Access Management by ITIL v3 - Service Operation
Intro
Access Management is the process of granting authorized users the
right to use a service, while preventing access to non-authorized users.
It has also been referred to as Rights Management or
Identity Management in different organizations.
Purpose / goal / objective
Access Management provides the right for
users to be able to use a service or group of
services. It is therefore the execution of
policies and actions defined in Security and
Availability Management.
Value to business
1. Controlled access to services ensures that the
organization is able to maintain more effectively
the confidentiality of its information
2. Employees have the right level of access to
execute their jobs effectively
3. There is less likelihood of errors being made in
data entry or in the use of a critical service by an
unskilled user (e.g. production control systems)
4. The ability to audit use of services and to trace the abuse of services
5. The ability more easily to revoke access rights when
needed – an important security consideration
6. May be needed for regulatory compliance (e.g. SOX, HIPAA, COBIT)
Critical Success Factors
1. The ability to verify the identity of a user
(that the person is who they say they are)
2. The ability to verify the identity of the approving person or body
3. The ability to verify that a user qualifies for access to a specific service
4. The ability to link multiple access rights to an individual user
5. The ability to determine the status of the user at any time
(e.g. to determine whether they are still employees of the
organization when they log on to a system)
6. The ability to manage changes to a user’s access requirements
7. The ability to restrict access rights to unauthorized users
8. A database of all users and the rights that they have been granted.
Metrics
1. Number of requests for access (Service Request, RFC, etc.)
2. Instances of access granted, by service, user, department, etc.
3. Instances of access granted by department or individual granting rights
4. Number of incidents requiring a reset of access rights
5. Number of incidents caused by incorrect access settings.
Process Activities
1. Requesting access
2. Verification
   • That the user requesting access is who they say they are
   • That they have a legitimate requirement for that service.
3. Providing rights
4. Monitoring identity status
   Changes include:
   • Job changes
   • Promotions or demotions
   • Transfers
   • Resignation or death
   • Retirement
   • Disciplinary action
   • Dismissals
5. Logging and tracking access
6. Removing or restricting rights
   Circumstances:
   • Death
   • Resignation
   • Dismissal
   • When the user has changed roles and no longer requires
     access to the service
   • Transfer or travel to an area where different
     regional access applies.
Input
An RFC
A Service Request
A request from the appropriate Human Resources Management personnel
A request from the manager of a department, who could be performing an HR role
Inter-process interfaces
1. Information Security Management
2. Availability Management
3. Change Management
4. Configuration Management
5. Incident Management
mm Access management (ITIL).mmap - 15.01.2016 - Mindjet
