SlideShare une entreprise Scribd logo

Dit yvol5iss38

Rick Lemieux
Rick Lemieux
TechnologieBusiness
1  sur  3
Télécharger pour lire hors ligne
The workable, practical guide to Do IT Yourself Vol. 5.38 • September 24, 2009 6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management By Janet Kuhn We have all been in this situation. We know that managing security is a mandate in today's IT environment, but calls are swamping the Service Desk. "I've been on vacation. I've forgotten my password." "I have a new employee starting today. She needs to be able to log into X application." "I've been promoted. How do I get Manager privileges?" And, the dreaded "Some unauthorized changes were made. Who has access to the system?" It is like herding cats to stay current on who is who in the corporate structure, and who should have which level of authority. Access Management, one of the Service Operation processes, provides key guidance to help rein in those Security lions lying in the bushes. One of the outstanding features in the ITIL V.3 Service Lifecycle is that it separates operational and execution activities from strategic and design ones. For example, the Service Operation volume clearly defines the boundaries around Access Management, the operational process that grants users’ right to use a particular service, versus the security policies defined and established in Security and Availability Management. ITIL V3 is adamant about it. Access Management does not define security standards; it solely and exclusively executes the Security and Availability policies and actions that are in place. As such, it performs six key activities – requesting access, verification, providing rights, monitoring identity status, logging and tracking access, and removing or restricting rights. The following paragraphs take a closer look at each of these areas. You will see that bringing each one of these under control will help avoid the morass of issues depicted above. #1 Requesting Access This is an excellent place to start defining your Access Management procedures, as requests to change an access level generally emanate from only a few, well-defined areas. For instance, the Human Resources system could generate a standard request for access whenever someone is hired, promoted or transferred or leaves the company. Other entry points for a request for access could be a Request for Change (RFC) into the Change Management System (Service Transition) or a Service Request from the Request Fulfillment System (Service Operation). You can include the procedure for requesting access as part of the Service Catalog (Service Design). In general, the Security policies will define which areas and departments may request access, and the Access Management process will design the mechanisms to carry out that request. # 2 Verification The verification activity verifies a request for access to ensure that the user requesting the access is who he/she says he/she is, and that the user has a legitimate requirement for the service. There are many methods for verifying the user’s identity, ranging from low-tech personal recognition to high-tech biometric data. Establishing the legitimacy of the request requires a few more verification steps. For instance, you may require the Human Resources department or the appropriate manager to co-sign requests to add new users. The Change Management process should include a review of Access Management rights as it evaluates RFCs to specify Page 1 of 3
who should have access to the service and whether existing users are still valid. Depending on the levels of risk to the organization, the Security policies may define different levels of verifications to access different services. For example, a request to access the banking system may carry a much higher level of verification than a request to add a new employee to the internal network. #3 Providing Rights Once it has verified a user, Access Management provides the appropriate rights to him/her. However, Access Management should also be on the lookout for any role conflicts that might occur. For example, two separate accesses might be granted by different requesters to a single contract worker – one authorizing him to log time sheets for a project and the other authorizing him to approve all payment on work for the same project. In addition, large organizations may have many roles and groups, and sometimes a user may end up with mutually exclusive roles. Access Management does not fix role conflicts or duplications itself, but it informs the originators of the access requests about the issues. Again, the Security policy defines the rights that should be available to an individual, and Access Management grants rights based on this information. The Security team and the Access Management team must work together to build awareness within Access Management regarding potential role conflicts and mutual exclusions. #4 Monitoring Identity Status One of the problems with many manual Access Management systems in use today is that there is no easy way to monitor when a user changes roles or Identity Status. Typical events that trigger a change in Identity Status are job changes, promotions or demotions, transfers, resignation or death, retirement, disciplinary action, dismissals. By identifying trigger events similar to the above, it is possible to seek Access Management tools that will automate the Access Management process and provide an audit trail. Security policies define such trigger events, and Access Management builds ways to capture them. #5 Logging and Tracking Access All Technical and Application Management monitoring activities should include reviews of Access rights and utilization to ensure that the rights are being properly used. The review should direct all exceptions to Incident Management for investigation. Of course, it may be necessary to restrict the view of the Incident Record to only those people with a right to know as it could reveal vulnerabilities in the organization’s security tools or policies. Furthermore, Access Management may provide access records to assist corporate investigations into user activity. The Security group develops the requirements for monitoring and tracking, and Access Management develops the pursuant capabilities. #6 Removing or Restricting Rights Users do not stay in the same jobs or roles forever, and neither should their access rights. This is another place to set up standard procedures and policies to more easily identify events requiring the removal or restriction of rights. Some examples are death, resignation, dismissal, changed user roles, and physical moves to areas with different access rights. Based on such changes in User status or access requirements, Access Management adjusts access rights according to Security policy. Concluding Thoughts The key take-away from this DITY should be that Access Management holds responsibility solely for executing the security procedures that the organization’s Security policies define elsewhere in the organization. As a corollary, the six activities defined above provide a solid framework for building your own Access Management implementation plan. Page 2 of 3
Entire Contents © 2009 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). Page 3 of 3

Recommandé

Dit yvol5iss37
Dit yvol5iss37Dit yvol5iss37
Dit yvol5iss37
Rick Lemieux
 
Dit yvol5iss41
Dit yvol5iss41Dit yvol5iss41
Dit yvol5iss41
Rick Lemieux
 
IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
Rick Lemieux
 
Dit yvol5iss40
Dit yvol5iss40Dit yvol5iss40
Dit yvol5iss40
Rick Lemieux
 
Business-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach MattersBusiness-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach Matters
EMC
 
BMC Discovery IDC Research Study 470 ROI in 5 Years
BMC Discovery IDC Research Study 470 ROI in 5 YearsBMC Discovery IDC Research Study 470 ROI in 5 Years
BMC Discovery IDC Research Study 470 ROI in 5 Years
Chris Farwell
 
Approaching Information Management from a Framework Perspective
Approaching Information Management from a Framework PerspectiveApproaching Information Management from a Framework Perspective
Approaching Information Management from a Framework Perspective
Rob Gerbrandt CD, PMP
 
AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21
AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21
AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21
Greg Clark
 

Recommandé

Dit yvol5iss37
Dit yvol5iss37Dit yvol5iss37
Dit yvol5iss37
Rick Lemieux
 
Dit yvol5iss41
Dit yvol5iss41Dit yvol5iss41
Dit yvol5iss41
Rick Lemieux
 
IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
Rick Lemieux
 
Dit yvol5iss40
Dit yvol5iss40Dit yvol5iss40
Dit yvol5iss40
Rick Lemieux
 
Business-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach MattersBusiness-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach Matters
EMC
 
BMC Discovery IDC Research Study 470 ROI in 5 Years
BMC Discovery IDC Research Study 470 ROI in 5 YearsBMC Discovery IDC Research Study 470 ROI in 5 Years
BMC Discovery IDC Research Study 470 ROI in 5 Years
Chris Farwell
 
Approaching Information Management from a Framework Perspective
Approaching Information Management from a Framework PerspectiveApproaching Information Management from a Framework Perspective
Approaching Information Management from a Framework Perspective
Rob Gerbrandt CD, PMP
 
AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21
AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21
AIIM Info360 Conference - What ECM Success Looks Like - 2010 04 21
Greg Clark
 
Dit yvol2iss30
Dit yvol2iss30Dit yvol2iss30
Dit yvol2iss30
Rick Lemieux
 
Chief information officer Assignment
Chief information officer AssignmentChief information officer Assignment
Chief information officer Assignment
Rabia Rajput
 
Transformation of legacy landscape in the insurance world
Transformation of legacy landscape in the insurance worldTransformation of legacy landscape in the insurance world
Transformation of legacy landscape in the insurance world
NIIT Technologies
 
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
EMC
 
Role of a CIO (Hidayatul Haq Hidayat)
Role of a CIO (Hidayatul Haq Hidayat) Role of a CIO (Hidayatul Haq Hidayat)
Role of a CIO (Hidayatul Haq Hidayat)
Hidayatul Haq Hidayat [HHH]
 
Business Operation
Business OperationBusiness Operation
Business Operation
TimothyNdakalu
 
Database Security Analysis
Database Security AnalysisDatabase Security Analysis
Database Security Analysis
Brendan Mc Sweeney
 
Aiim electronic records management trends
Aiim electronic records management trendsAiim electronic records management trends
Aiim electronic records management trends
Vander Loto
 
Enterprise Computing - A Vision of Future Today (Presentation to DCU students)
Enterprise Computing - A Vision of Future Today (Presentation to DCU students)Enterprise Computing - A Vision of Future Today (Presentation to DCU students)
Enterprise Computing - A Vision of Future Today (Presentation to DCU students)
Castlebridge Associates
 
Ema itsm-summary report-symponysummitai
Ema itsm-summary report-symponysummitaiEma itsm-summary report-symponysummitai
Ema itsm-summary report-symponysummitai
SymphonySummit
 
Dit yvol2iss43
Dit yvol2iss43Dit yvol2iss43
Dit yvol2iss43
Rick Lemieux
 
Scott_article_120307
Scott_article_120307Scott_article_120307
Scott_article_120307
John Scott
 
ITAM and CCM - A Unified Approach
ITAM and CCM - A Unified ApproachITAM and CCM - A Unified Approach
ITAM and CCM - A Unified Approach
David Messineo
 
7 information management trends
7 information management trends7 information management trends
7 information management trends
Vander Loto
 
IT-as-a-Service Solutions for Healthcare Providers
IT-as-a-Service Solutions for Healthcare ProvidersIT-as-a-Service Solutions for Healthcare Providers
IT-as-a-Service Solutions for Healthcare Providers
EMC
 
Improving decision making and managing knowledge
Improving decision making and managing knowledgeImproving decision making and managing knowledge
Improving decision making and managing knowledge
Prof. Othman Alsalloum
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
Luxembourg Institute of Science and Technology
 
Dit yvol3iss33
Dit yvol3iss33Dit yvol3iss33
Dit yvol3iss33
Rick Lemieux
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
joellemurphey
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, S
TakishaPeck109
 
Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)
Gord Reynolds
 

Contenu connexe

Tendances

Aiim electronic records management trends
Aiim electronic records management trendsAiim electronic records management trends
Aiim electronic records management trends
Vander Loto
 
Scott_article_120307
Scott_article_120307Scott_article_120307
Scott_article_120307
John Scott
 
ITAM and CCM - A Unified Approach
ITAM and CCM - A Unified ApproachITAM and CCM - A Unified Approach
ITAM and CCM - A Unified Approach
David Messineo
 
7 information management trends
7 information management trends7 information management trends
7 information management trends
Vander Loto
 
Improving decision making and managing knowledge
Improving decision making and managing knowledgeImproving decision making and managing knowledge
Improving decision making and managing knowledge
Prof. Othman Alsalloum
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 

Tendances (18)

Dit yvol2iss30
Dit yvol2iss30Dit yvol2iss30
Dit yvol2iss30
 
Chief information officer Assignment
Chief information officer AssignmentChief information officer Assignment
Chief information officer Assignment
 
Transformation of legacy landscape in the insurance world
Transformation of legacy landscape in the insurance worldTransformation of legacy landscape in the insurance world
Transformation of legacy landscape in the insurance world
 
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...Forrester: How Organizations Are Improving Business Resiliency with Continuou...
Forrester: How Organizations Are Improving Business Resiliency with Continuou...
 
Role of a CIO (Hidayatul Haq Hidayat)
Role of a CIO (Hidayatul Haq Hidayat) Role of a CIO (Hidayatul Haq Hidayat)
Role of a CIO (Hidayatul Haq Hidayat)
 
Business Operation
Business OperationBusiness Operation
Business Operation
 
Database Security Analysis
Database Security AnalysisDatabase Security Analysis
Database Security Analysis
 
Aiim electronic records management trends
Aiim electronic records management trendsAiim electronic records management trends
Aiim electronic records management trends
 
Enterprise Computing - A Vision of Future Today (Presentation to DCU students)
Enterprise Computing - A Vision of Future Today (Presentation to DCU students)Enterprise Computing - A Vision of Future Today (Presentation to DCU students)
Enterprise Computing - A Vision of Future Today (Presentation to DCU students)
 
Ema itsm-summary report-symponysummitai
Ema itsm-summary report-symponysummitaiEma itsm-summary report-symponysummitai
Ema itsm-summary report-symponysummitai
 
Dit yvol2iss43
Dit yvol2iss43Dit yvol2iss43
Dit yvol2iss43
 
Scott_article_120307
Scott_article_120307Scott_article_120307
Scott_article_120307
 
ITAM and CCM - A Unified Approach
ITAM and CCM - A Unified ApproachITAM and CCM - A Unified Approach
ITAM and CCM - A Unified Approach
 
7 information management trends
7 information management trends7 information management trends
7 information management trends
 
IT-as-a-Service Solutions for Healthcare Providers
IT-as-a-Service Solutions for Healthcare ProvidersIT-as-a-Service Solutions for Healthcare Providers
IT-as-a-Service Solutions for Healthcare Providers
 
