SlideShare una empresa de Scribd logo

Dit yvol3iss33

Rick Lemieux
Rick Lemieux

The document outlines 6 steps to effective access management according to ITIL v3: 1) Requesting access through defined procedures like HR systems or change/service requests. 2) Verifying requests by confirming identity and legitimacy. 3) Providing appropriate rights once verified. 4) Monitoring identity status for changes triggering access updates. 5) Logging and tracking access for auditing and incidents. 6) Removing or restricting rights when users change roles or statuses. The 6 steps provide a framework for access management that solely executes security policies defined elsewhere, with the goal of streamlining access requests and maintenance.

TecnologíaEmpresariales
1 de 3
Descargar para leer sin conexión
6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management The workable, practical guide to Do IT Yourself Page 1 of 3 Vol. 3.33 • August 21, 2007 6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management By Janet Kuhn We have all been in this situation. We know that managing security is a mandate in today’s IT environment, but calls are swamping the Service Desk. “I’ve been on vacation. I’ve forgotten my password.” “I have a new employee starting today. She needs to be able to log into X application.” “I’ve been promoted. How do I get Manager privileges?” And, the dreaded “Some unauthorized changes were made. Who has access to the system?” It is like herding cats to stay current on who is who in the corporate structure, and who should have which level of authority. Access Management, one of the Service Operation processes, provides key guidance to help rein in those Security lions lying in the bushes. One of the outstanding differences in the ITIL V.3 Service Lifecycle is that it separates operational and execution activities from strategic and design ones. For example, the Service Operation volume clearly defines the boundaries around Access Management, the operational process that grants users’ right to use a particular service, versus the security policies defined and established in Security and Availability Management. ITIL V3 is adamant about it. Access Management does not define security standards; it solely and exclusively executes the Security and Availability policies and actions that are in place. As such, it performs six key activities – requesting access, verification, providing rights, monitoring identity status, logging and tracking access, and removing or restricting rights. The following paragraphs take a closer look at each of these areas. You will see that bringing each one of these under control will help avoid the morass of issues depicted above. Requesting Access This is an excellent place to start defining your Access Management procedures, as requests to change an access generally emanate from only a few, well-defined areas. For instance, the Human Resources system could generate a standard request for access whenever someone is hired, promoted or transferred or leaves the company. Other entry points for a request for access could be a Request for Change (RFC) into the Change Management System (Service Transition) or a Service Request from the Request Fulfillment System (Service Operation). You can include the procedure for requesting access as part of the Service Catalog (Service Design). In general, the Security policies will define which areas and departments may request access, and the Access Management process will design the mechanisms to carry out that request. Verification The verification activity verifies a request for access to ensure that the user requesting the access is who he/she says he/she is, and that the user has a legitimate requirement for the service. There are many methods for verifying the user’s identity, ranging from low-tech personal recognition to high-tech biometric data. Establishing the legitimacy of the request requires a few more verification steps. For instance, you may require notifications to add new users to be co-signed by the Human Resources department or the appropriate manager. http://www.itsmsolutions.com/newsletters/DITYvol3iss33.htm 8/21/2007
6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management Page 2 of 3 The Change Management process should include a review of Access Management rights as it evaluates RFCs to specify who should have access to the service and whether existing users are still valid. Depending on the levels of risk to the organization, the Security policies may define different levels of verifications to access different services. For example, a request to access the banking system may carry a much higher level of verification than a request to add a new employee to the internal network. Providing Rights Once it has verified a user, Access Management provides the appropriate rights to him/her. However, Access Management should also be on the lookout for any role conflicts that might occur. For example, two separate accesses might be granted by different requesters to a single contract worker – one authorizing him to log time sheets for a project and the other authorizing him to approve all payment on work for the same project. In addition, large organizations may have many roles and groups, and sometimes a user may end up with mutually exclusive roles. Access Management does not fix role conflicts or duplications itself, but it informs the originators of the access requests about the issues. Again, the Security policy defines the rights that should be available to an individual, and Access Management grants rights based on this information. The Security team and the Access Management team must work together to build awareness within Access Management regarding potential role conflicts and mutual exclusions. Monitoring Identity Status One of the problems with many manual Access Management systems in use today is that there is no easy way to monitor when a user changes roles or Identity Status. Typical events that trigger a change in Identity Status are job changes, promotions or demotions, transfers, resignation or death, retirement, disciplinary action, dismissals. By identifying trigger events similar to the above, it is possible to seek Access Management tools that will automate the Access Management process and provide an audit trail. Security policies define such trigger events, and Access Management builds ways to capture them. Logging and Tracking Access All Technical and Application Management monitoring activities should include reviews of Access rights and utilization to ensure that the rights are being properly used. The review should direct all exceptions to Incident Management for investigation. Of course, it may be necessary to restrict the view of the Incident Record to only those people with a right to know as it could reveal vulnerabilities in the organization’s security tools or policies. Furthermore, Access Management may provide access records to assist corporate investigations into user activity. The Security group develops the requirements for monitoring and tracking, and Access Management develops the pursuant capabilities. Removing or Restricting Rights Users do not stay in the same jobs or roles forever, and neither should their access rights. This is another place to set up standard procedures and policies to more easily identify events requiring the removal or restriction of rights. Some examples are death, resignation, dismissal, changed user roles, and physical moves to areas with different access rights. Based on such changes in User status or access requirements, Access Management adjusts access rights according to Security policy. Concluding Thoughts The key take-away from this DITY should be that Access Management holds responsibility solely for executing the security procedures that the organization’s Security policies define elsewhere in the organization. As a corollary, the six activities defined above provide a solid http://www.itsmsolutions.com/newsletters/DITYvol3iss33.htm 8/21/2007
6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management Page 3 of 3 framework for building your own Access Management implementation plan. Entire Contents © 2007 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). http://www.itsmsolutions.com/newsletters/DITYvol3iss33.htm 8/21/2007

