It seems that only when the topic of audit comes up do we think about the way we review the overall Access Management process. While it is likely that we regularly review access to systems (quarterly etc.), should we not also be thinking in terms of the access lifecycle? In other words, do we really review the way that access is managed, rather than only who currently has it?
To take this back a step, IT organizations in the simplest terms manage the way that access is granted to key systems through three activities:
- Onboarding – person is starting new position / role and access is granted via a manual process, or automated with tools and may be verified through a “source of truth” authority in either a team (HR) or an application
- Changes / Modifications – person is modifying position / role and will require either manual intervention through various managers or again automated through a toolset
- Offboarding – person is leaving position / role in one way or another and the termination process drives the removal of access either manually or through tools
For the most part, validating onboarding and offboarding (joiners and leavers) is the simplest to define: “Gillian is unable to do her work as access has not been granted” (Onboard); “Desmond has quit, remove access” (Offboard).
It is the “Changes / Modifications” component (movers) that may need to be tightened up from a process perspective. Managing users and roles across the enterprise, especially a large and diverse one, can be quite complex when there is no underpinning process to govern it.
For example, let’s suppose we have an employee who works in Business Unit “A” and is moving to work in Business Unit “B”.
Questions you should be asking already:
- When people change roles does your Access Management process discontinue all access from role A and then grant access to role B in a seamless way?
- How is access to roles validated? The dreaded “just mirror John Smith” approach can create major access issues, because John’s accumulated entitlements are copied rather than the entitlements the role actually requires.
- Could lingering access from Business Unit A follow this person to the new role?
You really need to ask yourself whether your overall Access Management process itself is checked on a regular time frame (quarterly, annually), not just the access it produces.
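One way to turn the mover questions above into a repeatable check is to reconcile an entitlement export against the HR “source of truth” and a role-to-entitlement matrix, flagging access that lingers from the old role and access the new role still lacks. The script below is an added example, not code from the original post; the role names, group names, HR feed and entitlement export are all constructed sample data.

```python
"""Mover access reconciliation (added example, not from the post).

Compares an entitlement export against an HR source of truth and a
role-to-entitlement matrix to flag lingering access left over from a
previous role and access the current role requires but has not received.
All records here are constructed; role and group names are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical role-to-entitlement matrix: what each role SHOULD hold.
ROLE_ENTITLEMENTS = {
    "BU-A Analyst": {"vpn", "bu-a-share", "crm-read"},
    "BU-B Accountant": {"vpn", "bu-b-share", "erp-post"},
}

# Constructed HR feed: the authoritative current role per person (None = left).
HR_FEED = {
    "gillian": "BU-B Accountant",  # moved from BU-A to BU-B
    "desmond": None,               # terminated, should hold nothing
    "john.smith": "BU-A Analyst",
}

# Constructed entitlement export from the directory / IAM tool.
ENTITLEMENT_EXPORT = {
    "gillian": {"vpn", "bu-a-share", "crm-read", "bu-b-share"},
    "desmond": {"vpn", "bu-b-share"},
    "john.smith": {"vpn", "bu-a-share", "crm-read"},
}


@dataclass
class Finding:
    user: str
    lingering: set = field(default_factory=set)  # held, not justified by current role
    missing: set = field(default_factory=set)    # required by role, not granted


def reconcile(hr_feed, export, matrix):
    """Return {user: Finding} for every user whose access deviates from the matrix."""
    findings = {}
    for user in sorted(set(hr_feed) | set(export)):
        role = hr_feed.get(user)              # missing from HR is treated like a leaver
        expected = matrix.get(role, set()) if role else set()
        actual = export.get(user, set())
        lingering, missing = actual - expected, expected - actual
        if lingering or missing:
            findings[user] = Finding(user, lingering, missing)
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_FEED, ENTITLEMENT_EXPORT, ROLE_ENTITLEMENTS).values():
        print(f"{f.user}: lingering={sorted(f.lingering)} missing={sorted(f.missing)}")
```

A user whose HR role is absent from the matrix is treated as having no justified access, so an incomplete matrix surfaces as lingering findings rather than silently passing.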
Automation
I can already hear some people saying, “we have an automated tool that handles all of this.” Just because it is automated does not mean it is working or still valid. The process governing how the tool works should be validated just like in the situation above.
This process impacts a wide variety of stakeholders, not just the service desk and the users. Any improvements to the process should be reviewed with them as well. They might include:
- Human Resources
- Audit and Compliance
- Business Owners
- Application Owners
- Risk Management, to name a few
Remember, finding gaps in the process and mitigating risk shouldn’t be something that happens only as a result of an incident. Regular process checkpoints should allow you and your organization to act on these gaps proactively before they become problematic.
If you like these articles please take a few minutes to share on social media or comment
Labels: Access Management, Continual Service Improvement, Service Management