5 Service Operations
5.3 Access Management
5.3.1 Process Overview
Access Management consists of the processes and procedures responsible for allowing users to make use of IT services, systems, applications, data, or other IT assets. Access Management helps to protect the Confidentiality, Integrity and Availability of assets by ensuring that only authorized users are able to access or modify the assets. Access Management is sometimes referred to as Rights Management or Identity Management.
Key Objectives of Access Management are:
Verify identity
Provide access to authorized users Deny access to non-authorized users
Execution of policies and actions defined in Security and Availability Management.
Grant, restrict or remove access to controlled IT services, systems, or other IT assets.
Access Management is the tactical execution of company policies relating to Information Security Management and Availability Management. Access Management is critical to IT governance and compliance and is typically managed within the IT operations function and/or Security group.
5.3.2 High Level Process Model
The following diagram illustrates the high level process model.
7. Implement
Corrective Actions 1. Define what you
should measure.
6. Present and Use
the information. 2. Define what you
can measure.
ITIL 7 Step Process
5. Analyze the data. 3. Gather the data.
4. Process the data.
Figure 22 Access Management Model
5.3.3 High Level Process Descriptions
The sub-processes of the high level process model are described at a high level.
Number Sub-process Description
1.0 Initiation of Access Request Assess all Access Requests through verification, providing rights, monitoring identity status, logging and tracking.
2.0 Request/Modify Access Capture requests for access or changes to access privileges. Request changes for end-users as their responsibilities or employment status change.
3.0 Standard Change? Determine the extent of the request. Does it qualify as a Standard Change or will it need to go through the Change Management process?
4.0 Verify ID Validate identify of the person requesting access to a system.
5.0 Validate Access Validate approval of the request.
Provide Rights.
6.0 ID Exists? Checks to determine if the user is already identified in the system.
7.0 Create and Maintain Account Create and maintain ID in the System
Issue/update CAC cards with user identification information.
8.0 Account Exists? Checks to determine if the user has an active account in the system.
9.0 Modify/Delete Account Monitor Identity Status and Maintain Users, Roles and Groups.
Remove or Restrict Rights.
10.0 Create and Maintain ID? Create New Accounts?
Create new accounts for system access when they don't already exist.
5.3.4 Seam Management Authority Matrix
The term seam refers to a connection or interaction between one or more organizations. It could be an interaction between Government (DON) organizations, Government (DON) to IT Service
Provider, or IT Service Provider to IT Service Provider. The seam analysis helps to identify the processes, people and technology required to coordinate end to end management of IT Services.
The following table provides key seam descriptions.
Seam Seam Descriptions
TBD
The following tables identify key process activities and where possible, associate activity with process seams and key roles.
Seam Required ITSM Process Specification
N/A
The authority matrix below identifies process activities that can be associated with key roles and/or process seams. These relationships are documented in terms of RACI (Responsible, Accountable, Consulted, and Informed). This table does NOT represent a RACI mapping to the organization or sub-processes.
Seam Required ITSM Process Specification
Process Owner Process Manager Service Provider Lead Ensure that Service personnel
/subcontractors have the correct level of CAC access, physical access, account rights and clearance(s) to perform the required services.
CI AR R
Conform to the Government requirements that justify needs for level of access.
CI AR R
Conform to NGEN standards for granting access to each access level (e.g. requirement for changing passwords).
CI AR R
Ensure that all personnel
/subcontractors hold or are eligible to obtain the security clearance specified by the Government. At a minimum, personnel/subcontractors will be required to hold or have the ability to obtain a secret clearance.
CI AR R
Use the Government’s Contractor Verification System (CVS) for obtaining access to any Government system.
CI AR R
Have a process in place to ensure that access rights are terminated or restricted upon death, resignation, dismissal, role change, and transfer or travel where different regional access applies (both system, network and physical).
CI AR R
Ensure that Administrator access to a device is controlled to the degree that only authorized users can make changes to a device.
CI AR R
Touch labor will ensure that Administrator access to a device is terminated when their work is complete.
CI AR R
Have the ability to produce a report within one of business day that validates access privileges are relevant for all personnel/subcontractors.
CI AR R
Provide the Government with system access to generate the following reports for each system or service:
• Number of requests for access (Service Request, RFC, etc.)
• Instances of access granted by service, user, departed, etc.
• Instances of access granted by department or individual granting rights
• Number of Incidents requiring a reset of access rights
• Number of Incidents caused by incorrect access settings
CI AR R
5.3.5 Process Interfaces
Any process is triggered by an event or activity and associated artifact(s), and produces an output which typically feeds into another process.
Interfaces
This process has a key relationship or dependency with the following ITSM processes:
Information Security Management Availability Management
Capacity Management
Request Fulfillment
Service Level Management Inputs
Consider the inputs to the process:
• Request for Fulfillment
• Policies from Security and Availability Management
• Change in Employee Status
• Request for Change
• Human Resource Management Event Notification (e.g. position changes, transfers, dismissals)
Outputs
Consider the outputs from the process:
• Access Request Fulfillment
5.3.6 Roles
The following roles have been identified with the process.
Roles Description
Access Management Process Owner
This is the strategic role that is accountable for the Process.
Access Management Process Manager
This is the tactical role that performs cross-segment coordination and runs the day-to-day, end-to-end Process implementation activities.
5.3.7 Performance Metrics
The effectiveness and performance of the process are measured using metrics-based Key Performance Indicators (KPIs) which support high level Critical Success Factors (CSFs). The CSFs and KPIs below are examples which may or may not reflect actual Key Performance Parameters (KPPs).
CSF # Critical Success Factors KPI # Key Performance Indicators
1 Define correct level of filtering of events and alerts
1 Number of Events and Alerts.
2 Number of Events and Alerts that defined Incidents and Problems.
3 Number of Events and Alerts caused by Known Errors.
2 Use appropriate tools for Event and Alert Monitoring supporting the automated monitoring of systems and services
4 Number of Events and Alerts that require human intervention.
5 Number of Events and Alerts duplicated or repeated.
6 Number of Events and Alerts that could be solved without human intervention.
5.3.8 Tools Interface Requirements
The following known tool interfaces requirements should be considered during further development of the process:
Access/Identify Management Software Configuration Management System (CMS) Request Fulfillment Tracking System
Service Knowledge Management System (SKMS)