ITIL Intermediate OSA Tutorial: Access Management
6.1 Access Management
Introduction Hello and welcome to the eLearning course, Module 6 of the ITIL Intermediate OSA preparation course by Simplilearn. In this module we will learn about Access Management. At the end of this module you will take the chapter-end quiz. Let us move to the next slide and look at the agenda for this module.
6.2 Access Management
Agenda Like every other module under OSA, the agenda for Access Management covers the objectives, scope, policies, metrics, challenges, risks, triggers, inputs and outputs, and information management of Access Management. In the next slide we will learn about the purpose and objectives of Access Management.
6.3 Access Management - Purpose and Objectives
Access Management – Purpose and Objectives Purpose: The purpose of Access Management is to provide users with the right to use a service or group of services, while preventing access by users who are not authorized. Objectives include:
• Managing access to services based on the policies and actions defined by Information Security Management, and responding efficiently to requests for granting access to services, changing access rights or restricting access.
• Overseeing access to services and ensuring that the rights provided are not improperly used.
The next slide talks about the scope of Access Management.
6.4 Access Management - Scope
Access Management – Scope What is the scope of Access Management? Scope means the boundary within which the process operates.
• Access Management is effectively the execution of Information Security Management: it enables the organisation to maintain the confidentiality, integrity and availability of its data.
• Access Management ensures that users are given the right to use a service, but it does not ensure that this access is available at all agreed times – that is provided by Availability Management.
• Access Management is a process that is executed by all Technical and Application Management functions and is usually not a separate function. However, there is likely to be a single control point of coordination, usually in IT Operations Management or on the Service Desk.
• Access Management can be initiated by a Service Request through the Service Desk.
Moving on, let us look at the value Access Management provides to the business.
6.5 Access Management - Value to the Business
Access Management – Value to the Business How does Access Management add value to the business? Access Management provides value by controlling access to services, ensuring that the organization is able to maintain the confidentiality of its information more effectively. It adds value by providing all employees with the right level of access to execute their jobs effectively. Other benefits are:
• There is less likelihood of errors being made in data entry, or in the use of a critical service, by an unskilled user (e.g. production control systems).
• The ability to audit the use of services and to trace the abuse of services.
• The ability to easily revoke access rights when needed.
• Controlled access may be a required control for regulatory compliance (e.g. SOX and HIPAA) and for control frameworks such as COBIT.
Let us learn about the policies in the next slide.
6.6 Access Management - Policies
Access Management – Policies In this slide we will go through the different policies stated for Access Management.
• Access Management administration and associated activities should be guided and directed by the policies and controls defined by Information Security Management.
• Access Management should log and track access to services and ensure that the rights provided are appropriately used.
• Access Management should maintain access to services in alignment with changes in personnel status, such as transfers and terminations.
• Access Management should maintain an accurate history of who has accessed, or tried to access, services. This provides information to those conducting auditing and compliance activities.
• Policies for handling, escalating and communicating security events should be clearly defined and documented in accordance with the information security policy.
6.7 Access Management - Key Concepts
Access Management is the process that enables users to use the services that are documented in the Service Catalogue. It comprises the following basic concepts: access, identity, rights, service groups and directory services.
• Access refers to the level and extent of a service’s functionality or data that a user is entitled to use.
• Identity refers to the information about a user that distinguishes them as an individual and verifies their status within the organization. By definition, the identity of a user is unique to that user. Shared or generic accounts break this link, which is why the audit trail described later depends on each user having an individual identity.
• Rights (also called privileges) refer to the actual settings whereby a user is provided access to a service or group of services. Typical rights, or levels of access, include read, write, execute, change and delete.
• Services or service groups. Most users do not use only one service, and users performing a similar set of activities will use a similar set of services. Instead of providing access to each service for each user separately, it is more efficient to grant each user, or group of users, access to the whole set of services they are entitled to use at the same time.
• Directory Services refers to a specific type of tool that is used to manage access and rights.
So far, we have learnt about the purpose, objectives, scope, policies and concepts of Access Management. Let us move on to the activities in the next slide.
6.8 Access Management - Activities
Access Management – Activities The next two slides will talk about the different activities of the Access Management process. Requesting access is the first activity, and it is what actually triggers the process. Access (or restriction) can be requested through any number of mechanisms, including:
■ A standard request generated by the Human Resources system. This is generally done whenever a person is hired, promoted, transferred or leaves the company.
■ A Request for Change.
■ A Service Request submitted via the Request Fulfilment system.
Once the request for access is raised, the next activity, Verification, begins. Access Management needs to verify every request for access to an IT service from two perspectives:
1. The user requesting access is who they say they are.
2. The user has a legitimate requirement for that service.
Neither check should rest on the requester’s own assertion: the identity is confirmed against an authoritative source (for example the HR record or the directory), and the requirement is confirmed against the role catalogue or by the approving manager.
After verification it is time for Providing Rights. Access Management does not decide who has access to which IT services. Rather, Access Management executes the policies and regulations defined during Service Strategy and Service Design. It enforces decisions to restrict or provide access, rather than making the decision. As soon as a user has been verified, Access Management will provide that user with rights to use the requested service. In most cases this will result in a request to every team or department involved in supporting that service to take the necessary action. Where possible, these tasks should be automated. We will learn about the rest of the activities in the next slide.
6.9 Access Management - Activities
Access Management – Activities Monitoring Identity Status is another activity of the Access Management process. As users move within the organization, their roles change and so do their needs to access services. Examples of changes include:
• Job change
• Promotions and demotions
• Transfers
• Resignation or death
• Retirement
• Disciplinary action
• Dismissals
Access Management should understand and document the typical user lifecycle for each type of user and use it to automate the process. Access Management tools should provide features that enable a user to be moved from one state to another, or from one group to another, easily and with an audit trail.
Logging and Tracking Access is another important activity of Access Management. Access Management should not only respond to requests; it is also responsible for ensuring that the rights it has provided are being properly used. In this respect, access monitoring and control must be included in the monitoring activities of all Technical and Application Management functions and all Service Operation processes.
Removing or restricting rights is usually done in the following circumstances:
• Death
• Resignation
• Dismissal
• When the user has changed roles and no longer requires access to the service
• Transfer or travel to an area where different regional access applies
Let us now look at what triggers Access Management.
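The following is an added illustration, not part of the Simplilearn course material, of how the activities on these two slides fit together as one lifecycle: a request is verified from both perspectives, rights are provided only as the role catalogue dictates, a role change or termination is detected and the rights held are removed or restricted, and every step is logged. The role catalogue, the services, the user and the sequence of events are all constructed for the example; the class and method names are the example's own.

```python
"""Constructed walkthrough of the Access Management activities: request,
verification, providing rights, monitoring identity status and removing or
restricting rights, with an audit trail.  Not from the ITIL text."""
from dataclasses import dataclass, field

# Constructed catalogue of roles -> services -> rights.  Access Management
# enforces this catalogue; it does not decide who gets access.
ROLE_CATALOGUE = {
    "standard_user": {"email": {"read", "write"}, "intranet": {"read"}},
    "marketing_manager": {
        "marketing_tools": {"read", "write", "execute"},
        "finance_models": {"read"},
        "intranet": {"read", "write"},
    },
    "payroll_clerk": {"payroll": {"read", "write", "change"}},
}


@dataclass
class User:
    user_id: str                          # unique identity
    roles: set = field(default_factory=set)
    status: str = "active"                # "active" or "terminated"


class AccessManager:
    def __init__(self, catalogue):
        self.catalogue = catalogue
        self.rights = {}   # user_id -> {service: set of rights currently held}
        self.audit = []    # history of every grant, denial, change and removal

    def _log(self, event, user_id, service, detail=""):
        self.audit.append((event, user_id, service, detail))

    def _entitled(self, user, service):
        """Rights the user's current roles confer on a service (empty = none)."""
        rights = set()
        for role in user.roles:
            rights |= self.catalogue.get(role, {}).get(service, set())
        return rights

    def request_access(self, user, service, identity_verified):
        # Verification 1: the requester is who they say they are.
        if not identity_verified:
            self._log("denied", user.user_id, service, "identity not verified")
            return False
        # Verification 2: a legitimate requirement, i.e. a current role needs it.
        if user.status != "active":
            self._log("denied", user.user_id, service, f"user is {user.status}")
            return False
        rights = self._entitled(user, service)
        if not rights:
            self._log("denied", user.user_id, service, "no role entitles this service")
            return False
        # Providing rights: exactly what the catalogue says, nothing more.
        self.rights.setdefault(user.user_id, {})[service] = set(rights)
        self._log("granted", user.user_id, service, ",".join(sorted(rights)))
        return True

    def change_role(self, user, old_role, new_role):
        """Monitoring identity status: transfer, promotion or demotion."""
        user.roles.discard(old_role)
        user.roles.add(new_role)
        self._log("role_change", user.user_id, "", f"{old_role} -> {new_role}")
        self._reconcile(user)

    def terminate(self, user, reason):
        """Resignation, dismissal, retirement or death: all rights go."""
        user.status = "terminated"
        self._log("status_change", user.user_id, "", reason)
        self._reconcile(user)

    def _reconcile(self, user):
        """Remove rights no role supports; restrict rights to what roles allow."""
        held = self.rights.get(user.user_id, {})
        for service in list(held):
            allowed = self._entitled(user, service) if user.status == "active" else set()
            if not allowed:
                del held[service]
                self._log("removed", user.user_id, service, "no longer required")
            elif held[service] - allowed:
                held[service] = allowed
                self._log("restricted", user.user_id, service, ",".join(sorted(allowed)))

    def history(self, user_id):
        """The accurate history of access and attempted access for one user."""
        return [e for e in self.audit if e[1] == user_id]


def walkthrough():
    """Run one constructed user through the lifecycle; returns state for inspection."""
    am = AccessManager(ROLE_CATALOGUE)
    alice = User("alice", {"standard_user", "marketing_manager"})
    am.request_access(alice, "email", identity_verified=True)             # granted
    am.request_access(alice, "finance_models", identity_verified=False)   # denied: identity
    am.request_access(alice, "payroll", identity_verified=True)           # denied: no role
    am.request_access(alice, "marketing_tools", identity_verified=True)   # granted
    am.request_access(alice, "intranet", identity_verified=True)          # granted read,write
    am.change_role(alice, "marketing_manager", "payroll_clerk")           # transfer
    am.request_access(alice, "payroll", identity_verified=True)           # granted now
    am.terminate(alice, "resignation")                                    # everything removed
    return am, alice


if __name__ == "__main__":
    manager, _ = walkthrough()
    for entry in manager.history("alice"):
        print(entry)
```

The point to notice is in `_reconcile`: a transfer does not just add the new role's rights, it takes away what the old role justified (marketing tools removed, intranet cut back from read/write to read), and termination empties the entry entirely while the audit trail keeps every grant and denial.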
6.10 Access Management - Triggers
Access Management – Triggers Access Management is triggered by a request for a user or users to access a service or group of services.
• An RFC can trigger Access Management. This is most frequently used for large-scale service introductions or upgrades where the rights of a significant number of users need to be updated as part of the project.
• A Service Request can trigger Access Management. This is usually initiated through the Service Desk, or directly into the Request Fulfilment system, and executed by the relevant Technical or Application Management teams.
• A request from the appropriate Human Resources Management personnel (which should be channelled via the Service Desk) can also trigger Access Management. This is usually generated as part of the process for hiring, promoting, relocating, terminating or retiring an employee.
• A request from the manager of a department, who could be performing an HR role, or who could have decided to start using a service for the first time, can also trigger the process.
Like any other process, Access Management has defined inputs and outputs. Let us look at them in the next slide.
6.11 Access Management - Inputs and Outputs
Access Management – Inputs and Outputs Inputs of the process include:
• Information security policies
• Operational and service level requirements
• Authorized RFCs
• Authorized requests to grant or terminate access rights
Outputs include:
• Provision of access to IT services in accordance with information security policies
• Access Management records and history of access granted to services
• Access Management records and history of where access has been denied, and the reasons for the denial
• Timely communication concerning inappropriate access or abuse of services
The next slide talks about the interfaces of Access Management.
6.12 Access Management - Interfaces
Access Management – Interfaces Access Management interfaces with Information Security Management, Change Management and Service Level Management. Information Security Management is a key driver for Access Management, as it provides the security and data protection policies and tools needed to execute Access Management. Change Management plays an important role as the means to control the actual requests for access. This is because any request for access to a service is a change, although it is usually processed as a Standard Change or Service Request (possibly using a model) once the criteria for access have been agreed through SLM. SLM maintains the agreements for access to each service. These include the criteria for who is entitled to access each service, what the cost of that access will be, if appropriate, and what level of access will be granted to different types of user (e.g. managers or staff). There is also a strong relationship between Access Management and Configuration Management. The CMS can be used for data storage and interrogated to determine current access details. We have looked at how ISM is the key driver of Access Management. Let us now learn how the information of Access Management is managed in the next slide.
6.13 Access Management - Information Management
Access Management – Information Management The information managed by Access Management includes identity and users, groups, roles and service groups.
Identity: The identity of a user is the information about them that distinguishes them as an individual and verifies their status within the organization. By definition, the identity of a user is unique to that user. Since there are cases where two users share a common piece of information (e.g. they have the same name), identity is usually established using more than one piece of information, for example:
• Name
• Address
• Contact details, e.g. telephone, e-mail address, etc.
Note that these attributes establish who a user is; they are not secrets, so they identify the user but should not on their own be relied upon to authenticate a request.
Users, Groups, Roles and Service Groups: While each user has an individual identity, and each IT service can be seen as an entity in its own right, it is often helpful to group them together so that they can be managed more easily. Sometimes the terms ‘user profile’, ‘user template’ or ‘user role’ are used to describe this type of grouping. Most users need a standard set of services, but many also have some specialized role that they perform. For example, in addition to the standard services, a user may perform a Marketing Management role, which requires access to specialized marketing and financial modelling tools and data. To make it easier for Access Management to provide the appropriate rights, it uses a catalogue of all the roles in the organization and the services that support each role. This catalogue of roles should be compiled and maintained by Access Management in conjunction with HR, and will often be automated in the Directory Services tools. To measure the efficiency of any process, metrics play a key role. Let us learn about the Access Management metrics in the next slide.
6.14 Access Management - Metrics
Access Management – Metrics Metrics that can be used to measure the efficiency and effectiveness of Access Management include:
• Number of requests for access (Service Request, RFC, etc.)
• Instances of access granted, by service, user, department, etc.
• Instances of access granted, by the department or individual granting the rights
• Number of incidents requiring a reset of access rights
• Number of incidents caused by incorrect access settings
Like all other processes, Access Management faces its own challenges and risks. Let us look into them in detail.
6.15 Access Management - Challenges and Risks
Access Management – Challenges and Risks Here are the challenges the process might face.
• Monitoring and reporting on access activity, and on incidents and problems related to access, can be a huge challenge.
• Verifying the identity of a user is a challenge almost every service provider faces, because of the sheer number of users.
• Verifying that a user qualifies for access to a specific service is a very important task, but it can be a challenge to do it consistently every time a user asks for any kind of access.
• Linking multiple access rights to an individual user can be a challenge.
• Determining the status of users at any time, managing changes to a user’s access requirements, and restricting access rights for unauthorized users can also become challenges for the process.
Similarly, the risks the process might face are:
• Lack of appropriate supporting technologies to manage and control access to services, and controlling access through back-door routes that bypass the process.
• Managing and controlling access to services by external third-party suppliers.
• Ensuring that the necessary levels of access to services, and the necessary management controls, are provided in a manner that does not unnecessarily hinder the ability of users to conduct business.
In the next slide we will learn about the critical success factors of Access Management.
6.16 Access Management - CSFs and KPIs
The given list includes some sample CSFs for Access Management. Each organization should identify appropriate CSFs and KPIs based on its objectives for the process. Each sample CSF is followed by a small number of typical KPIs that support the CSF. These KPIs should not be adopted without careful consideration. Each organization should develop KPIs that are appropriate for its level of maturity, its CSFs and its particular circumstances. Achievement against KPIs should be monitored and used to identify opportunities for improvement, which should be logged in the continual service improvement (CSI) register for evaluation and possible implementation.
Let us see, for example, one of the CSFs, which states: ensure that the confidentiality, integrity and availability of services are protected in accordance with the information security policy. Supporting this CSF, the KPIs would be:
• Percentage of incidents that involved inappropriate security access, or attempts at access, to services
• Number of audit findings that discovered incorrect access settings for users who have changed roles or left the company
• Number of incidents requiring a reset of access rights
• Number of incidents caused by incorrect access settings
Another CSF states: provide appropriate access to services on a timely basis that meets business needs. The supporting KPI is: Percentage of requests for access
A last example of a CSF states: provide timely communication about improper access or abuse of services. The supporting KPI is: Average duration of access-related incidents.
With this we have come to the end of Module 6. Before moving on to Module 7 on the Service Desk, let us quickly recap Access Management in the next slide.
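As an added example, not part of the course material, the following shows how the metrics of slide 6.14 and the audit-finding KPI of 6.16 (incorrect access settings for users who have changed roles or left the company) can be computed from the records the process produces. It assumes two exports that the organization's tools would provide: the Access Management request history and the current rights held, plus an HR status feed and the role catalogue. All four are constructed sample data here, and the column names and function names are the example's own.

```python
"""Constructed example: computing Access Management metrics and audit findings
from process records.  Not from the ITIL text; the data is made up."""
import csv
import io
from collections import Counter

# Constructed Access Management records: one line per access request.
ACCESS_LOG = """\
timestamp,request_type,user,service,outcome,granted_by,detail
2024-03-01T09:00,service_request,u100,email,granted,service_desk,standard_user
2024-03-01T09:05,hr_event,u101,payroll,granted,hr_automation,payroll_clerk
2024-03-02T11:00,rfc,u102,erp,granted,app_management,bulk rollout
2024-03-02T12:00,service_request,u103,payroll,denied,service_desk,no role entitlement
2024-03-03T08:30,service_request,u100,finance_models,denied,service_desk,identity not verified
2024-03-03T10:00,hr_event,u104,payroll,granted,hr_automation,payroll_clerk
"""

# Constructed export of rights currently held (as a directory tool might produce).
CURRENT_RIGHTS = """\
user,service,rights
u100,email,read;write
u101,payroll,read;write;change
u102,erp,read
u104,payroll,read;write
"""

# Constructed HR status feed: user -> (status, current role).
HR_STATUS = {
    "u100": ("active", "standard_user"),
    "u101": ("active", "marketing_manager"),   # transferred out of payroll
    "u102": ("active", "erp_user"),
    "u104": ("terminated", "payroll_clerk"),   # left the company
}

# Constructed role catalogue: which services each role requires.
ROLE_SERVICES = {
    "standard_user": {"email"},
    "payroll_clerk": {"payroll"},
    "erp_user": {"erp"},
    "marketing_manager": {"marketing_tools", "finance_models"},
}


def _rows(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def request_metrics(log_text):
    """Metrics from 6.14: requests by type, grants by service and by grantor,
    and denials by reason."""
    rows = _rows(log_text)
    granted = [r for r in rows if r["outcome"] == "granted"]
    denied = [r for r in rows if r["outcome"] == "denied"]
    return {
        "requests_by_type": Counter(r["request_type"] for r in rows),
        "granted_by_service": Counter(r["service"] for r in granted),
        "granted_by_grantor": Counter(r["granted_by"] for r in granted),
        "denied_by_reason": Counter(r["detail"] for r in denied),
    }


def audit_findings(rights_text, hr_status, role_services):
    """KPI from 6.16: incorrect access settings for users who changed roles or
    left.  A right currently held is a finding when the user is not active,
    is unknown to HR, or holds a role that does not require the service."""
    findings = []
    for row in _rows(rights_text):
        status, role = hr_status.get(row["user"], ("unknown", None))
        if status != "active":
            findings.append((row["user"], row["service"], f"user status is {status}"))
        elif row["service"] not in role_services.get(role, set()):
            findings.append((row["user"], row["service"],
                             f"role {role} does not require {row['service']}"))
    return findings


if __name__ == "__main__":
    for name, counter in request_metrics(ACCESS_LOG).items():
        print(name, dict(counter))
    for finding in audit_findings(CURRENT_RIGHTS, HR_STATUS, ROLE_SERVICES):
        print("finding:", finding)
```

Reconciling the rights actually held against HR status and the role catalogue is the check that turns the "leavers and movers" KPI into something measurable: in the sample data it surfaces a transferred user who kept payroll rights and a terminated user whose account was never cleaned up, neither of which the request log alone would reveal.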
6.17 Access Management - Summary
Access Management – Summary Like all previous modules, we have covered the purpose, objectives, scope, inputs and outputs, triggers, challenges, risks, activities, information management and metrics of Access Management. Thank you! See you in Module 7.