Recomendados

Need of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless EnterpriseNeed of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless Enterprisehardik soni
 
Connecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementConnecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementEMC
 
Identity and Access Intelligence
Identity and Access IntelligenceIdentity and Access Intelligence
Identity and Access IntelligenceTim Bell
 
Security Management | System Administration
Security Management | System AdministrationSecurity Management | System Administration
Security Management | System AdministrationLisa Dowdell, MSISTM
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NETSupriya G
 
Security management and tools
Security management and toolsSecurity management and tools
Security management and toolsVibhor Raut
 
Priviledged Identity Management
Priviledged Identity ManagementPriviledged Identity Management
Priviledged Identity Managementrver21
 
Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.Computer engineering company
 

Recomendados

Need of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless EnterpriseNeed of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless Enterprisehardik soni
 
Connecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementConnecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementEMC
 
Identity and Access Intelligence
Identity and Access IntelligenceIdentity and Access Intelligence
Identity and Access IntelligenceTim Bell
 
Security Management | System Administration
Security Management | System AdministrationSecurity Management | System Administration
Security Management | System AdministrationLisa Dowdell, MSISTM
 
Defending broken access control in .NET
Defending broken access control in .NETDefending broken access control in .NET
Defending broken access control in .NETSupriya G
 
Security management and tools
Security management and toolsSecurity management and tools
Security management and toolsVibhor Raut
 
Priviledged Identity Management
Priviledged Identity ManagementPriviledged Identity Management
Priviledged Identity Managementrver21
 
Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.Computer engineering company
 
Get Ahead of your Next Security Breach
Get Ahead of your Next Security BreachGet Ahead of your Next Security Breach
Get Ahead of your Next Security BreachAbhishek Sood
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT SecuritySeccuris Inc.
 
LTS Secure offers PIM User Activity Monitoring
LTS Secure offers PIM User Activity MonitoringLTS Secure offers PIM User Activity Monitoring
LTS Secure offers PIM User Activity Monitoringrver21
 
Uid security
Uid securityUid security
Uid securityFardin Shaikh
 
Umer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Systems, Inc.
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM csandit
 
Password policy template
Password policy templatePassword policy template
Password policy templateJayaramachandran Rajendran
 
The Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling AccessThe Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling AccessKylie Dunn
 
IS Audits and Internal Controls
IS Audits and Internal ControlsIS Audits and Internal Controls
IS Audits and Internal ControlsBharath Rao
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 
Comparision of ISO with NIST and COBIT framework
Comparision of ISO with NIST and COBIT frameworkComparision of ISO with NIST and COBIT framework
Comparision of ISO with NIST and COBIT frameworkPooja Soni
 