Improving decision making and managing knowledge
Improving decision making and managing knowledgeImproving decision making and managing knowledge
Improving decision making and managing knowledge
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 

Similaire à Dit yvol5iss38

Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
joellemurphey
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, S
TakishaPeck109
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
LynellBull52
 

Similaire à Dit yvol5iss38 (20)

Dit yvol3iss33
Dit yvol3iss33Dit yvol3iss33
Dit yvol3iss33
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, S
 
Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)
 
5182
51825182
5182
 
5182
51825182
5182
 
5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts
 
Mm Access Management (ITIL)
Mm Access Management (ITIL)Mm Access Management (ITIL)
Mm Access Management (ITIL)
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practices
 
Cyber_Management_Issues.pdf
Cyber_Management_Issues.pdfCyber_Management_Issues.pdf
Cyber_Management_Issues.pdf
 
Access Control and Maintenance.pptx
Access Control and Maintenance.pptxAccess Control and Maintenance.pptx
Access Control and Maintenance.pptx
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
Priviledged Identity Management
Priviledged Identity ManagementPriviledged Identity Management
Priviledged Identity Management
 
Priviledged identity management
Priviledged identity managementPriviledged identity management
Priviledged identity management
 
Priviledged Identity Management
Priviledged Identity ManagementPriviledged Identity Management
Priviledged Identity Management
 
IdM Reference Architecture
IdM Reference ArchitectureIdM Reference Architecture
IdM Reference Architecture
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
 
Audit Controls Paper
Audit Controls PaperAudit Controls Paper
Audit Controls Paper
 

Plus de Rick Lemieux

Plus de Rick Lemieux (20)

Dit yvol5iss36
Dit yvol5iss36Dit yvol5iss36
Dit yvol5iss36
 
Dit yvol5iss35
Dit yvol5iss35Dit yvol5iss35
Dit yvol5iss35
 
Dit yvol5iss34
Dit yvol5iss34Dit yvol5iss34
Dit yvol5iss34
 
Dit yvol5iss31
Dit yvol5iss31Dit yvol5iss31
Dit yvol5iss31
 
Dit yvol5iss33
Dit yvol5iss33Dit yvol5iss33
Dit yvol5iss33
 
Dit yvol5iss32
Dit yvol5iss32Dit yvol5iss32
Dit yvol5iss32
 
Dit yvol5iss30
Dit yvol5iss30Dit yvol5iss30
Dit yvol5iss30
 
Dit yvol5iss29
Dit yvol5iss29Dit yvol5iss29
Dit yvol5iss29
 
Dit yvol5iss28
Dit yvol5iss28Dit yvol5iss28
Dit yvol5iss28
 
Dit yvol5iss26
Dit yvol5iss26Dit yvol5iss26
Dit yvol5iss26
 
Dit yvol5iss25
Dit yvol5iss25Dit yvol5iss25
Dit yvol5iss25
 
Dit yvol5iss24
Dit yvol5iss24Dit yvol5iss24
Dit yvol5iss24
 
Dit yvol5iss23
Dit yvol5iss23Dit yvol5iss23
Dit yvol5iss23
 
Dit yvol5iss22
Dit yvol5iss22Dit yvol5iss22
Dit yvol5iss22
 
Dit yvol5iss21
Dit yvol5iss21Dit yvol5iss21
Dit yvol5iss21
 
Dit yvol5iss20
Dit yvol5iss20Dit yvol5iss20
Dit yvol5iss20
 
Dit yvol5iss19
Dit yvol5iss19Dit yvol5iss19
Dit yvol5iss19
 
Dit yvol5iss17
Dit yvol5iss17Dit yvol5iss17
Dit yvol5iss17
 
Dit yvol5iss16
Dit yvol5iss16Dit yvol5iss16
Dit yvol5iss16
 
Dit yvol5iss15
Dit yvol5iss15Dit yvol5iss15
Dit yvol5iss15
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Dernier (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Dit yvol5iss38

