurers increasingly require formal identity management programs as a condition of coverage.
Reduces Credential-Based Incident Risk
Systematic access controls and monitoring decrease the probability of successful phishing, credential stuffing, and privilege escalation attacks—the leading causes of insurance claims.
Limits Breach Impact Scope
When incidents occur, least-privilege access and segregation of duties contain the blast radius, reducing potential claim severity and demonstrating active risk management to insurers.
Improves Underwriter Confidence
Documented governance processes, regular access reviews, and audit trails demonstrate mature security practices that support favorable premium negotiations and coverage terms.
Strengthens Renewal Outcomes
Proactive identity governance positions the organization favorably during renewal underwriting, potentially avoiding coverage restrictions or premium increases facing organizations without formal programs.
The Decision: Strategic Investment in Identity Governance
This is not just another IT initiative; it's a high-impact, low-cost strategic decision that directly addresses our most critical enterprise risks and strengthens our foundational security posture.
Risk Reduction
With 80% of breaches involving compromised credentials, GIAM directly addresses our highest-probability threat vector, significantly lowering the risk of a major security incident.
Compliance Imperative
Regulatory requirements like FERPA, HIPAA, COPPA, and SOX demand formal identity governance. Implementing GIAM moves us from a reactive to a proactive and defensible compliance stance.
Insurance Protection
Cyber insurers increasingly require robust GIAM programs as a condition of coverage. This investment protects our insurance coverage, helps secure favorable premium terms, and strengthens our resilience.
Why GIAM Matters for Our IT Department & District
17,500 Students + 2,100 Staff
We're operating identity at enterprise scale—managing approximately 19,600 human identities across our organization.
Service Accounts
Automated systems and application identities requiring secure access.
Third-Party Vendor Access
SIS, testing vendors, LMS, HR, and finance system integrations.
Parent/Guardian Portals
Family access to student information and communications.
Student Devices & Shared Logins
Classroom technology and shared resource access.

Identity is now our primary security control plane. When identity fails, everything else fails. GIAM certification ensures we can design, govern, and enforce identity safely at scale—not just manage admin accounts.
What Breaks Without GIAM-Level Capability (1-3)
At our size, these are not theoretical problems:
1. Excess access never gets removed
  • Staff change roles constantly (teacher → admin → contractor → exit)
  • Students move schools, grades, programs
  • Without formal identity governance:
    • Old permissions linger
    • FERPA violations occur silently
    • Compromised accounts have far more access than intended
GIAM focuses on lifecycle access governance, not just disabling accounts.
2. Compliance Risk Scales with Identity Count
  • FERPA (student records)
  • HIPAA (health, special education, counseling)
  • COPPA (under 13 data)
  • State Privacy Laws (often layered on top)
Regulators don't care if exposure was "accidental."
They care if:
3. Identity Incidents — Most Likely Breach Vector
In K–12, the top breach causes are:
  • Phished staff accounts
  • Shared credentials
  • Over-privileged accounts
  • Vendor access with no governance
With ~2,100 staff:
  • Statistically, multiple accounts will be compromised every year
  • The difference between “contained incident” and “major breach” is how identity is governed

A GIAM-trained leader designs:
  • Tiered access models
  • Privilege boundaries
  • Emergency access that’s logged and time-bound
  • Real review processes (not checkbox exercises)
Why GIAM is Different from General IT or Security Certs
GIAM is not about:
  • Firewalls
  • Endpoint tools
  • Antivirus
GIAM is about:
  • Who should have access
  • Why they have it
  • How long they should keep it
  • What happens when roles change or accounts are abused
At our scale, identity errors create systemic risk, not isolated mistakes.
One GIAM-Certified Leader Can:
  • Reduce breach likelihood
  • Reduce audit findings
  • Reduce over-licensing
  • Provide defensible decisions during incidents or investigations
  • Reduce admin workload through automation

“At our scale, identity is our security perimeter. Without formal identity governance leadership, we are accepting unnecessary compliance, breach, and reputational risk.”