Ijcet 06 10_002
Ijcet 06 10_002Ijcet 06 10_002
Ijcet 06 10_002IAEME Publication
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio
 
The 21 CFR Part 11 Compliance Checklist for Digital Applications
The 21 CFR Part 11 Compliance Checklist for Digital ApplicationsThe 21 CFR Part 11 Compliance Checklist for Digital Applications
The 21 CFR Part 11 Compliance Checklist for Digital ApplicationsEMMAIntl
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Consulting
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practicesamiable_indian
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseNetwrix Corporation
 
Dit yvol2iss22
Dit yvol2iss22Dit yvol2iss22
Dit yvol2iss22Rick Lemieux
 
Dit yvol4iss14
Dit yvol4iss14Dit yvol4iss14
Dit yvol4iss14Rick Lemieux
 
Dit yvol1iss3
Dit yvol1iss3Dit yvol1iss3
Dit yvol1iss3Rick Lemieux
 
Dit yvol3iss27
Dit yvol3iss27Dit yvol3iss27
Dit yvol3iss27Rick Lemieux
 

Más contenido relacionado

La actualidad más candente

Get Ahead of your Next Security Breach
Get Ahead of your Next Security BreachGet Ahead of your Next Security Breach
Get Ahead of your Next Security BreachAbhishek Sood
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT SecuritySeccuris Inc.
 
LTS Secure offers PIM User Activity Monitoring
LTS Secure offers PIM User Activity MonitoringLTS Secure offers PIM User Activity Monitoring
LTS Secure offers PIM User Activity Monitoringrver21
 
Umer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM csandit
 
The Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling AccessThe Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling AccessKylie Dunn
 
IS Audits and Internal Controls
IS Audits and Internal ControlsIS Audits and Internal Controls
IS Audits and Internal ControlsBharath Rao
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 
Comparision of ISO with NIST and COBIT framework
Comparision of ISO with NIST and COBIT frameworkComparision of ISO with NIST and COBIT framework
Comparision of ISO with NIST and COBIT frameworkPooja Soni
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio
 
The 21 CFR Part 11 Compliance Checklist for Digital Applications
The 21 CFR Part 11 Compliance Checklist for Digital ApplicationsThe 21 CFR Part 11 Compliance Checklist for Digital Applications
The 21 CFR Part 11 Compliance Checklist for Digital ApplicationsEMMAIntl
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Consulting
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practicesamiable_indian
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseNetwrix Corporation
 

La actualidad más candente (18)

Get Ahead of your Next Security Breach
Get Ahead of your Next Security BreachGet Ahead of your Next Security Breach
Get Ahead of your Next Security Breach
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT Security
 
LTS Secure offers PIM User Activity Monitoring
LTS Secure offers PIM User Activity MonitoringLTS Secure offers PIM User Activity Monitoring
LTS Secure offers PIM User Activity Monitoring
 
Uid security
Uid securityUid security
Uid security
 
Umer Khalid Thesis Abstract
Umer Khalid Thesis AbstractUmer Khalid Thesis Abstract
Umer Khalid Thesis Abstract
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM
 
Password policy template
Password policy templatePassword policy template
Password policy template
 
The Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling AccessThe Increasing Problems Of Controlling Access
The Increasing Problems Of Controlling Access
 
IS Audits and Internal Controls
IS Audits and Internal ControlsIS Audits and Internal Controls
IS Audits and Internal Controls
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Compliance
 
Comparision of ISO with NIST and COBIT framework
Comparision of ISO with NIST and COBIT frameworkComparision of ISO with NIST and COBIT framework
Comparision of ISO with NIST and COBIT framework
 
Ijcet 06 10_002
Ijcet 06 10_002Ijcet 06 10_002
Ijcet 06 10_002
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical Brief
 
The 21 CFR Part 11 Compliance Checklist for Digital Applications
The 21 CFR Part 11 Compliance Checklist for Digital ApplicationsThe 21 CFR Part 11 Compliance Checklist for Digital Applications
The 21 CFR Part 11 Compliance Checklist for Digital Applications
 
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah HurleyCedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
Cedar Day 2018 - Is Your PeopleSoft Ready for the GDPR - Sarah Hurley
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practices
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the Enterprise
 

