6 Access management

6.1 PURPOSE AND OBJECTIVES (SO 4.5.1)

Access management grants authorized users the right to use a service, or group of services, while preventing access to non-authorized users.

The objectives of access management are to:

  • Manage access to services based on policies in information security management
  • Respond efficiently to requests for granting, changing or restricting access rights; verifying whether requests are granted appropriately
  • Oversee access to services and ensure that rights provided are not improperly used.

6.2 SCOPE (SO 4.5.2)

Access management is the execution of policies and actions defined in information security management, managing the confidentiality, availability and integrity of an organization’s data and intellectual property.

Access management ensures the right of access but not availability of access, which is provided by availability management.

Access management can be initiated via a service request, but is executed by technical and application management functions, coordinated by the service desk or IT operations management.

6.3 VALUE TO THE BUSINESS AND SERVICE LIFECYCLE (SO 4.5.3)

Access management provides value by:

  • Controlling access to services so that the organization effectively maintains the confidentiality of its information and achieves regulatory compliance (if required)
  • Giving employees the appropriate access that they need in order to be effective
  • Revoking access rights when needed
  • Enabling the use of services to be audited, or abuse to be traced.

6.4 POLICIES, PRINCIPLES AND BASIC CONCEPTS (SO 4.5.4)

Examples of access management policies might include:

  • Access management administration and activities are directed by the policies and controls in the information security policy
  • Accesses to use services are logged and tracked, ensuring rights provided are appropriately used
  • Access to services is maintained in alignment with changes in personnel events such as transfers and terminations
  • An accurate history is maintained of who has accessed, or tried to access, services
  • Procedures for handling, escalating and communicating security events are defined and aligned to the information security policy.

Access management enables users to access services documented in the service catalogue.

Key concepts include:

  • Access: The level and extent of a service’s functionality or data that a user is entitled to use
  • Identity: Information that distinguishes each user and verifies his or her status in an organization; each identity is unique
  • Rights (or privileges): Settings that enable a user to access a service in a particular way; for example, read, write, execute, change or delete
  • Service or service groups: As most users do not use just one service, and users with similar roles use a similar set of services, it is more efficient to grant each user or group of users access to a set of services in a group
  • Directory services: Tools used to manage access and rights.

6.5 PROCESS ACTIVITIES, METHODS AND TECHNIQUES (SO 4.5.5)

6.5.1 Requesting access

Access can be requested in a number of ways, including:

  • Standard request generated by an HR system, such as for a new starter, promotion or leaver
  • Request for change (RFC) or service request
  • Execution of a pre-authorized script.

Rules for requesting access are usually documented in the service catalogue.

6.5.2 Verification

For every request, access management verifies that:

  • The user requesting access is who they say they are. This type of verification depends on an organization’s security policy; this is usually achieved by the user providing his or her username and password
  • The user has a legitimate requirement for the service. This requires independent verification; for example:
    • Notification from HR or authorization from an appropriate manager
    • Submission of an RFC or service request, with supporting evidence, through change management
    • A policy stating the user is allowed access to an optional service if needed.

The RFC for new services specifies the users or user groups to be given access. Access management verifies that these users remain valid and then automatically provides access as specified in the RFC.

6.5.3 Providing rights

Access management does not decide who has which access rights; it executes the policies and regulations defined in service strategy and service design, enforcing decisions to restrict or provide access.

Following verification, the user is provided with the rights to use the requested service. Typically, this requires a request to action, which is sent to the relevant team supporting the service. Where possible, these actions should be automated.

Role conflict can occur where there are many roles and groups. It arises when two specific roles or groups, if assigned to a single user, create issues with separation of duties or conflicts of interest, such as:

  • One role requires detailed access, while another prevents access
  • Two roles allow a user to perform conflicting roles such as logging time and approving payment for that time.

Any conflict is documented and escalated for resolution.

For any role or group, there may be users who need something slightly different from the predefined role. Each exception is coordinated by access management and approved via the originating process.

Regular reviews of the roles and groups are performed to ensure that they remain appropriate, and unwanted or obsolete groups are removed.
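The role-conflict check, exception handling and periodic group review described above can be automated. The following is an added example, not code from the ITIL publication: the role names, the pairs treated as separation-of-duties conflicts, the exception reference "RFC-0042" and the sample users are all constructed for illustration. Conflicts without an approved exception are returned for escalation; conflicts covered by an exception carry the reference of the originating approval so the decision stays auditable.

```python
"""Separation-of-duties (SoD) check over role assignments (added example)."""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sample: pairs of roles that one user must not hold together.
# Pair order does not matter, so each pair is stored as a frozenset.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"timesheet-submitter", "timesheet-approver"}),
    frozenset({"vendor-onboarding", "payment-release"}),
    frozenset({"source-commit", "production-deploy"}),
}

# Constructed sample: every group/role currently defined in the directory.
DEFINED_GROUPS = {
    "staff", "timesheet-submitter", "timesheet-approver",
    "source-commit", "production-deploy", "legacy-reporting",
}


@dataclass
class User:
    user_id: str
    roles: set
    # Conflicts the originating process has explicitly approved, keyed by the
    # conflicting pair and holding the approval reference (e.g. an RFC id).
    exceptions: dict = field(default_factory=dict)


@dataclass
class Finding:
    user_id: str
    pair: frozenset
    status: str            # "escalate" or "exception-approved"
    reference: str = ""    # approval reference when an exception exists


def find_role_conflicts(user: User) -> list:
    """Return every conflicting role pair held by the user."""
    findings = []
    for a, b in combinations(sorted(user.roles), 2):
        pair = frozenset({a, b})
        if pair not in CONFLICTING_ROLE_PAIRS:
            continue
        if pair in user.exceptions:
            findings.append(Finding(user.user_id, pair,
                                    "exception-approved", user.exceptions[pair]))
        else:
            findings.append(Finding(user.user_id, pair, "escalate"))
    return findings


def conflicts_to_escalate(users) -> list:
    """Conflicts with no approved exception: these are documented and escalated."""
    return [f for u in users for f in find_role_conflicts(u)
            if f.status == "escalate"]


def obsolete_groups(defined_groups: set, users) -> set:
    """Periodic review: defined groups that no user holds, candidates for removal."""
    in_use = set().union(*(u.roles for u in users))
    return defined_groups - in_use


# Constructed sample users.
SAMPLE_USERS = [
    User("alice", {"staff", "timesheet-submitter", "timesheet-approver"}),
    User("bob", {"source-commit", "production-deploy"},
         exceptions={frozenset({"source-commit", "production-deploy"}): "RFC-0042"}),
    User("carol", {"staff"}),
]

if __name__ == "__main__":
    for f in conflicts_to_escalate(SAMPLE_USERS):
        print(f"ESCALATE {f.user_id}: {sorted(f.pair)}")
    print("obsolete groups:", obsolete_groups(DEFINED_GROUPS, SAMPLE_USERS))
```

Running the module lists alice's submitter/approver conflict for escalation, while bob's commit/deploy combination is reported as covered by the constructed exception "RFC-0042"; the review function flags "legacy-reporting" as a group nobody holds.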

6.5.4 Monitoring identity status

Users’ roles and access needs change over time, for example, as a result of:

  • Job changes, promotions, demotions or transfers
  • Resignation, death or retirement
  • Disciplinary actions or dismissals.

Access management documents the user lifecycle for each type of user and automates the process based on this.

Access management tools require facilities to change user states or move users between groups and maintain an audit trail.

6.5.5 Logging and tracking access

Access monitoring and control activities need to be included in the monitoring activities undertaken by technical and application management and all service operation processes.

Exceptions are handled by incident management. Specific incident models can be designed to handle abuse of access rights.

Information security management can use intrusion detection tools to detect unauthorized access and check what rights have been provided by access management.

Access management may be required to provide access records for forensic investigations. This is usually provided by operational staff, but working as part of the access management process.
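One concrete form of the logging and tracking activity is to reconcile what a service actually logged against the rights access management has recorded as granted. The example below is added here and is not the ITIL publication's code: the log line format, the entitlement table, the list of deprovisioned users and the log lines themselves are constructed. It separates a successful access with no matching right (an exception for incident management) from a denied attempt (still recorded, since attempts feed the KPIs in section 6.8) and from residual access by a user whose rights should already have been removed.

```python
"""Reconcile logged service access against granted rights (added example)."""
import re
from collections import defaultdict

# Constructed entitlement record, as held by access management:
# user -> {service: set of rights granted}
GRANTED = {
    "alice": {"payroll": {"read"}, "wiki": {"read", "write"}},
    "bob": {"payroll": {"read", "write"}},
}
# Constructed list of users whose access has been removed (leavers).
DEPROVISIONED = {"carol"}

# Constructed log line shape:
#   <timestamp> user=<id> service=<name> action=<right> result=<ok|denied>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) service=(?P<service>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>ok|denied)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice service=wiki action=write result=ok
2024-03-01T08:02:15Z user=alice service=payroll action=write result=ok
2024-03-01T08:05:40Z user=bob service=payroll action=write result=ok
2024-03-01T08:07:03Z user=carol service=payroll action=read result=ok
2024-03-01T08:09:22Z user=dave service=payroll action=read result=denied
2024-03-01T08:10:00Z malformed line
"""


def parse_log(text):
    """Parse log lines; count lines that do not match so they are not silently lost."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed += 1
    return events, unparsed


def classify(event, granted=GRANTED, deprovisioned=DEPROVISIONED):
    """Compare one logged access with the rights on record."""
    user, service, action = event["user"], event["service"], event["action"]
    succeeded = event["result"] == "ok"
    if user in deprovisioned:
        # Any success here means removal of rights did not take effect.
        return "residual-access" if succeeded else "denied-attempt"
    allowed = granted.get(user, {}).get(service, set())
    if action in allowed:
        return "ok"
    # No matching right: a success is the serious case, a denial is recorded
    # as an attempt so that it can be counted and investigated.
    return "unauthorized-success" if succeeded else "denied-attempt"


def reconcile(text):
    """Group every non-OK event by finding type; also return the unparsed count."""
    events, unparsed = parse_log(text)
    findings = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind != "ok":
            findings[kind].append((ev["ts"], ev["user"], ev["service"], ev["action"]))
    return dict(findings), unparsed


if __name__ == "__main__":
    found, bad = reconcile(SAMPLE_LOG)
    for kind, items in found.items():
        for item in items:
            print(kind, *item)
    print("unparsed lines:", bad)
```

On the constructed log this reports alice's payroll write as an unauthorized success (she only holds read), carol's payroll read as residual access after deprovisioning, dave's denied read as an attempt, and one unparsed line. The unparsed count matters in practice: a reconciliation that quietly drops lines it cannot read gives false assurance.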

6.5.6 Removing or restricting rights

Access management is responsible for revoking rights and executing the decisions and policies made during service strategy and service design.

Access is usually removed following a death, resignation, dismissal, role change or transfer.

Applying tighter restrictions, such as reducing levels, time or duration of access, should occur when a user changes roles, is demoted, is under investigation or is away on a temporary basis.
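The user lifecycle from section 6.5.4 (documented per user type, automated, with state changes and group moves recorded in an audit trail) and the removal and restriction of rights described here can be expressed as one state machine. The code below is an added example and not the ITIL publication's: the states, the HR and security events, the group names, the baseline groups kept during a restriction and the sample timeline are all constructed. Events that are not valid for the identity's current state are rejected rather than applied, and a fail-safe query reports any deprovisioned identity that still holds groups.

```python
"""Identity lifecycle state machine with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed lifecycle table: (current state, event) -> next state.
# Anything not listed is rejected, so a deprovisioned identity cannot be
# transferred or cleared without a fresh new-starter request.
TRANSITIONS = {
    ("active", "transfer"): "active",
    ("active", "investigation"): "restricted",
    ("active", "extended-leave"): "restricted",
    ("restricted", "cleared"): "active",
    ("active", "leaver"): "deprovisioned",
    ("restricted", "leaver"): "deprovisioned",
}
# Constructed: groups an identity keeps even while restricted.
BASELINE_GROUPS = {"staff", "email"}


@dataclass
class AuditEntry:
    when: str
    user_id: str
    event: str
    from_state: str
    to_state: str
    groups_before: tuple
    groups_after: tuple
    actor: str   # what triggered the change: HR feed, RFC id, case id


@dataclass
class Identity:
    user_id: str
    state: str = "active"
    groups: set = field(default_factory=set)
    held_groups: set = field(default_factory=set)  # parked while restricted


class LifecycleError(Exception):
    """Event is not valid in the identity's current state."""


class IdentityStore:
    def __init__(self):
        self.identities = {}
        self.audit_trail = []

    def onboard(self, user_id, groups, actor):
        ident = Identity(user_id, "active", set(groups))
        self.identities[user_id] = ident
        self._record(ident, "new-starter", "none", set(), actor)
        return ident

    def apply_event(self, user_id, event, actor, new_groups=None):
        ident = self.identities[user_id]
        key = (ident.state, event)
        if key not in TRANSITIONS:
            raise LifecycleError(f"{event!r} is not valid in state {ident.state!r}")
        before, old_state = set(ident.groups), ident.state
        new_state = TRANSITIONS[key]
        if new_state == "deprovisioned":
            ident.groups, ident.held_groups = set(), set()
        elif new_state == "restricted":
            # Tighten access but keep the account: park non-baseline groups.
            ident.held_groups = ident.groups - BASELINE_GROUPS
            ident.groups = ident.groups & BASELINE_GROUPS
        elif event == "cleared":
            ident.groups |= ident.held_groups
            ident.held_groups = set()
        elif event == "transfer":
            # Role change: the old role's groups go, the baseline stays.
            ident.groups = BASELINE_GROUPS | set(new_groups or ())
        ident.state = new_state
        self._record(ident, event, old_state, before, actor)
        return ident

    def _record(self, ident, event, old_state, before, actor):
        self.audit_trail.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user_id=ident.user_id, event=event,
            from_state=old_state, to_state=ident.state,
            groups_before=tuple(sorted(before)),
            groups_after=tuple(sorted(ident.groups)), actor=actor))

    def leavers_with_residual_access(self):
        """Fail-safe check: deprovisioned identities that still hold any group."""
        return [i.user_id for i in self.identities.values()
                if i.state == "deprovisioned" and (i.groups or i.held_groups)]


def run_sample_timeline():
    """Constructed HR event sequence for one identity; actor ids are made up."""
    store = IdentityStore()
    store.onboard("u1001", ["staff", "email", "finance-ledger"], actor="hr-feed")
    store.apply_event("u1001", "investigation", actor="hr-case-0007")
    store.apply_event("u1001", "cleared", actor="hr-case-0007")
    store.apply_event("u1001", "transfer", actor="hr-feed", new_groups=["warehouse-wms"])
    store.apply_event("u1001", "leaver", actor="hr-feed")
    return store
```

Running `run_sample_timeline()` and printing `store.audit_trail` shows the identity losing "finance-ledger" during the investigation, regaining it when cleared, swapping it for "warehouse-wms" on transfer, and ending with no groups at all; a further `transfer` on the deprovisioned identity raises `LifecycleError`.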

6.6 TRIGGERS, INPUTS, OUTPUTS AND INTERFACES (SO 4.5.6)

Access management can be triggered when access is requested, as detailed in section 6.5.1.

Inputs include:

  • Information security policies
  • Operational and service level requirements for granting access to services, performing access management administrative activities and responding to access management related events
  • Authorized RFCs to access rights
  • Authorized requests to grant or terminate access rights.

Outputs include:

  • Provision of access to IT services
  • Access records and history of access granted to services
  • Access records and history where access has been denied and the reasons for the denial
  • Timely communications concerning inappropriate access or abuse of services.

Interfaces include:

  • Demand management: Helps to identify the necessary resource levels to handle expected volumes of requests for access
  • Strategy management for IT services: It may be determined that some access management activities (especially for larger organizations) could be handled more efficiently within individual business organizations rather than in a centralized access management function
  • Information security management: Provides the security and data protection policies and tools needed to execute access management. Interfaces are also required with human resource processes to verify the user’s identity and to ensure they are entitled to the services being requested
  • Service catalogue management: Provides methods and means by which users can access different IT services, service descriptions and views that they are authorized for
  • IT service continuity management (ITSCM): To manage access to services in the event of a major business disruption or in conditions where services have been temporarily sourced from alternative locations
  • Service level management (SLM): Maintains the agreements for access to each service, including the criteria for who is entitled to access each service, the cost of access and the level of access to be granted to different types of user
  • Change management: Controls the actual requests for access
  • Service asset and configuration management: To identify data storage and interrogate CIs to determine current access details
  • Request fulfilment: Provides methods and means by which users can request access to the standard services that are available to them.

6.7 INFORMATION MANAGEMENT (SO 4.5.7)

Access management holds unique information on the identity of each user. The details include:

  • Name, address and contact details
  • Physical documents, such as passport, driving licence
  • A reference number, such as employee number
  • Biometric information
  • Expiry date, if relevant.

This data may relate to employees, contractors, vendor staff or customers (in the case of internet-based services). All data held about users is subject to data protection legislation and should be protected by each organization’s security procedures.

Access management generates a username and password and has the information on the access types granted to the specific resources.

To be effective, access management needs the following information:

  • Well-defined procedures between IT and HR that include fail-safe checks to ensure that access rights are removed as soon as they are no longer justified or required
  • ‘User profile’, ‘user template’ or ‘user role’: used to describe the type of grouping for easier management of standard access
  • The groups that users may belong to and the associated access requirements, although a user may have additional access requirements relating to their role. Some groups may have specific access requirements
  • A catalogue of all the roles in the organization and which services support each role. This catalogue of roles is compiled and maintained by access management in conjunction with HR and may be automated in the directory services tools.

6.8 CRITICAL SUCCESS FACTORS AND KEY PERFORMANCE INDICATORS (SO 4.5.8)

The efficiency and effectiveness of the process can be measured by identifying critical success factors (CSFs) for the process, each CSF being supported by key performance indicators (KPIs):

  • CSF: Ensure that the confidentiality, integrity and availability of services are protected in accordance with the information security policy:
    • KPI: Percentage of incidents that involved inappropriate security access or attempts at access to services
    • KPI: Number of audit findings that discovered incorrect access settings for users who have changed roles or left the company
    • KPI: Number of incidents requiring a reset of access rights
    • KPI: Number of incidents caused by incorrect access settings
  • CSF: Provide appropriate access to services on a timely basis to meet business needs:
    • KPI: Percentage of requests for access (e.g. service request, RFC) that were provided within established service level agreements (SLAs) and operational level agreements (OLAs)
  • CSF: Provide timely communications about improper access or abuse of services:
    • KPI: Average duration of access-related incidents (from time of discovery to escalation).

6.9 CHALLENGES AND RISKS (SO 4.5.9)

Challenges include:

  • Monitoring and reporting on access activity as well as incidents and problems related to access
  • Verifying the identity of a user and that he or she qualifies for access to a specific service, and verifying the identity of the approving person or body
  • Linking multiple access rights to an individual user
  • Determining the status of users at any time
  • Managing changes to a user’s access requirements
  • Restricting access rights to unauthorized users
  • Building and maintaining a database of all users and the rights that they have been granted.

Risks include:

  • Lack of appropriate supporting technologies to manage and control access to services, which can lead to a dependency on error-prone manual tasks
  • Controlling access from ‘back-door’ sources such as application interfaces
  • Managing and controlling access to services by external third-party suppliers
  • Lack of management support for access management
  • Access levels and management controls unnecessarily hindering the business.

6.10 ROLES AND RESPONSIBILITIES (SO 6.7.9)

6.10.1 Access management process owner

Responsibilities include:

  • Carrying out the generic process owner role for the access management process (see section 1.5)
  • Designing access request workflows
  • Working with other process owners to ensure there is an integrated approach to the design and implementation of access management, incident management, event management, request fulfilment and problem management.

6.10.2 Access management process manager

Responsibilities include:

  • Carrying out the generic process manager role for the access management process (see section 1.5)
  • Planning and managing support for access management tools and processes
  • Coordinating interfaces between access management and other service management processes.

6.10.3 Other access management roles

Responsibilities of service desk staff include:

  • Providing a route to request access to a service via a service request. The service desk will validate the request, then pass it to the appropriate team to provide access. This team may have delegated responsibility for providing access for simple services during the call
  • Communicating with the user when access has been granted and ensuring that he or she receives any other required support
  • Detecting and reporting incidents related to access.

Responsibilities of technical and application management staff include:

  • During service design, ensuring that mechanisms are created to simplify and control access management for each service; finding ways to detect and stop the abuse of rights
  • During service transition, testing the service to ensure that access can be granted, controlled and prevented as designed
  • During service operation, performing access management for the systems under their control and dealing with access-related incidents and problems
  • Providing training to service desk or IT operations management to ensure that staff are adequately trained and that they have access to the appropriate tools to enable them to perform these tasks.

Responsibilities of IT operations management staff could include:

  • Providing or revoking access to key systems or resources for each area
  • Using the operations bridge to monitor events related to access management and provide first-line support and coordination in the resolution of those events where appropriate.