GIAM vs. “Experienced Admin”
GIAM Certified
What you get (SUHSD & Supported Districts)
  • Designed identity governance at scale
  • Formal access reviews and lifecycle control
  • Clear compliance narratives during audits/incidents
What it prevents
  • Excess permissions
  • Silent FERPA/HIPAA violations
  • Identity chaos during staffing changes
Best for
  • Districts with large student populations and regulatory exposure (us)
Non-Certified but “Experienced” Admin
What you get
  • Keeps systems running
  • Knows the environment
Risks
  • Access decisions based on habit, not governance
  • No formal access review structure
  • Weak audit defensibility
This is where many K–12 districts get burned
Proposed Position — GIAM Lead
Duties & Responsibilities
Position Summary
The Identity Governance & Access Management (IGAM) Lead is responsible for ensuring that only authorized individuals have appropriate access to district systems and data throughout their lifecycle. This role provides governance, oversight, and accountability for identity and access decisions that directly impact student data privacy, regulatory compliance, cybersecurity risk, and operational continuity.
This position serves as the district authority on identity governance, aligning access controls with FERPA, HIPAA, COPPA, and cybersecurity best practices, while enabling safe and efficient use of technology across instructional and administrative environments.
Core Responsibilities
Identity Lifecycle Governance
  • Own and govern identity lifecycle processes for:
    • Students
    • Instructional staff
    • Classified staff
    • Administrators
    • Contractors and vendors
  • Ensure timely and accurate provisioning, modification, and deprovisioning of access based on role changes, transfers, and separation.
  • Prevent orphaned, shared, or excessive access across systems.
Access Control & Governance
  • Design and maintain role-based access control (RBAC) models for district systems.
  • Enforce least-privilege access principles.
  • Define approval and exception processes for elevated or sensitive system access.
  • Serve as escalation authority for access-related disputes or risks.
Access Reviews & Attestation
  • Coordinate and oversee periodic access reviews for high-risk systems, including student records, health, finance, and administrative platforms.
  • Ensure review results are documented, tracked, and remediated.
  • Provide evidence and explanation during audits, investigations, or incident response.
Core Responsibilities (Continued)
Privileged Access Oversight
  • Govern administrative and elevated IT access.
  • Ensure separation of standard and privileged accounts.
  • Establish and maintain emergency ("break-glass") access procedures.
  • Review and monitor privileged access activity.
Third-Party & Vendor Access
  • Govern vendor and third-party system access to district data.
  • Ensure access is time-bound, justified, and reviewed regularly.
  • Coordinate with procurement, legal, and IT teams on access-related requirements.
Incident Response & Risk Reduction
  • Support cybersecurity incident response involving compromised identities.
  • Quickly assess access exposure and reduce blast radius.
  • Partner with security and IT teams to implement corrective actions.
Systems & Platforms Overseen
The IGAM Lead governs identity interaction with, but does not necessarily administer, the following categories of systems:
  • Identity platforms (e.g., Active Directory, Entra ID, Google Identity)
  • Student Information Systems (SIS)
  • Learning Management Systems (LMS)
  • Assessment and testing platforms
  • Special education and health-related systems
  • HR, payroll, and finance systems
  • Cloud applications and single sign-on environments
  • Privileged access to infrastructure and administrative platforms
  • Vendor-integrated systems and service accounts
Frameworks & Standards Alignment
This role operates in alignment with:
  • FERPA, HIPAA, COPPA, and applicable state privacy laws
  • NIST Cybersecurity Framework (CSF)
  • NIST SP 800-53 (Access Control and Identity Management)
  • CIS Critical Security Controls (Controls 5 & 6)
  • Zero Trust security principles (identity as a control boundary)
How to Qualify
Required Qualifications
  • Strong experience in identity and access management, systems administration, or cybersecurity governance
  • Demonstrated understanding of access control, least privilege, and identity lifecycle management
  • Ability to make and defend access decisions involving sensitive data
  • Experience supporting audits, compliance reviews, or investigations
  • Strong written and verbal communication skills
Preferred Qualifications
  • GIAM or equivalent identity governance certification
  • Experience in K–12, education, healthcare, or regulated environments
  • Familiarity with Google Workspace and Microsoft Entra environments
  • Experience coordinating across IT, HR, instructional, and administrative teams
Positional Level Statement
This position requires senior judgment, accountability, and authority. While execution tasks may be delegated, ownership of identity governance cannot be assigned to junior staff due to regulatory, security, and operational risk.