Destacado

Open it sm solutions final
Open it sm solutions finalOpen it sm solutions final
Open it sm solutions finalRick Lemieux
 

Destacado (18)

Dit yvol2iss22
Dit yvol2iss22Dit yvol2iss22
Dit yvol2iss22
 
Dit yvol4iss14
Dit yvol4iss14Dit yvol4iss14
Dit yvol4iss14
 
Dit yvol1iss3
Dit yvol1iss3Dit yvol1iss3
Dit yvol1iss3
 
Dit yvol3iss27
Dit yvol3iss27Dit yvol3iss27
Dit yvol3iss27
 
Dit yvol4iss46
Dit yvol4iss46Dit yvol4iss46
Dit yvol4iss46
 
Dit yvol4iss30
Dit yvol4iss30Dit yvol4iss30
Dit yvol4iss30
 
Dit yvol6iss23
Dit yvol6iss23Dit yvol6iss23
Dit yvol6iss23
 
Dit yvol3iss7
Dit yvol3iss7Dit yvol3iss7
Dit yvol3iss7
 
Dit yvol5iss39
Dit yvol5iss39Dit yvol5iss39
Dit yvol5iss39
 
Dit yvol3iss50
Dit yvol3iss50Dit yvol3iss50
Dit yvol3iss50
 
Dit yvol5iss40
Dit yvol5iss40Dit yvol5iss40
Dit yvol5iss40
 
Dit yvol4iss34
Dit yvol4iss34Dit yvol4iss34
Dit yvol4iss34
 
Dit yvol2iss10
Dit yvol2iss10Dit yvol2iss10
Dit yvol2iss10
 
Dit yvol4iss19
Dit yvol4iss19Dit yvol4iss19
Dit yvol4iss19
 
Dit yvol2iss3
Dit yvol2iss3Dit yvol2iss3
Dit yvol2iss3
 
Dit yvol2iss49
Dit yvol2iss49Dit yvol2iss49
Dit yvol2iss49
 
Open it sm solutions final
Open it sm solutions finalOpen it sm solutions final
Open it sm solutions final
 
Dit yvol3iss16
Dit yvol3iss16Dit yvol3iss16
Dit yvol3iss16
 

Similar a Dit yvol3iss33

Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STakishaPeck109
 
Access Control and Maintenance.pptx
Access Control and Maintenance.pptxAccess Control and Maintenance.pptx
Access Control and Maintenance.pptxKinetic Potential
 
Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Gord Reynolds
 
5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business AccountsAnayaGrewal
 
The Role of User Access Reviews in Compliance.pptx
The Role of User Access Reviews in Compliance.pptxThe Role of User Access Reviews in Compliance.pptx
The Role of User Access Reviews in Compliance.pptxSecurityComplianceCo
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docxLynellBull52
 
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...csandit
 
IdM Reference Architecture
IdM Reference ArchitectureIdM Reference Architecture
IdM Reference ArchitectureHannu Kasanen
 
Priviledged Identity Management
Priviledged Identity ManagementPriviledged Identity Management
Priviledged Identity Managementrver21
 
Priviledged identity management
Priviledged identity managementPriviledged identity management
Priviledged identity managementrver21
 
Importance of Access Control System for Your Organization Security
Importance of Access Control System for Your Organization SecurityImportance of Access Control System for Your Organization Security
Importance of Access Control System for Your Organization SecurityNexlar Security
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdfroguelogics
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdfroguelogics
 
OverviewYou have been hired as an auditor for a local univer.docx
OverviewYou have been hired as an auditor for a local univer.docxOverviewYou have been hired as an auditor for a local univer.docx
OverviewYou have been hired as an auditor for a local univer.docxaman341480
 

Similar a Dit yvol3iss33 (20)

Dit yvol5iss38
Dit yvol5iss38Dit yvol5iss38
Dit yvol5iss38
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, S
 
Access Control and Maintenance.pptx
Access Control and Maintenance.pptxAccess Control and Maintenance.pptx
Access Control and Maintenance.pptx
 
Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)
 
5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts
 
The Role of User Access Reviews in Compliance.pptx
The Role of User Access Reviews in Compliance.pptxThe Role of User Access Reviews in Compliance.pptx
The Role of User Access Reviews in Compliance.pptx
 
