Posted: Thu Jul 30, 2009 6:08 am Post subject: Security/Access Management
OK here goes - I know I'll get slapped for asking this before i receive a valid answer but thought I'd try it anyways.
According to ITIL - who is the correct group to approve access changes to IT systems? Would it be a. The business service owner or b. The IT system person who is under belief they own the data?
In some cases there are many common systems shared by many busines service owners.
Now - if you want to answer that ITIL does not define this and instead it depends on what we want to define at our business, fine. If that's the case then what would be a best practice and why. Is there any ITIL justification behind the answer?
Posted: Thu Jul 30, 2009 11:25 pm Post subject: I might just try that!
Thanks for the honest answer.
I am going to propose the business owner - and the next question I will be asked is, "What does ITIL say about that?".
Good Ole ITIL - let's you define most everything, so what will my response be? Something like this: Well, the service catalogue samples assumes that business owners own the services, and if they own the services then they therefore own the associated data. If they own the data, then they should be the ones granting access.
I recall there may be some guidance on this in the Information Security chapters of the ITIL v2 BOOKS. Warning - ITIL and Info Security is not the feint hearted. i found it mind numbingly tedious.
However it discusses (in unfortunately far too much detail) the concepts of data owners, data integrity etc and assessing the risks against that data including unauthorised / unintended access.
However I agree with your view. The person who is responsible for the data is ultimately the person who is responsible for granting access to that data.
From personal experience I have found the business is generally happy delegating the decision regarding authorising access because it means they have offloaded a business problem (resolving who owns the data ; sorting out a process for granting access to this data) to a third party team. However as soon as something goes wrong (the wrong gets to see the wrong data ; the data is updated / deleted by the wrong person), it all gets horribly messy...
Joined: Mar 04, 2008 Posts: 1892 Location: Helensburgh
Posted: Mon Aug 03, 2009 10:01 pm Post subject:
Of course there should be high-level policy on this; and each system should specify its access policy and rules (including authority) in its design documentation; and the function(s) that uses the system should have a documented procedure for controlling access in accordance with these policies.
And it is never appropriate for IT service staff to control access to applications systems except in following explicit rules and/or directives from the customer.
In my experience the "just assume" and the "its obvious" schools of thought appear equally in both the customer/user population and the IT population.
I still prefer documented policies and procedures and records. _________________ "Method goes far to prevent trouble in business: for it makes the task easy, hinders confusion, saves abundance of time, and instructs those that have business depending, both what to do and what to hope."
William Penn 1644-1718
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum