Access Rights Management
Manage user access rights to information throughout its life cycle, including granting, denying, and revoking access privileges.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Access Rights Management at each level of maturity.
- 1. Initial
  - Practice: Grant and replace access rights upon request using informal procedures.
  - Outcome: Access to sensitive data is controlled but may lack granularity of control.
  - Metrics:
    - # of grant/revoke changes approved by management
- 2. Basic
  - Practice: Establish a process to withdraw employee access rights if they are abused. Discourage sharing of credentials. Provide employees with access to a password management package.
  - Outcome: There is an increased likelihood that only well-behaved, authorized personnel have access.
  - Metrics:
    - # of access rights audit exceptions
    - # of grants/revocations of access rights, by department
- 3. Intermediate
  - Practice: Develop and use a formal procedure and authorization process for access control, including access logging, across IT and some business units. Review and audit data access rights at regular intervals.
  - Outcome: Only appropriate access to data is allowed. Access rights are automatically assigned or removed based on role.
  - Metrics:
    - # of unapproved accesses found and reported by audit
    - # of access logs not implemented
    - # of overdue access rights reviews
    - Trend in audit exceptions
- 4. Advanced
  - Practice: Request the provision of meta-data to support the granularity and flexibility of control over access rights and the administration of access rights organization-wide. Log all accesses appropriately and scrutinize logs when anomalous activity is suspected. Audit access permissions and logs regularly.
  - Outcome: The administration and management of access rights is dynamic, flexible and controlled, ensuring that data and information are accessed appropriately.
  - Metrics:
    - # of meta-data requests outstanding
    - # of meta-data items not utilized in access controls
    - # of unapproved or obsolete access rights revoked on audit
    - # of missing access logs
    - % of code not reviewed for access and logging controls
    - Y/N: the last administrator cannot be revoked
- 5. Optimized
  - Practice: Regularly review with users and administrators the efficiency of access mechanisms and their controls. Fine-tune and revise these for efficiency while maintaining appropriate security levels for the data and information.
  - Outcome: Security measures protect business activity but do not hinder or obstruct the efficient operation of business functions.
  - Metrics:
    - # of user-requested improvements outstanding
    - # of administration staff requests outstanding
    - # of business manager and data steward requests outstanding
    - # of security impact complaints