THE FOLLOWING ITIL INTERMEDIATE EXAM OBJECTIVES ARE DISCUSSED IN THIS CHAPTER:
Access management is the process of granting authorized users the right to use a service while preventing nonauthorized users from gaining access. It is also sometimes referred to as rights management or identity management. Access requirements can change frequently, and service operation is responsible for granting access quickly, in line with the needs of the business, while ensuring that all requests are properly authorized.
In Chapter 15, “Service Design Processes: Information Security Management and Supplier Management,” we discussed information security management and its role in defining security policies. The process for implementing many of these policies is access management. This process provides users who have the required authorization with the ability to use the services they require. Ensuring that only authorized individuals are given access to data is a concern of every IT service provider; failure to carry this out correctly can be damaging and possibly breach legal or regulatory requirements. Consider the damage that could be done to an organization discovered to have allowed unauthorized access to medical or banking records because of poor access management processes.
Organizations need to ensure that access is managed not only when a new member of staff is appointed and set up with access to the systems, but also when the staff member leaves. A challenge many organizations face is keeping up to date with changing access requirements as a staff member moves between departments. Often new access rights are requested, but it’s never determined whether the existing access rights are still required in the new position; therefore, the individual may amass significant rights over a period of years if this step is not carried out. It is dependent, in part, on the business informing the IT service provider of staff moving between departments; the IT provider should routinely query whether existing access is still required when additional access is requested.
There may also be occasions when access is restricted, perhaps, for example, during an investigation into suspected wrongdoing to prevent any evidence from being destroyed. Such requests would normally be made by senior management or human resources.
The objectives of the access management process are to do the following:
The scope of access management, as we have said, is the efficient execution of information security management policies. By carrying these out, the confidentiality, integrity, and availability (CIA) of the organization’s data and intellectual property are protected. Confidentiality here means that only authorized users are able to see the data. Integrity means that the data is kept safe from corruption or unauthorized change. Access management ensures that the service is made available to the authorized user. This does not guarantee that it will always be available during service hours, which is the responsibility of availability management.
A request for access will often be made through the request management process. Some organizations will maintain a specialized team to carry out requests, but more commonly they are carried out by other functions. Technical and application management functions are involved, and a significant part of the process may be handled within the service desk. There should be a single coordination point to ensure consistency.
The access management process provides a number of benefits to the business:
The ITIL Service Operation publication describes five useful policies for access management.
We’re now going to examine a number of basic access management concepts.
Access refers to the level and extent of a service’s functionality or data that a user is entitled to use.
Identity refers to the information about a user that distinguishes them as an individual and verifies their status within the organization.
Rights, or privileges, refer to the actual settings whereby a user is provided access—for example, read, write, execute, change, and delete.
Service groups provide a means of simplifying the task of allocating rights. The idea behind service groups is that there are groups of users who will require exactly the same rights to the same set of services. Instead of rights being granted individually, a service group is created that has the required set of rights. Users are linked to the service group and will inherit the rights of the group.
Directory services refer to specific types of tools that are used to manage access and rights.
You do not need to know the access management process in detail for the exam, but an understanding of the key points in managing access requests will help you understand the process. Figure 37.1 shows the Access Management process flow. We are going to look at each step of the process.
A request for access can be made in a number of ways:
All requests, whether or not they are valid, are logged.
The access request must then be verified. The identity of the requestor must be confirmed, and the access requirement must be judged as legitimate.
Usually, an existing user’s username and password are accepted as proof of identity. In more secure environments, biometric data or physical identification devices can be used.
For new users, some physical evidence of identity will be required, such as official proof of identity (passport, driver’s license).
New users include not only new permanent staff members, but also temporary and third-party users such as visitors, contract staff, and vendors. The organization will define how a request will be verified.
The second aspect of verification is checking that the request is legitimate; that is, the user is authorized to have the rights requested. This verification must be independent of the requester. A user cannot verify the legitimacy of their own request. Often a request will be verified by a line manager or HR. Requests that come by way of a request for change (RFC) will have been authorized through the change management process.
Some services will be available for use by anyone who requests them; there should be a policy that defines them. If the request is not valid, then it will be logged and returned to the requester. An incident may be raised to investigate why an invalid request was raised, if thought necessary. A valid request will be actioned appropriately.
The task of providing rights is often devolved to a specialist technical or application team that has the necessary knowledge and skills. This task can be automated by using access management tools that interface with multiple applications. This is only possible, of course, if the design of the applications included this as a requirement.
Access rights are associated with a role: a payroll clerk has the right to use the payroll system. Users can occupy multiple roles, each of which brings a set of rights, and sometimes these conflict with some enterprise policy such as the separation of duties. For example, it is usual practice to ensure that a person who places an order with a supplier is not able to authorize payment. Where a role conflict occurs, access management should escalate the issue to the appropriate stakeholder, who will be someone in the business area concerned. (For example, if the roles are within the finance department, the issue would be referred to the appropriate stakeholder in that department; if the roles are within the IT department, the appropriate IT manager would be consulted.)
Once the access has been granted, the status of the user should be monitored to ensure that they still have a valid requirement for the access. In practice, this can be difficult to achieve. Access management should be notified of staff that leave so that their access can be revoked, and many organizations have robust procedures to ensure that this is done. Many organizations encounter difficulty in tracking the changing roles and accompanying access requirements of users, especially those who have been in the organization for many years. In this situation, new access requirements are added to existing rights, with no verification that the existing rights are still required. Consideration should be given to adding questions about existing access requirements to the access request form. The human resources department needs to be made aware of the importance of supplying information regarding changing job roles to access management in order to protect the organization’s data. Access management should understand these different types of staff changes and determine how it will become aware of them. Ideally, this will be automated by an interface with the HR system. The failure to respond to changes in status is a common security issue. It leads, for example, to computer accounts remaining available for use even though the users have left the organization.
