Chapter 37
Service Operation Processes: Access Management

THE FOLLOWING ITIL INTERMEDIATE EXAM OBJECTIVES ARE DISCUSSED IN THIS CHAPTER:

  • ✓  Access management is discussed in terms of its
    • Purpose
    • Objectives
    • Scope
    • Value
    • Policies
    • Principles and basic concepts
    • Process activities, methods, and techniques
    • Triggers, inputs, outputs, and interfaces
    • Critical success factors and key performance indicators
    • Challenges
    • Risks

Access management is the process of granting authorized users the right to use a service while preventing nonauthorized users from gaining access. It is also sometimes referred to as rights management or identity management. Access requirements can change frequently, and service operation is responsible for granting access quickly, in line with the needs of the business, while ensuring that all requests are properly authorized.

Purpose

In Chapter 15, “Service Design Processes: Information Security Management and Supplier Management,” we discussed information security management and its role in defining security policies. The process for implementing many of these policies is access management. This process provides users who have the required authorization with the ability to use the services they require. Ensuring that only authorized individuals are given access to data is a concern of every IT service provider; failure to carry this out correctly can be damaging and possibly breach legal or regulatory requirements. Consider the damage that could be done to an organization discovered to have allowed unauthorized access to medical or banking records because of poor access management processes.

Organizations need to ensure that access is managed not only when a new member of staff is appointed and set up with access to the systems, but also when the staff member leaves. A challenge many organizations face is keeping up-to-date with changing access requirements as a staff member moves between departments. Often new access rights are requested, but it’s never determined whether the existing access rights are still required in the new position; therefore, the individual may amass significant rights over a period of years if this step is not carried out. It is dependent, in part, on the business informing the IT service provider of staff moving between departments; the IT provider should routinely query whether existing access is still required when additional access is requested.

There may also be occasions when access is restricted, perhaps, for example, during an investigation into suspected wrongdoing to prevent any evidence from being destroyed. Such requests would normally be made by senior management or human resources.

Objectives

The objectives of the access management process are to do the following:

  • Manage access to services, carrying out the policies defined within information security management (see Chapter 15).
  • Ensure that all requests for access are verified and authorized. This may include requests to restrict or remove access.
  • Ensure that requests are dealt with efficiently, balancing the requirement for authorization and control with the need to be responsive to business requirements.
  • Ensure (once access rights are granted) that the rights that have been granted are used in accordance with security policies. This might include, for example, Internet access for personal use. Although some personal use may be allowed, there are likely to be categories of websites that may not be accessed.

Scope

The scope of access management, as we have said, is the efficient execution of information security management policies. By carrying these out, the confidentiality, integrity, and availability (CIA) of the organization’s data and intellectual property are protected. Confidentiality here means that only authorized users are able to see the data. Integrity means that the data is kept safe from corruption or unauthorized change. Access management ensures that the service is made available to the authorized user. This does not guarantee that it will always be available during service hours, which is the responsibility of availability management.

A request for access will often be made through the request management process. Some organizations will maintain a specialized team to carry out requests, but more commonly they are carried out by other functions. Technical and application management functions are involved, and a significant part of the process may be handled within the service desk. There should be a single coordination point to ensure consistency.

Value

The access management process provides a number of benefits to the business:

  • First, by controlling access to services, it protects the confidentiality of the organization’s information. Customer confidentiality, for example, is a significant concern for many organizations.
  • A second benefit is that staff have the right level of access to perform their roles.
  • A third benefit is that the process provides a means of tracking the use of services by users.
  • Sometimes there may be a need to revoke access rights quickly—for example, if a user is suspected of criminal behavior. The process enables this to be done.
  • Finally, the process will support regulatory and legal compliance not only by managing access, but also by being able to demonstrate that access is managed.

Policies

The ITIL Service Operation publication describes five useful policies for access management.

  • The first policy is a formal statement of things we have already mentioned, especially that the management of access to services is led by the policies and controls defined by information security management. An implication of this is that if an unusual request for access is received, and it doesn’t appear to fall within the guidelines laid down by information security management, then the request should be escalated to information security management. It cannot be granted at the discretion of access management.
  • Another policy is that the use of services should be logged and tracked. Tracked here implies that access should be monitored in real time and events triggered as appropriate. There are also implications here for service designers—services must have the means of logging activity built into them.
  • The third policy is that the process must keep the access rights up-to-date. In particular, it should modify rights as individuals change roles or leave the organization.
  • The fourth policy is related to the second. It says that the process should maintain an accurate history of successful and unsuccessful attempts to access services. This information would be useful, for example, for later examination by auditors.
  • The final policy is that escalation procedures should be defined for any events that threaten security.

Principles and Basic Concepts

We’re now going to examine a number of basic access management concepts.

Access refers to the level and extent of a service’s functionality or data that a user is entitled to use.

Identity refers to the information about a user that distinguishes them as an individual and verifies their status within the organization.

Rights, or privileges, refer to the actual settings whereby a user is provided access—for example, read, write, execute, change, and delete.

Service groups provide a means of simplifying the task of allocating rights. The idea behind service groups is that there are groups of users who will require exactly the same rights to the same set of services. Instead of rights being granted individually, a service group is created that has the required set of rights. Users are linked to the service group and will inherit the rights of the group.

Directory services refer to specific types of tools that are used to manage access and rights.

The High-Level Activities of the Access Management Process

You do not need to know the access management process in detail for the exam, but an understanding of the key points in managing access requests will help you understand the process. Figure 37.1 shows the Access Management process flow. We are going to look at each step of the process.

[Figure 37.1 (image not reproduced): flow diagram showing the receipt of access requests from change management, service requests, human resources, and applications; verification of the requester and validation of the request; identity status monitoring; provision of rights; and logging and tracking of access.]

Figure 37.1 Access management process flow

Copyright © AXELOS Limited 2010. All rights reserved. Material is reproduced under license from AXELOS.

Request Access

A request for access can be made in a number of ways:

  • The access request could be handled as a service request through the request fulfilment portal.
  • It may result from the completion of a request form.
  • If the change of access affects many users, a request for change will probably be used. For example, the transition of a new service will mean updating the access rights of everyone who will use the service.
  • Another route is through an automated process. For example, each year a college or university will enroll possibly thousands of new students, and each of them must be granted access to student IT services. This is often done automatically by the student registration system when the student actually registers.
  • The request may also come automatically from the HR system when a new member of staff is recorded or the status of an existing employee changes, such as when someone resigns or is transferred or promoted.

All requests, whether or not they are valid, are logged.

Verifying and Validating

The access request must then be verified. The identity of the requestor must be confirmed, and the access requirement must be judged as legitimate.

Usually, an existing user’s username and password are accepted as proof of identity. In more secure environments, biometric data or physical identification devices can be used.

For new users, some physical evidence of identity will be required, such as official proof of identity (passport, driver’s license).

New users include not only new permanent staff members, but also temporary and third-party users such as visitors, contract staff, and vendors. The organization will define how a request will be verified.

The second aspect of verification is checking that the request is legitimate; that is, the user is authorized to have the rights requested. This verification must be independent of the requester. A user cannot verify the legitimacy of their own request. Often a request will be verified by a line manager or HR. Requests that come by way of a request for change (RFC) will have been authorized through the change management process.

Some services will be available for use by anyone who requests them; there should be a policy that defines them. If the request is not valid, then it will be logged and returned to the requester. An incident may be raised to investigate why an invalid request was raised, if thought necessary. A valid request will be actioned appropriately.

Provide Access

The task of providing rights is often devolved to a specialist technical or application team that has the necessary knowledge and skills. This task can be automated by using access management tools that interface with multiple applications. This is only possible, of course, if the design of the applications included this as a requirement.

Access rights are associated with a role: a payroll clerk has the right to use the payroll system. Users can occupy multiple roles, each of which brings a set of rights, and sometimes these conflict with some enterprise policy such as the separation of duties. For example, it is usual practice to ensure that a person who places an order with a supplier is not able to authorize payment. Where a role conflict occurs, access management should escalate the issue to the appropriate stakeholder, who will be someone in the business area concerned. (For example, if the roles are within the finance department, the issue would be referred to the appropriate stakeholder in that department; if the roles are within the IT department, the appropriate IT manager would be consulted.)

Monitor Access

Once the access has been granted, the status of the user should be monitored to ensure that they still have a valid requirement for the access. In practice, this can be difficult to achieve. Access management should be notified of staff that leave so that their access can be revoked, and many organizations have robust procedures to ensure that this is done. Many organizations encounter difficulty in tracking the changing roles and accompanying access requirements of users, especially those who have been in the organization for many years. In this situation, new access requirements are added to existing rights, with no verification that the existing rights are still required. Consideration should be given to adding questions about existing access requirements to the access request form. The human resources department needs to be made aware of the importance of supplying information regarding changing job roles to access management in order to protect the organization’s data. Access management should understand these different types of staff changes and determine how it will become aware of them. Ideally, this will be automated by an interface with the HR system. The failure to respond to changes in status is a common security issue. It leads, for example, to computer accounts remaining available for use even though the users have left the organization.

The access tracking activity might trigger a security incident if, for example, an unsuccessful attempt to access a service is made by a valid user.

Remove Access

The last activity that we’ll look at is removing or restricting a user’s rights. There are a number of circumstances when this might be necessary. Although in many cases the modification is permanent, such as in the case of dismissal or promotion, there may be situations where this is only temporary. For example, in some organizations, a user’s computer account is suspended when they go on leave.

Access should be permanently revoked when a user leaves an organization; again, the human resources department needs to understand the importance of informing access management quickly in this situation.

Access management has to ensure that rights are not improperly used, which will require that access is logged and tracked. The degree of oversight required is determined when the service is designed and the appropriate logging mechanisms are provided. Should possible misuse be detected, the process must respond appropriately. This will usually entail raising a security incident and alerting stakeholders. In this situation, access may be temporarily revoked during the investigation, with access being restored if the misuse is deemed to have been an innocent mistake, or permanently revoked if it is found to be deliberate. The access management process may be required to provide a record of access, perhaps in the context of the investigation of criminal behavior.
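As an added illustration that is not from the book or from ITIL, the following Python model ties together several of the activities described above: service groups that bundle rights (Principles and Basic Concepts), verification that is independent of the requester, escalation of a separation-of-duties conflict at the Provide Access step, HR-driven mover, leaver and suspension changes (Monitor and Remove Access), and a log of every request and access attempt. The group names, rights, and the conflict rule are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the book): each service group bundles the
# rights its members inherit, expressed as (service, right) pairs.
SERVICE_GROUPS = {
    "staff": {("email", "read"), ("intranet", "read")},
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "purchasing": {("orders", "write")},
    "payments_approver": {("payments", "approve")},
}

# Constructed separation-of-duties rule: placing an order and approving its
# payment must not sit with one person, so these groups may not be held together.
SOD_CONFLICTS = [frozenset({"purchasing", "payments_approver"})]


@dataclass
class User:
    user_id: str
    groups: set = field(default_factory=set)
    status: str = "active"  # active | suspended | left


class AccessManager:
    def __init__(self):
        self.users = {}
        self.log = []  # every request, HR event and attempt is logged, valid or not

    def _log(self, kind, user_id, subject, outcome):
        self.log.append({"kind": kind, "user": user_id, "subject": subject, "outcome": outcome})
        return outcome

    def request_access(self, user_id, group, requester, approver):
        """Verify and validate the request, then provide access or escalate."""
        user = self.users.setdefault(user_id, User(user_id))
        # Legitimacy must be confirmed by someone other than the requester or beneficiary.
        if approver in (requester, user_id):
            return self._log("request", user_id, group, "rejected: not independently authorized")
        # A group outside the defined policy cannot be granted at access management's discretion.
        if group not in SERVICE_GROUPS:
            return self._log("request", user_id, group, "escalated: outside security policy")
        # Role conflict: escalate to the business stakeholder instead of granting.
        for conflict in SOD_CONFLICTS:
            if group in conflict and (conflict - {group}) & user.groups:
                return self._log("request", user_id, group, "escalated: separation-of-duties conflict")
        user.groups.add(group)
        return self._log("request", user_id, group, "granted")

    def hr_event(self, user_id, event):
        """Status changes fed from the HR system: leaver, mover, suspend, reinstate."""
        user = self.users.setdefault(user_id, User(user_id))
        if event == "leaver":
            user.status, user.groups = "left", set()
        elif event == "mover":
            # On a role change, old rights are dropped and must be re-requested and re-checked.
            user.groups = set()
        elif event == "suspend":
            user.status = "suspended"  # e.g. while an investigation is under way
        elif event == "reinstate":
            user.status = "active"
        else:
            return self._log("hr", user_id, event, "rejected: unknown event")
        return self._log("hr", user_id, event, "applied")

    def rights(self, user_id):
        """Effective rights: the union of the user's groups, none unless the user is active."""
        user = self.users.get(user_id)
        if user is None or user.status != "active":
            return set()
        return set().union(*(SERVICE_GROUPS[g] for g in user.groups))

    def attempt(self, user_id, service, right):
        """Record a use of the service; a failure by a known user is a security event."""
        ok = (service, right) in self.rights(user_id)
        self._log("attempt", user_id, f"{service}:{right}", "success" if ok else "failure")
        return ok

    def failed_attempts(self, user_id):
        """The history of unsuccessful attempts an auditor or investigator would ask for."""
        return [e for e in self.log if e["kind"] == "attempt"
                and e["user"] == user_id and e["outcome"] == "failure"]
```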

Triggers, Inputs, Outputs, and Interfaces

Next we consider the triggers for the process, its inputs and outputs, and the interfaces it shares with other processes.

Triggers

Access management is triggered by a request for a user or users to access a service or group of services. This could originate from a number of circumstances.

The first possible trigger is an RFC, especially where a large number of access changes are required, perhaps as part of a rollout or project.

Another possible trigger is a service request. This is usually initiated through the service desk, or input directly into the request fulfilment system, and executed by the relevant technical or application management teams.

A request from human resources is another possible trigger. In this situation, human resources management personnel make the request through the service desk. These requests usually result from hiring, promotion, relocation, termination, or retirement.

The final trigger may be a request from the manager of a department, who could be performing a human resources role or who could have made a decision to start using a service for the first time.

Inputs

The inputs to the process are those that relate to the triggers, such as these:

  • Authorized RFCs and authorized requests to grant or terminate access rights
  • The security policies of the enterprise
  • Any information about the identity of users

Other inputs are the operational and service level requirements for granting access to services, performing access management administrative activities, and responding to events related to access management.

Outputs

The access management process has the following outputs:

  • The provision of access to IT services in accordance with information security policies
  • The access management records showing when access has been granted or denied and the reasons for the denial
  • Timely communications concerning inappropriate access or abuse of services

Interfaces

The access management process interfaces with a number of other service management processes.

A key interface is the one with information security management. As already stated, access management acts under the guidance and instruction of information security management and plays an essential part in ensuring that the requirements of the information security policies are met.

Many requests for access will come from the change management process in the form of authorized requests for change or even standard changes.

It is through the service level management process that access requirements and criteria are agreed on with the business on a service-by-service basis.

The relationship of the process with IT service continuity management is interesting. Access requirements may need to be varied should the continuity plan be invoked. Also, there may be a need to grant temporary access when the plan is being tested.

Request fulfilment provides a route for users to submit access requests.

Critical Success Factors and Key Performance Indicators

The ITIL Service Operation publication suggests three critical success factors (CSFs) for access management.

The first is “Ensuring that the confidentiality, integrity, and availability of services are protected in accordance with the information security policy.” The key performance indicators (KPIs) show whether the critical success factors are being achieved. The first KPI is the percentage of incidents that involved inappropriate security access or attempts at access to services. You can see that this is measuring actual consequences of poor access management. The second KPI is the number of audit findings that discovered incorrect access settings for users who have changed roles or left the company. This is measuring the potential for security lapses caused by poor access management.

The second CSF for access management is “Provide appropriate access to services in a manner that’s timely enough to meet business needs.” The example KPI for this is the percentage of requests for access that were provided within established SLAs and OLAs.

The last CSF for access management is “Provide timely communications about improper access or abuse of services.” This, and the suggested KPI of a reduction in the average duration of access-related incidents (from time of discovery to escalation), are about ensuring that any issues are dealt with expeditiously.

Challenges

For access management to be successful, it must overcome a number of challenges. It must be able to do the following:

  • Verify the identity of both the user and the approving person or body
  • Verify that a user qualifies for access to a specific service
  • Link multiple access rights to an individual user
  • Determine the status of the user at any time, for example, to check whether they are still an employee
  • Manage changes to a user’s access requirements
  • Restrict access rights to unauthorized users
  • Keep a database of all users and the rights that they have been granted

Meeting these challenges requires a considerable effort.

Risks

Finally, we consider the risks faced by access management. Failure to meet any of the challenges described in the preceding section is a risk, of course. There are five additional risks:

  • The first risk is a lack of appropriate supporting technologies, causing a reliance on error-prone manual involvement.
  • Another risk is controlling access from “backdoor” sources such as application interfaces.
  • A third risk is managing and controlling access to services by external third-party suppliers. Third parties may need access for a variety of legitimate reasons, but the access is often occasional and unplanned, which makes it difficult to manage.
  • Lack of management support for the process is a risk for all service management processes. A particular issue here is that managers often see security controls as obstructing them and their staff from accomplishing their tasks and therefore do not support them.
  • There is a risk that access controls will hinder the ability of users to conduct business.

Summary

This chapter explored the remaining process in the service operation stage, access management. It covered access management’s purpose, objectives, scope, and value. We discussed policies, principles, and basic concepts; process activities, methods, and techniques; triggers, inputs, outputs, and interfaces; critical success factors and key performance indicators; and challenges and risks.

You learned about the key ITIL concepts of access, identity, rights, and service groups.

We discussed the importance of access management in preventing unauthorized access to data and some of the issues that arise in monitoring access rights.

Exam Essentials

Understand the purpose, objectives, and scope of access management. Explain the relationship between access management and information security management. Access management is not just granting access; it is also restricting or removing it as required.

Understand the main process activities of access management. Explain the following access management activities: requesting access, validating and verifying a request, providing access and monitoring how it is used, and finally, where necessary, removing it.

Review Questions

You can find the answers to the review questions in the appendix.

  1. Which of the following is the best description of access management?

    1. Access management enables authorized access to services and data. Information security management prevents nonauthorized staff from gaining access.
    2. Access management grants authorized users the right to use a service while preventing nonauthorized users from gaining access.
    3. Access management is responsible for setting security policies.
    4. Access management decides what services users should have access to.
  2. Why is effective access management important for an organization?

    1. Because there may be legal requirements to require control over access to data.
    2. Because poor access management may lead to data that should have been protected being made available to unauthorized individuals, leading to negative press that could damage the reputation of the organization.
    3. Because effective access management will reduce costs.
    4. Because without it, potential customers may hesitate to deal with the organization, concerned that their data will not be protected.
    5. Because otherwise, deciding what access to allow will be an IT rather than a business decision.
      1. 1, 2, and 4 only
      2. 1, 4, and 5 only
      3. All of the above
      4. 1, 2, 4, and 5 only
  3. Which of the following is NOT a challenge for access management?

    1. Verifying identity
    2. Validating access requests
    3. Tracking access rights when users change names (such as upon marriage) or have the same name as another user
    4. Tracking changes in requirements as users change jobs
  4. When might access management reduce or remove access?

    1. If the user is on long-term leave
    2. If the user has left the organization
    3. If the user is under investigation for wrongdoing
    4. If the user has changed jobs within the organization
      1. All of the above
      2. 1, 3, and 4 only
      3. 2, 3, and 4 only
      4. 1, 2, and 3 only
  5. Which of the following is the best description of why access management monitors the use of the access rights granted to users?

    1. To understand if users are accessing forbidden websites
    2. To ensure that the security policy is being adhered to
    3. To monitor users’ personal emails
    4. To understand how often users attempt to breach security
  6. When it’s used in the context of access management, what does the acronym CIA stand for?

    1. Corruption, insecurity, and authorization
    2. Contingency, integration, and accessibility
    3. Configuration, integrity, and availability
    4. Confidentiality, integrity, and availability
  7. Who might be involved in carrying out the access management process?

    1. A specialized team
    2. Technical and application management functions
    3. The service desk
    4. The information security process owner
      1. Any of the above
      2. 1, 2, and 3 only
      3. 1 and 2 only
      4. 1, 3, and 4 only
  8. Which of the following is NOT an example of how a business benefits from the access management process?

    1. By controlling access to services, it protects the confidentiality of the organization’s information.
    2. It defines the levels of protection required for different classes of data.
    3. It ensures that staff have the right level of access to perform their roles.
    4. It provides the means of tracking the use of services by users.
  9. Which of the following is the correct definition for the term identity?

    1. The level and extent of a service’s functionality or data that a user is entitled to use.
    2. The specific types of tool used to manage access and rights.
    3. The information about a user that distinguishes them as an individual and verifies their status within the organization.
    4. The actual settings whereby a user is provided access—for example, read, write, execute, change, and delete. It provides the means of tracking the use of services by users.
  10. Which of the following are valid triggers for the access management process?

    1. An RFC
    2. A service request
    3. A request from human resources
    4. A request from the manager of a department
      1. Any of the above
      2. 1, 2, and 3 only
      3. 1 and 2 only
      4. 1, 3, and 4 only