5182
51825182
5182
 
5182
51825182
5182
 
Mm Access Management (ITIL)
Mm Access Management (ITIL)Mm Access Management (ITIL)
Mm Access Management (ITIL)
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
 
IdM Reference Architecture
IdM Reference ArchitectureIdM Reference Architecture
IdM Reference Architecture
 
Priviledged Identity Management
Priviledged Identity ManagementPriviledged Identity Management
Priviledged Identity Management
 
Priviledged identity management
Priviledged identity managementPriviledged identity management
Priviledged identity management
 
Importance of Access Control System for Your Organization Security
Importance of Access Control System for Your Organization SecurityImportance of Access Control System for Your Organization Security
Importance of Access Control System for Your Organization Security
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
OverviewYou have been hired as an auditor for a local univer.docx
OverviewYou have been hired as an auditor for a local univer.docxOverviewYou have been hired as an auditor for a local univer.docx
OverviewYou have been hired as an auditor for a local univer.docx
 

Más de Rick Lemieux

IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementRick Lemieux
 

Más de Rick Lemieux (20)

IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
 
Dit yvol5iss41
Dit yvol5iss41Dit yvol5iss41
Dit yvol5iss41
 
Dit yvol5iss37
Dit yvol5iss37Dit yvol5iss37
Dit yvol5iss37
 
Dit yvol5iss36
Dit yvol5iss36Dit yvol5iss36
Dit yvol5iss36
 
Dit yvol5iss35
Dit yvol5iss35Dit yvol5iss35
Dit yvol5iss35
 
Dit yvol5iss34
Dit yvol5iss34Dit yvol5iss34
Dit yvol5iss34
 
Dit yvol5iss31
Dit yvol5iss31Dit yvol5iss31
Dit yvol5iss31
 
Dit yvol5iss33
Dit yvol5iss33Dit yvol5iss33
Dit yvol5iss33
 
Dit yvol5iss32
Dit yvol5iss32Dit yvol5iss32
Dit yvol5iss32
 
Dit yvol5iss30
Dit yvol5iss30Dit yvol5iss30
Dit yvol5iss30
 
Dit yvol5iss29
Dit yvol5iss29Dit yvol5iss29
Dit yvol5iss29
 
Dit yvol5iss28
Dit yvol5iss28Dit yvol5iss28
Dit yvol5iss28
 
Dit yvol5iss26
Dit yvol5iss26Dit yvol5iss26
Dit yvol5iss26
 
Dit yvol5iss25
Dit yvol5iss25Dit yvol5iss25
Dit yvol5iss25
 
Dit yvol5iss24
Dit yvol5iss24Dit yvol5iss24
Dit yvol5iss24
 
Dit yvol5iss23
Dit yvol5iss23Dit yvol5iss23
Dit yvol5iss23
 
Dit yvol5iss22
Dit yvol5iss22Dit yvol5iss22
Dit yvol5iss22
 
Dit yvol5iss21
Dit yvol5iss21Dit yvol5iss21
Dit yvol5iss21
 
Dit yvol5iss20
Dit yvol5iss20Dit yvol5iss20
Dit yvol5iss20
 
Dit yvol5iss19
Dit yvol5iss19Dit yvol5iss19
Dit yvol5iss19
 

Último

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Dit yvol3iss33

  • 1. 6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management The workable, practical guide to Do IT Yourself Page 1 of 3 Vol. 3.33 • August 21, 2007 6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management By Janet Kuhn We have all been in this situation. We know that managing security is a mandate in today’s IT environment, but calls are swamping the Service Desk. “I’ve been on vacation. I’ve forgotten my password.” “I have a new employee starting today. She needs to be able to log into X application.” “I’ve been promoted. How do I get Manager privileges?” And, the dreaded “Some unauthorized changes were made. Who has access to the system?” It is like herding cats to stay current on who is who in the corporate structure, and who should have which level of authority. Access Management, one of the Service Operation processes, provides key guidance to help rein in those Security lions lying in the bushes. One of the outstanding differences in the ITIL V.3 Service Lifecycle is that it separates operational and execution activities from strategic and design ones. For example, the Service Operation volume clearly defines the boundaries around Access Management, the operational process that grants users’ right to use a particular service, versus the security policies defined and established in Security and Availability Management. ITIL V3 is adamant about it. Access Management does not define security standards; it solely and exclusively executes the Security and Availability policies and actions that are in place. As such, it performs six key activities – requesting access, verification, providing rights, monitoring identity status, logging and tracking access, and removing or restricting rights. The following paragraphs take a closer look at each of these areas. You will see that bringing each one of these under control will help avoid the morass of issues depicted above. Requesting Access This is an excellent place to start defining your Access Management procedures, as requests to change an access generally emanate from only a few, well-defined areas. For instance, the Human Resources system could generate a standard request for access whenever someone is hired, promoted or transferred or leaves the company. Other entry points for a request for access could be a Request for Change (RFC) into the Change Management System (Service Transition) or a Service Request from the Request Fulfillment System (Service Operation). You can include the procedure