The Itil Community Forum: Forums


Security/Access Management


Joined: Mar 10, 2008
Posts: 9

Posted: Thu Jul 30, 2009 6:08 am    Post subject: Security/Access Management

OK here goes - I know I'll get slapped for asking this before I receive a valid answer but thought I'd try it anyways.

According to ITIL - who is the correct group to approve access changes to IT systems? Would it be a. The business service owner or b. The IT system person who is under the belief they own the data?

In some cases there are many common systems shared by many business service owners.

Now - if you want to answer that ITIL does not define this and instead it depends on what we want to define at our business, fine. If that's the case then what would be a best practice and why. Is there any ITIL justification behind the answer?

Thank you.
Senior Itiler

Joined: May 25, 2008
Posts: 413
Location: Sydney, Australia

Posted: Thu Jul 30, 2009 9:47 am    Post subject:

The answer is it depends.

You could always make the call and see if they accept your decision
ITIL V3 Release, Control & Validation,
ITIL V3 Operation Support & Analysis

"In times of universal deceit, telling the truth will be a revolutionary act." George Orwell

Joined: Mar 10, 2008
Posts: 9

Posted: Thu Jul 30, 2009 11:25 pm    Post subject: I might just try that!

Thanks for the honest answer.

I am going to propose the business owner - and the next question I will be asked is, "What does ITIL say about that?".

Good Ole ITIL - lets you define most everything, so what will my response be? Something like this: Well, the service catalogue samples assume that business owners own the services, and if they own the services then they therefore own the associated data. If they own the data, then they should be the ones granting access.

I hope that flies!
Senior Itiler

Joined: Nov 14, 2007
Posts: 109

Posted: Fri Jul 31, 2009 5:25 pm    Post subject:

I recall there may be some guidance on this in the Information Security chapters of the ITIL v2 BOOKS. Warning - ITIL and Info Security is not for the faint-hearted. I found it mind-numbingly tedious.
However it discusses (in unfortunately far too much detail) the concepts of data owners, data integrity etc and assessing the risks against that data including unauthorised / unintended access.

However I agree with your view. The person who is responsible for the data is ultimately the person who is responsible for granting access to that data.

From personal experience I have found the business is generally happy delegating the decision regarding authorising access because it means they have offloaded a business problem (resolving who owns the data; sorting out a process for granting access to this data) to a third party team. However as soon as something goes wrong (the wrong person gets to see the wrong data; the data is updated / deleted by the wrong person), it all gets horribly messy...
Senior Itiler

Joined: Mar 04, 2008
Posts: 1894
Location: Helensburgh

Posted: Mon Aug 03, 2009 10:01 pm    Post subject:

Of course there should be high-level policy on this; and each system should specify its access policy and rules (including authority) in its design documentation; and the function(s) that uses the system should have a documented procedure for controlling access in accordance with these policies.

And it is never appropriate for IT service staff to control access to applications systems except in following explicit rules and/or directives from the customer.

In my experience the "just assume" and the "it's obvious" schools of thought appear equally in both the customer/user population and the IT population.

I still prefer documented policies and procedures and records.
"Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718
All times are GMT + 10 Hours