Access Management

Access management is the process of granting authorized users the right to use a service while preventing access by unauthorized users. It is also sometimes referred to as rights management or identity management. Access requirements can change frequently, and service operation is responsible for granting access quickly, in line with the needs of the business, while ensuring that all requests are properly authorized.

Purpose

In Chapter 6, we discussed information security management and its role in defining security policies. The process for implementing many of these policies is access management. This process provides users, who have the required authorization, with the ability to use the services they require. Ensuring that only authorized individuals are given access to data is a concern of every IT service provider; failure to carry this out correctly can be very damaging and possibly breach legal or regulatory requirements. Consider the damage that could be done to an organization discovered to have allowed unauthorized access to medical or banking records because of poor access management processes.

Organizations need to ensure that access is managed not only when a new member of staff is appointed and set up with access to the systems but also when the staff member leaves. A challenge many organizations face is keeping up to date with changing access requirements as a staff member moves between departments. Often the new access requirement is requested, but there is no questioning of whether the existing access rights are still required in the new position; if this step is not carried out, the individual may amass significant rights over a period of years. This depends, in part, on the business informing the IT service provider of staff movements; the IT provider should routinely query whether existing access is still required whenever additional access is requested.

There may also be occasions when access is restricted, perhaps during an investigation into suspected wrongdoing, to prevent any evidence from being destroyed. Such requests would normally be made by senior management or human resources.

Objectives

The objectives of the access management process are to do the following:

  • Manage access to services, carrying out the policies defined within information security management (see the service design stage).
  • Ensure that all requests for access are verified and authorized. This may include requests to restrict or remove access.
  • Ensure that requests are dealt with efficiently, balancing the requirement for authorization and control with the need to be responsive to business requirements.
  • Ensure (once access rights are granted) that the rights that have been granted are used in accordance with security policies. This might include, for example, the use of Internet access for personal use. Although some personal use may be allowed, there are likely to be categories of websites that may not be accessed.

Scope

The scope of access management, as we have said, is the efficient execution of information security management policies. By carrying these out, the confidentiality, availability, and integrity (CIA) of the organization’s data and intellectual property are protected. Confidentiality here means that only authorized users are able to see the data. Integrity means that the data is kept safe from corruption or unauthorized change. Access management ensures that the service is made available to the authorized user; this does not guarantee that it will always be available during service hours, because this is the responsibility of availability management.

A request for access will often be made through the request management process. Some organizations will maintain a specialized team to carry out the requests, but more commonly it is carried out by other functions. Technical and application management functions are involved, and a significant part of the process may be handled within the service desk. There should be a single coordination point to ensure consistency.

You do not need to know the access management process in detail for the exam, but an understanding of the key points in managing access requests will help you understand its objectives.

The first step is to request access. This may be done through the request fulfillment process described earlier or through the completion of a request form. The access request must then be verified before it can be actioned: the identity of the requestor must be confirmed, and the access requirement must be judged legitimate. The identity may be confirmed by the requestor providing their username and password or, in the case of a new user, by the request having been made by human resources or a line manager. The validity of the request may also be confirmed by requiring authorization from human resources or an appropriate manager.

Once the access has been granted, the status of the user should be monitored to ensure that they still have a valid requirement for the access. In practice, this can be difficult to achieve. Access management should be notified of staff that leave so that their access can be revoked, and many organizations have robust procedures to ensure that this is done. Many organizations encounter difficulty in tracking the changing roles and accompanying access requirements of users, especially those who have been in the organization for many years. In this situation, new access requirements are added to existing rights, with no questioning of whether these existing rights are still required. Consideration should be given to adding questions about existing access requirements to the access request form. The human resources department needs to be made aware of the importance of supplying information regarding changing job roles to access management in order to protect the organization’s data.

Access should be revoked when the user leaves the organization; again, the human resources department needs to understand the importance of informing access management quickly in this situation.
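The monitoring and revocation steps described above, as an added example that is not part of this guide: a reconciliation check that compares HR's view of each user against the access they currently hold and flags the two failure modes the text names, rights carried over from a previous role and access that survives a leaver. The record fields, the department-to-entitlement policy table, and all HR and grant data are constructed assumptions.

```python
"""Entitlement reconciliation for access management reviews (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user: str
    department: str   # current department according to HR
    active: bool      # False once HR records the person as a leaver


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_for: str  # department the access was originally requested for


# Assumed policy: the entitlements each department legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance": {"ledger-read", "ledger-write"},
    "clinical": {"patient-records"},
    "it": {"ledger-read", "admin-console"},
}


def review_grants(employees, grants):
    """Return (user, entitlement, reason) for every grant that needs review.

    A grant is flagged when HR has no active record for the user (leaver or
    unknown account) or when the entitlement is not part of the user's
    current department's policy set (a right accumulated from an old role).
    """
    by_user = {e.user: e for e in employees}
    findings = []
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None or not emp.active:
            findings.append((g.user, g.entitlement, "leaver"))
        elif g.entitlement not in ROLE_ENTITLEMENTS.get(emp.department, set()):
            reason = f"granted for {g.granted_for}, now in {emp.department}"
            findings.append((g.user, g.entitlement, reason))
    return findings


# Constructed sample data: one department move, one leaver, one orphan account.
HR = [
    Employee("alice", "clinical", True),   # moved from finance to clinical
    Employee("bob", "it", True),
    Employee("carol", "finance", False),   # left; HR marked the record inactive
]
GRANTS = [
    Grant("alice", "ledger-write", "finance"),      # never removed after the move
    Grant("alice", "patient-records", "clinical"),  # legitimate for current role
    Grant("bob", "admin-console", "it"),
    Grant("carol", "ledger-read", "finance"),       # leaver still holds access
    Grant("dave", "admin-console", "it"),           # no HR record at all
]
```

Running `review_grants(HR, GRANTS)` yields three findings: alice's finance-era write access, carol's surviving read access, and dave's account with no HR owner; bob's grants pass.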