for requesting access as part of the Service Catalog (Service Design). In general, the Security policies will define which areas and departments may request access, and the Access Management process will design the mechanisms to carry out that request. Verification The verification activity verifies a request for access to ensure that the user requesting the access is who he/she says he/she is, and that the user has a legitimate requirement for the service. There are many methods for verifying the user’s identity, ranging from low-tech personal recognition to high-tech biometric data. Establishing the legitimacy of the request requires a few more verification steps. For instance, you may require notifications to add new users to be co-signed by the Human Resources department or the appropriate manager. http://www.itsmsolutions.com/newsletters/DITYvol3iss33.htm 8/21/2007
  • 2. 6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management Page 2 of 3 The Change Management process should include a review of Access Management rights as it evaluates RFCs to specify who should have access to the service and whether existing users are still valid. Depending on the levels of risk to the organization, the Security policies may define different levels of verifications to access different services. For example, a request to access the banking system may carry a much higher level of verification than a request to add a new employee to the internal network. Providing Rights Once it has verified a user, Access Management provides the appropriate rights to him/her. However, Access Management should also be on the lookout for any role conflicts that might occur. For example, two separate accesses might be granted by different requesters to a single contract worker – one authorizing him to log time sheets for a project and the other authorizing him to approve all payment on work for the same project. In addition, large organizations may have many roles and groups, and sometimes a user may end up with mutually exclusive roles. Access Management does not fix role conflicts or duplications itself, but it informs the originators of the access requests about the issues. Again, the Security policy defines the rights that should be available to an individual, and Access Management grants rights based on this information. The Security team and the Access Management team must work together to build awareness within Access Management regarding potential role conflicts and mutual exclusions. Monitoring Identity Status One of the problems with many manual Access Management systems in use today is that there is no easy way to monitor when a user changes roles or Identity Status. Typical events that trigger a change in Identity Status are job changes, promotions or demotions, transfers, resignation or death, retirement, disciplinary action, dismissals. By identifying trigger events similar to the above, it is possible to seek Access Management tools that will automate the Access Management process and provide an audit trail. Security policies define such trigger events, and Access Management builds ways to capture them. Logging and Tracking Access All Technical and Application Management monitoring activities should include reviews of Access rights and utilization to ensure that the rights are being properly used. The review should direct all exceptions to Incident Management for investigation. Of course, it may be necessary to restrict the view of the Incident Record to only those people with a right to know as it could reveal vulnerabilities in the organization’s security tools or policies. Furthermore, Access Management may provide access records to assist corporate investigations into user activity. The Security group develops the requirements for monitoring and tracking, and Access Management develops the pursuant capabilities. Removing or Restricting Rights Users do not stay in the same jobs or roles forever, and neither should their access rights. This is another place to set up standard procedures and policies to more easily identify events requiring the removal or restriction of rights. Some examples are death, resignation, dismissal, changed user roles, and physical moves to areas with different access rights. Based on such changes in User status or access requirements, Access Management adjusts access rights according to Security policy. Concluding Thoughts The key take-away from this DITY should be that Access Management holds responsibility solely for executing the security procedures that the organization’s Security policies define elsewhere in the organization. As a corollary, the six activities defined above provide a solid http://www.itsmsolutions.com/newsletters/DITYvol3iss33.htm 8/21/2007
  • 3. 6 Steps to Making Your Security Policies Work - ITIL v.3 Access Management Page 3 of 3 framework for building your own Access Management implementation plan. Entire Contents © 2007 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). http://www.itsmsolutions.com/newsletters/DITYvol3iss33.htm 8/21/2007