The Itil Community Forum: Forums

ITIL :: View topic - Security/Access Management

Security/Access Management

 
ItilyWoman
Newbie


Joined: Mar 10, 2008
Posts: 9

Posted: Thu Jul 30, 2009 6:08 am    Post subject: Security/Access Management

OK here goes - I know I'll get slapped for asking this before I receive a valid answer but thought I'd try it anyways.

According to ITIL - who is the correct group to approve access changes to IT systems? Would it be a. The business service owner or b. The IT system person who is under the belief they own the data?

In some cases there are many common systems shared by many business service owners.

Now - if you want to answer that ITIL does not define this and instead it depends on what we want to define at our business, fine. If that's the case then what would be a best practice and why. Is there any ITIL justification behind the answer?

Thank you.
DYbeach
Senior Itiler


Joined: May 25, 2008
Posts: 413
Location: Sydney, Australia

Posted: Thu Jul 30, 2009 9:47 am

The answer is it depends.

You could always make the call and see if they accept your decision [Twisted Evil]
_________________
DYbeach
ITIL V3 Release, Control & Validation,
ITIL V3 Operation Support & Analysis
PMI CAPM (R)

"In times of universal deceit, telling the truth will be a revolutionary act." George Orwell
ItilyWoman
Newbie


Joined: Mar 10, 2008
Posts: 9

Posted: Thu Jul 30, 2009 11:25 pm    Post subject: I might just try that!

Thanks for the honest answer.

I am going to propose the business owner - and the next question I will be asked is, "What does ITIL say about that?".

Good Ole ITIL - lets you define most everything, so what will my response be? Something like this: Well, the service catalogue samples assume that business owners own the services, and if they own the services then they therefore own the associated data. If they own the data, then they should be the ones granting access.

I hope that flies!
swansong
Senior Itiler


Joined: Nov 14, 2007
Posts: 109

Posted: Fri Jul 31, 2009 5:25 pm

I recall there may be some guidance on this in the Information Security chapters of the ITIL v2 BOOKS. Warning - ITIL and Info Security is not for the faint hearted. I found it mind numbingly tedious.
However it discusses (in unfortunately far too much detail) the concepts of data owners, data integrity etc and assessing the risks against that data including unauthorised / unintended access.

However I agree with your view. The person who is responsible for the data is ultimately the person who is responsible for granting access to that data.

From personal experience I have found the business is generally happy delegating the decision regarding authorising access because it means they have offloaded a business problem (resolving who owns the data; sorting out a process for granting access to this data) to a third party team. However as soon as something goes wrong (the wrong person gets to see the wrong data; the data is updated / deleted by the wrong person), it all gets horribly messy...
Diarmid
Senior Itiler


Joined: Mar 04, 2008
Posts: 1884
Location: Newcastle-under-Lyme

Posted: Mon Aug 03, 2009 10:01 pm

Of course there should be high-level policy on this; and each system should specify its access policy and rules (including authority) in its design documentation; and the function(s) that uses the system should have a documented procedure for controlling access in accordance with these policies.

And it is never appropriate for IT service staff to control access to applications systems except in following explicit rules and/or directives from the customer.

In my experience the "just assume" and the "it's obvious" schools of thought appear equally in both the customer/user population and the IT population.

I still prefer documented policies and procedures and records.
_________________
"Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718
All times are GMT + 10 Hours