To take this back a step, IT organizations are, in the simplest terms, managing the way access is granted to key systems through 3 activities:
- Onboarding – a person is starting a new position / role and access is granted, either through a manual process or automated with tools, and may be verified against a “source of truth” authority, either a team (HR) or an application
- Changes / Modifications – a person is changing position / role and will require either manual intervention by various managers or, again, automation through a toolset
- Offboarding – a person is leaving a position / role in one way or another and the termination process drives the removal of access, either manually or through tools
For the most part, validating onboarding and offboarding (joiners and leavers) is the simplest to define: “Gillian is unable to do her work as access has not been granted” (Onboard); “Desmond has quit, remove access” (Offboard).
It is the “Changes / Modifications” component (movers) that may need to be tightened up from a process perspective. Managing users and roles across the enterprise, especially a large and diverse one, can be quite complex when there is no underpinning process to govern it.
For example, let’s suppose we have an employee who works in Business Unit “A” and is moving to work in Business Unit “B”.
Questions you should be asking already:
- When people change roles, does your Access Management process discontinue all access from role A and then grant access to role B in a seamless way?
- How is access for a role validated? The dreaded “just mirror John Smith” approach can create major access issues.
- Could lingering access from Business Unit A follow this person into the new role?
You also need to ask yourself whether your overall Access Management process is reviewed on a regular schedule (quarterly, annually).
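The mover questions above (clean revocation of role A before granting role B, the “mirror John Smith” problem, and the periodic review) can all be expressed as one reconciliation check: compare what a user actually holds against what their current roles are supposed to grant. The following is an added example, not code from the original article; the role-to-entitlement table, the user records and the names are constructed sample data standing in for what a real organization would pull from its source of truth (HR feed, directory, application exports).

```python
"""Added example: reconcile a user's actual entitlements against the
entitlements their current roles should grant, to surface lingering
access after a role change and drift introduced by cloning a user."""
from dataclasses import dataclass, replace

# Constructed sample mapping: what each role is supposed to carry.
# "vpn" is deliberately shared by both roles so the clean move below
# has to keep it rather than revoke and re-grant it blindly.
ROLE_ENTITLEMENTS = {
    "BU-A Analyst": {"crm-read", "finance-share-A", "vpn"},
    "BU-B Engineer": {"git-write", "build-server", "vpn"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    entitlements: frozenset


def expected_entitlements(roles):
    """Union of everything the given roles are supposed to grant."""
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return frozenset(expected)


def reconcile(user):
    """lingering: entitlements no current role explains (carried over from
    a previous BU, or copied from a template user); missing: entitlements
    the current roles require but the user does not actually hold."""
    expected = expected_entitlements(user.roles)
    return {
        "lingering": frozenset(user.entitlements - expected),
        "missing": frozenset(expected - user.entitlements),
    }


def apply_role_change(user, old_role, new_role, revoke_old=True):
    """Model a mover. With revoke_old=True the old role's entitlements are
    removed first and then everything the remaining roles grant is re-added,
    so shared entitlements such as 'vpn' survive. With revoke_old=False the
    new role is simply stacked on top, which is how lingering access arises."""
    new_roles = (user.roles - {old_role}) | {new_role}
    kept = user.entitlements
    if revoke_old:
        kept = kept - ROLE_ENTITLEMENTS.get(old_role, set())
    new_ents = kept | expected_entitlements(new_roles)
    return replace(user, roles=frozenset(new_roles), entitlements=frozenset(new_ents))


def mirror_user(template, name):
    """The dreaded 'just mirror John Smith': copies the template's roles AND
    every entitlement the template has accumulated over time."""
    return User(name=name, roles=template.roles, entitlements=template.entitlements)


def review_report(users):
    """Periodic access review: one (user, finding, entitlement) row per issue."""
    findings = []
    for user in users:
        result = reconcile(user)
        findings += [(user.name, "lingering", e) for e in sorted(result["lingering"])]
        findings += [(user.name, "missing", e) for e in sorted(result["missing"])]
    return findings


# Constructed sample users (hypothetical names, as in the article's examples).
MOVER = User("Gillian", frozenset({"BU-A Analyst"}),
             frozenset({"crm-read", "finance-share-A", "vpn"}))
# John has one role but has picked up "prod-db-admin" outside of any role.
JOHN_SMITH = User("John Smith", frozenset({"BU-B Engineer"}),
                  frozenset({"git-write", "build-server", "vpn", "prod-db-admin"}))

if __name__ == "__main__":
    sloppy = apply_role_change(MOVER, "BU-A Analyst", "BU-B Engineer", revoke_old=False)
    clean = apply_role_change(MOVER, "BU-A Analyst", "BU-B Engineer")
    new_hire = mirror_user(JOHN_SMITH, "New Hire")
    for row in review_report([sloppy, clean, new_hire, JOHN_SMITH]):
        print(*row)
```

Run as a script it prints the review findings: the stacked move leaves Gillian with BU-A access she no longer needs, the clean move produces no findings, and the mirrored new hire inherits John Smith's out-of-role `prod-db-admin` entitlement, which the same report also flags on John himself. The same `review_report` call, run on a quarterly or annual schedule against real data, is the regular checkpoint the article asks for, and it applies equally to access granted by an automated tool, since it checks outcomes rather than the tool.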
I can already hear some people saying, “we have an automated tool that handles all of this.” Just because it is automated does not mean it is working or still valid. The process governing how the tool works should be validated just like the situation above.
This process impacts a wide variety of stakeholders, not just the service desk and the users. Any improvements to the process should be reviewed with them as well. They might include, to name a few:
- Human Resources
- Audit and Compliance
- Business Owners
- Application Owners
- Risk Management
Remember, finding gaps in the process and mitigating risk shouldn’t be something that is discovered only as a result of an issue. Regular process checkpoints should allow you and your organization to proactively address these gaps before they become problematic.