  • 1. The workable, practical guide to Do IT Yourself Vol. 5.38 • September 24, 2009 6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management By Janet Kuhn We have all been in this situation. We know that managing security is a mandate in today's IT environment, but calls are swamping the Service Desk. "I've been on vacation. I've forgotten my password." "I have a new employee starting today. She needs to be able to log into X application." "I've been promoted. How do I get Manager privileges?" And, the dreaded "Some unauthorized changes were made. Who has access to the system?" It is like herding cats to stay current on who is who in the corporate structure, and who should have which level of authority. Access Management, one of the Service Operation processes, provides key guidance to help rein in those Security lions lying in the bushes. One of the outstanding features in the ITIL V.3 Service Lifecycle is that it separates operational and execution activities from strategic and design ones. For example, the Service Operation volume clearly defines the boundaries around Access Management, the operational process that grants users’ right to use a particular service, versus the security policies defined and established in Security and Availability Management. ITIL V3 is adamant about it. Access Management does not define security standards; it solely and exclusively executes the Security and Availability policies and actions that are in place. As such, it performs six key activities – requesting access, verification, providing rights, monitoring identity status, logging and tracking access, and removing or restricting rights. The following paragraphs take a closer look at each of these areas. You will see that bringing each one of these under control will help avoid the morass of issues depicted above. #1 Requesting Access This is an excellent place to start defining your Access Management procedures, as requests to change an access level generally emanate from only a few, well-defined areas. For instance, the Human Resources system could generate a standard request for access whenever someone is hired, promoted or transferred or leaves the company. Other entry points for a request for access could be a Request for Change (RFC) into the Change Management System (Service Transition) or a Service Request from the Request Fulfillment System (Service Operation). You can include the procedure for requesting access as part of the Service Catalog (Service Design). In general, the Security policies will define which areas and departments may request access, and the Access Management process will design the mechanisms to carry out that request. # 2 Verification The verification activity verifies a request for access to ensure that the user requesting the access is who he/she says he/she is, and that the user has a legitimate requirement for the service. There are many methods for verifying the user’s identity, ranging from low-tech personal recognition to high-tech biometric data. Establishing the legitimacy of the request requires a few more verification steps. For instance, you may require the Human Resources department or the appropriate manager to co-sign requests to add new users. The Change Management process should include a review of Access Management rights as it evaluates RFCs to specify Page 1 of 3
  • 2. who should have access to the service and whether existing users are still valid. Depending on the levels of risk to the organization, the Security policies may define different levels of verifications to access different services. For example, a request to access the banking system may carry a much higher level of verification than a request to add a new employee to the internal network. #3 Providing Rights Once it has verified a user, Access Management provides the appropriate rights to him/her. However, Access Management should also be on the lookout for any role conflicts that might occur. For example, two separate accesses might be granted by different requesters to a single contract worker – one authorizing him to log time sheets for a project and the other authorizing him to approve all payment on work for the same project. In addition, large organizations may have many roles and groups, and sometimes a user may end up with mutually exclusive roles. Access Management does not fix role conflicts or duplications itself, but it informs the originators of the access requests about the issues. Again, the Security policy defines the rights that should be available to an individual, and Access Management grants rights based on this information. The Security team and the Access Management team must work together to build awareness within Access Management regarding potential role conflicts and mutual exclusions. #4 Monitoring Identity Status One of the problems with many manual Access Management systems in use today is that there is no easy way to monitor when a user changes roles or Identity Status. Typical events that trigger a change in Identity Status are job changes, promotions or demotions, transfers, resignation or death, retirement, disciplinary action, dismissals. By identifying trigger events similar to the above, it is possible to seek Access Management tools that will automate the Access Management process and provide an audit trail. Security policies define such trigger events, and Access Management builds ways to capture them. #5 Logging and Tracking Access All Technical and Application Management monitoring activities should include reviews of Access rights and utilization to ensure that the rights are being properly used. The review should direct all exceptions to Incident Management for investigation. Of course, it may be necessary to restrict the view of the Incident Record to only those people with a right to know as it could reveal vulnerabilities in the organization’s security tools or policies. Furthermore, Access Management may provide access records to assist corporate investigations into user activity. The Security group develops the requirements for monitoring and tracking, and Access Management develops the pursuant capabilities. #6 Removing or Restricting Rights Users do not stay in the same jobs or roles forever, and neither should their access rights. This is another place to set up standard procedures and policies to more easily identify events requiring the removal or restriction of rights. Some examples are death, resignation, dismissal, changed user roles, and physical moves to areas with different access rights. Based on such changes in User status or access requirements, Access Management adjusts access rights according to Security policy. Concluding Thoughts The key take-away from this DITY should be that Access Management holds responsibility solely for executing the security procedures that the organization’s Security policies define elsewhere in the organization. As a corollary, the six activities defined above provide a solid framework for building your own Access Management implementation plan. Page 2 of 3
  • 3. Entire Contents © 2009 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). Page 3 of 3