The access-tracking activity might trigger a security incident if, for example, an unsuccessful attempt to access a service is made by a valid user.
The last activity that we’ll look at is removing or restricting a user’s rights. There are a number of circumstances when this might be necessary. Although in many cases the modification is permanent, such as in the case of dismissal or promotion, there may be situations where this is only temporary. For example, in some organizations, a user’s computer account is suspended when they go on leave.
Access should be permanently revoked when a user leaves an organization; again, the human resources department needs to understand the importance of informing access management quickly in this situation.
Access management has to ensure that rights are not improperly used, which will require that access is logged and tracked. The degree of oversight required is determined when the service is designed and the appropriate logging mechanisms are provided. Should possible misuse be detected, the process must respond appropriately. This will usually entail raising a security incident and alerting stakeholders. In this situation, access may be temporarily revoked during the investigation, with access being restored if the misuse is deemed to have been an innocent mistake, or permanently revoked if it is found to be deliberate. The access management process may be required to provide a record of access, perhaps in the context of the investigation of criminal behavior.
Next we consider the triggers for the process, its inputs and outputs, and the interfaces it shares with other processes.
Access management is triggered by a request for a user or users to access a service or group of services. This could originate from a number of circumstances.
The first possible trigger is an RFC, especially where a large number of access changes are required, perhaps as part of a rollout or project.
Another possible trigger is a service request. This is usually initiated through the service desk, or input directly into the request fulfilment system, and executed by the relevant technical or application management teams.
A request from human resources is another possible trigger. In this situation, human resources management personnel make the request through the service desk. These requests are usually the result of hiring, promotion, relocation, termination, or retirement.
The final trigger may be a request from the manager of a department, who could be performing a human resources role or who could have made a decision to start using a service for the first time.
The inputs to the process are those that relate to the triggers, such as these:
Other inputs are the operational and service level requirements for granting access to services, performing access management administrative activities, and responding to events related to access management.
The access management process has the following outputs:
The access management process interfaces with a number of other service management processes.
A key interface is the one with information security management. As already stated, access management acts under the guidance and instruction of information security management and plays an essential part in ensuring that the requirements of the information security policies are met.
Many requests for access will come from the change management process in the form of authorized requests for change or even standard changes.
It is through the service level management process that access requirements and criteria are agreed on with the business on a service-by-service basis.
The relationship of the process with IT service continuity management is interesting. Access requirements may need to be varied should the continuity plan be invoked. Also, there may be a need to grant temporary access when the plan is being tested.
Request fulfilment provides a route for users to submit access requests.
The ITIL Service Operation publication suggests three critical success factors (CSFs) for access management.
The first is “Ensuring that the confidentiality, integrity, and availability of services are protected in accordance with the information security policy.” The key performance indicators (KPIs) show whether the critical success factors are being achieved. The first KPI is the percentage of incidents that involved inappropriate security access or attempts at access to services. You can see that this is measuring actual consequences of poor access management. The second KPI is the number of audit findings that discovered incorrect access settings for users who have changed roles or left the company. This is measuring the potential for security lapses caused by poor access management.
The second CSF for access management is “Provide appropriate access to services in a manner that’s timely enough to meet business needs.” The example KPI for this is the percentage of requests for access that were provided within established SLAs and OLAs.
The last CSF for access management is “Provide timely communications about improper access or abuse of services.” This, and the suggested KPI of a reduction in the average duration of access-related incidents (from time of discovery to escalation), are about ensuring that any issues are dealt with expeditiously.
For access management to be successful, it must overcome a number of challenges. It must be able to do the following:
Meeting these challenges requires a considerable effort.
Finally, we consider the risks faced by access management. Failure to meet any of the challenges described in the preceding section is a risk, of course. There are five additional risks:
This chapter explored the remaining process in the service operation stage, access management. It covered access management’s purpose, objectives, scope, and value. We discussed policies, principles, and basic concepts; process activities, methods, and techniques; triggers, inputs, outputs, and interfaces; critical success factors and key performance indicators; and challenges and risks.
You learned about the key ITIL concepts of access, identity, rights, and service groups.
We discussed the importance of access management in preventing unauthorized access to data and some of the issues that arise in monitoring access rights.
Understand the purpose, objectives, and scope of access management. Explain the relationship between access management and information security management. Access management is not just granting access; it is also restricting or removing it as required.
Understand the main process activities of access management. Explain the following access management activities: requesting access, validating and verifying a request, providing a request and monitoring how it is used, and finally, where necessary, removing it.
Review Questions
You can find the answers to the review questions in the appendix.
1. Which of the following is the best description of access management?
2. Why is effective access management important for an organization?
3. Which of the following is NOT a challenge for access management?
4. When might access management reduce or remove access?
5. Which of the following is the best description of why access management monitors the use of the access rights granted to users?
6. When it’s used in the context of access management, what does the acronym CIA stand for?
7. Who might be involved in carrying out the access management process?
8. Which of the following is NOT an example of how a business benefits from the access management process?
9. Which of the following is the correct definition for the term identity?
10. Which of the following are valid triggers for the access management process?