IVI Framework Viewer

Access Rights Management

D2

Manage user access rights to information throughout its life cycle, including granting, denying, and revoking access privileges.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Access Rights Management at each level of maturity.

1. Initial
  • Practice
    Grant and replace access rights upon request using informal procedures.
    Outcome
    Access to sensitive data is controlled but may lack granularity of control.
    Metric
    # grant/revoke changes approved by management
2. Basic
  • Practice
    Establish a process to withdraw employee access rights if abused. Discourage sharing of credentials. Provide employees with access to a password management package.
    Outcome
    There is an increased likelihood that only well-behaved, authorized personnel have access.
    Metric
    # Access rights audit exceptions
    # Grant/revoke of access rights by department
3. Intermediate
  • Practice
    Develop and use a formal procedure/authorization process for access control inclusive of access logging across IT and some business units. Review/Audit data access rights at regular intervals.
    Outcome
    Only appropriate access to data is allowed. Access rights are automatically assigned or removed based on role.
    Metric
    # Audit-reported unapproved accesses found
    # Access logs not implemented
    # Overdue access rights reviews
    ~ Trend in audit exceptions
4. Advanced
  • Practice
    Request the provision of meta-data to support the granularity and flexibility of control over access rights and the administration of access rights organization-wide. Log all accesses appropriately and scrutinize logs when anomalous activity is suspected. Audit access permissions and logs regularly.
    Outcome
    The administration and management of access rights is dynamic, flexible and controlled to ensure data and information are accessed appropriately.
    Metric
    # Meta-data requests outstanding
    # Meta-data not utilized in access controls
    # Unapproved or obsolete access rights revoked on audit
    # Missing access logs
    % Code not reviewed for access and logging controls
    Y/N Last administrator cannot be revoked
5. Optimized
  • Practice
    Regularly review with users and administrators the efficiency of access mechanisms and their controls. Fine tune and revise these for efficiency purposes while maintaining appropriate security levels for the data and information.
    Outcome
    Security measures protect business activity but do not hinder or obstruct the efficient operation of the business functions.
    Metric
    # User-requested improvements outstanding
    # Administration staff outstanding requests
    # Business managers / data stewards outstanding requests
    # Security impact complaints
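The Intermediate and Advanced practices above (role-based assignment and removal of rights, access logging, periodic audit of permissions, and the "last administrator cannot be revoked" check) can be made concrete in a small access-rights registry. The following is an added illustration, not code from the IVI framework or its viewer; the role names, users, rights and dates are constructed sample data, and the role model (`ROLE_RIGHTS`) is an assumption chosen for the example. The `audit` method returns the count that the Advanced-level metric "# Unapproved or obsolete access rights revoked on audit" asks for, and `remove_role` enforces the "last administrator" guard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed role model (constructed for this example): rights implied by each role.
ROLE_RIGHTS = {
    "admin": {"admin.console", "hr.read", "hr.write"},
    "hr_clerk": {"hr.read", "hr.write"},
    "analyst": {"hr.read"},
}


@dataclass
class Grant:
    """A direct (non-role) entitlement. approved_by=None marks an informal grant."""
    user: str
    right: str
    approved_by: Optional[str]
    expires: Optional[date]      # None = open-ended


class AccessRegistry:
    def __init__(self) -> None:
        self.user_roles: dict[str, set[str]] = {}
        self.direct_grants: list[Grant] = []
        self.log: list[tuple[str, str, str]] = []   # (event, actor, detail)

    def _record(self, event: str, actor: str, detail: str) -> None:
        # Append-only log so every grant/revoke/audit action is traceable.
        self.log.append((event, actor, detail))

    def _admin_count(self) -> int:
        return sum(1 for roles in self.user_roles.values() if "admin" in roles)

    def assign_role(self, user: str, role: str, actor: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)
        self._record("role_assigned", actor, f"{user}:{role}")

    def remove_role(self, user: str, role: str, actor: str) -> None:
        # "Last administrator cannot be revoked" control from the Advanced level.
        if role == "admin" and "admin" in self.user_roles.get(user, set()) \
                and self._admin_count() <= 1:
            raise PermissionError("refusing to remove the last administrator")
        self.user_roles.get(user, set()).discard(role)
        self._record("role_removed", actor, f"{user}:{role}")

    def grant(self, user: str, right: str, actor: str,
              approved_by: Optional[str] = None,
              expires: Optional[date] = None) -> None:
        self.direct_grants.append(Grant(user, right, approved_by, expires))
        self._record("grant", actor, f"{user}:{right}")

    def effective_rights(self, user: str, today: date) -> set[str]:
        """Rights derived from roles plus still-valid direct grants."""
        rights: set[str] = set()
        for role in self.user_roles.get(user, set()):
            rights |= ROLE_RIGHTS.get(role, set())
        for g in self.direct_grants:
            if g.user == user and (g.expires is None or g.expires >= today):
                rights.add(g.right)
        return rights

    def audit(self, today: date, actor: str = "auditor") -> int:
        """Revoke direct grants that were never approved or have expired.

        The return value is the metric
        '# Unapproved or obsolete access rights revoked on audit'.
        """
        kept, revoked = [], 0
        for g in self.direct_grants:
            obsolete = g.expires is not None and g.expires < today
            if g.approved_by is None or obsolete:
                revoked += 1
                self._record("audit_revoke", actor, f"{g.user}:{g.right}")
            else:
                kept.append(g)
        self.direct_grants = kept
        return revoked


def build_sample_registry() -> AccessRegistry:
    """Constructed sample data, not taken from the page."""
    reg = AccessRegistry()
    reg.assign_role("alice", "admin", actor="it_ops")
    reg.assign_role("bob", "analyst", actor="it_ops")
    # An informal, unapproved grant (Initial-level behaviour) ...
    reg.grant("bob", "hr.write", actor="bob_manager")
    # ... an approved grant that has since expired ...
    reg.grant("carol", "hr.read", actor="it_ops", approved_by="data_steward",
              expires=date(2024, 1, 31))
    # ... and an approved, open-ended grant that should survive the audit.
    reg.grant("carol", "admin.console", actor="it_ops", approved_by="ciso")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    today = date(2024, 6, 1)
    print("before audit:", {u: sorted(reg.effective_rights(u, today)) for u in ("bob", "carol")})
    print("revoked on audit:", reg.audit(today))
    print("after audit:", {u: sorted(reg.effective_rights(u, today)) for u in ("bob", "carol")})
```

Running the audit on the sample registry revokes two grants (the unapproved one and the expired one) and leaves the role-derived rights untouched, which is the behaviour the Intermediate outcome "access rights are automatically assigned or removed based on role" describes; the log records each revocation so the "# Missing access logs" metric can be checked against it.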