Strategic ROI Summary:
  • Minimal Capital Investment: Leverages existing infrastructure and expertise.
  • 12-Month Implementation: Delivers value quarterly, starting immediately.
  • Immediate Risk Reduction: Tangible security improvements observed from Q1.
  • Long-Term Cost Avoidance: Prevents costly breaches and ensures favorable insurance terms.

Board Approval Requested: Authorize the 12-month Identity Governance & Risk Management implementation roadmap and establishment of the dedicated GIAM Lead role.
Recommended Next Steps
01. Board Authorization (Week 1)
Approve GIAM roadmap and the dedicated GIAM Lead position.
02. Position Development (Weeks 2-4)
Finalize role requirements, compensation structure, and reporting relationships for the GIAM Lead.
03. Selection (Weeks 5-10)
Post the position, conduct interviews, and select the most qualified candidate for the GIAM Lead role. Interested applicants should have at least 6 years of IT experience, hold a CIAM or GRC certification, and hold a degree in Information Systems.
04. Program Launch (Weeks 11-12)
Onboard the GIAM Lead and initiate Q1 Foundation Phase activities of the implementation roadmap.
We are prepared to begin implementation immediately upon Board approval and look forward to providing quarterly progress updates as we strengthen our identity governance posture.
Thank You
I sincerely appreciate your time and thoughtful consideration of this critical strategic investment.
"Identity compromise has become one of the most persistent operational risks for organizations today... because the security perimeter has fundamentally changed. With identity as the new gateway, a single compromised credential can cascade across an entire enterprise."
— Grassi Advisors, Identity Theft Awareness Week 2026
Contact Information
Questions or additional information needed? Contact mchaney@suhsd.net
Sources & References:
  • Slide 1: Enterprise identity statistics and risk framework - Internal IT Security Assessment 2024
  • Slide 1: Microsoft quote - "Adversaries aren't breaking in; they're signing in." Microsoft Research Report, cited in Identity Theft Awareness Week 2026, Grassi Advisors
  • Slide 3: Regulatory compliance requirements - FERPA (20 U.S.C. § 1232g), HIPAA (45 CFR Part 164), COPPA (15 U.S.C. §§ 6501-6506), SOX (15 U.S.C. § 7241)
  • Slide 4: Implementation roadmap methodology - NIST Special Publication 800-63, Digital Identity Guidelines
  • Slide 5: Breach statistics and insurance trends - Verizon 2024 Data Breach Investigations Report, Cyber Insurance Market Analysis 2024
  • Slide 9 (Implementation Roadmap): Identity governance framework methodology - NIST Special Publication 800-63, Digital Identity Guidelines
  • Slide 10 (Cyber Insurance): Credential-based attack statistics and cyber insurance risk factors - Verizon 2024 Data Breach Investigations Report; Cyber Insurance Market Analysis 2024
  • Slide 11 (Enterprise Scale): Identity count statistics (19,600 identities, 17,500 students, 2,100 staff) - Internal IT Security Assessment 2024, SUHSD
  • Slide 13 (Compliance): Regulatory compliance requirements - FERPA (20 U.S.C. § 1232g), HIPAA (45 CFR Part 164), COPPA (15 U.S.C. §§ 6501-6506), SOX (15 U.S.C. § 7241)
  • Slide 14 (Breach Statistics): "80% of breaches involve compromised credentials" - Verizon 2024 Data Breach Investigations Report
  • Slide 26 (Thank You): Identity security quote - "Identity compromise has become one of the most persistent operational risks..." Grassi Advisors, Identity Theft Awareness Week 2026