Security/Access Management

[ItilyWoman]

OK here goes - I know I'll get slapped for asking this before i receive a valid answer but thought I'd try it anyways.

According to ITIL - who is the correct group to approve access changes to IT systems? Would it be a. The business service owner or b. The IT system person who is under belief they own the data?

In some cases there are many common systems shared by many busines service owners.

Now - if you want to answer that ITIL does not define this and instead it depends on what we want to define at our business, fine. If that's the case then what would be a best practice and why. Is there any ITIL justification behind the answer?

Thank you.

[DYbeach]

The answer is it depends.

You could always make the call and see if they accept your decision
_________________
DYbeach
ITIL V3 Release, Control & Validation,
ITIL V3 Operation SUpport & Analysis
PMI CAPM (R)

"In times of universal deceit, telling the truth will be a revolutionary act." George Orwell

[ItilyWoman]

Thanks for the honest answer.

I am going to propose the business owner - and the next question I will be asked is, "What does ITIL say about that?".

Good Ole ITIL - let's you define most everything, so what will my response be? Something like this: Well, the service catalogue samples assumes that business owners own the services, and if they own the services then they therefore own the associated data. If they own the data, then they should be the ones granting access.

I hope that flies!

[swansong]

I recall there may be some guidance on this in the Information Security chapters of the ITIL v2 BOOKS. Warning - ITIL and Info Security is not the feint hearted. i found it mind numbingly tedious.
However it discusses (in unfortunately far too much detail) the concepts of data owners, data integrity etc and assessing the risks against that data including unauthorised / unintended access.

However I agree with your view. The person who is responsible for the data is ultimately the person who is responsible for granting access to that data.

From personal experience I have found the business is generally happy delegating the decision regarding authorising access because it means they have offloaded a business problem (resolving who owns the data ; sorting out a process for granting access to this data) to a third party team. However as soon as something goes wrong (the wrong gets to see the wrong data ; the data is updated / deleted by the wrong person), it all gets horribly messy...

[Diarmid]

Of course there should be high-level policy on this; and each system should specify its access policy and rules (including authority) in its design documentation; and the function(s) that uses the system should have a documented procedure for controlling access in accordance with these policies.

And it is never appropriate for IT service staff to control access to applications systems except in following explicit rules and/or directives from the customer.

In my experience the "just assume" and the "its obvious" schools of thought appear equally in both the customer/user population and the IT population.

I still prefer documented policies and procedures and records.
_________________
"Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718