IVI Framework Viewer

Access Rights Management

C2

Manage user access rights to information throughout its life cycle, including the granting, denying, and revoking of access privileges.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Access Rights Management at each level of maturity.

2 Basic
  • Practices
    • Establish basic login requirements for systems with sensitive data.
    • Plan how security clearance levels for access rights can be mapped to roles and datasets, and establish some sanctions for access right abuses.
    Outcome
    There is increased likelihood that only authorized personnel have access to systems and data.
    Metric
    # of grants and revokes of access rights by department.
3 Intermediate
  • Practices
    • Develop and document the authorization approach to grant access rights in line with security classifications for most roles.
    • Grant access rights only to formally approved applicants (e.g. based on the principles of least privilege, need-to-have, or need-to-know), and provide documentary evidence to support most existing access rights.
    Outcome
    Only appropriate access to systems and data is allowed, in line with security classifications and access permissions.
    Metric
    # of grants and revokes of access rights by department.
  • Practice
    Periodically audit access rights, particularly in relation to highly sensitive data, and identify corrective actions where necessary.
    Outcome
    Key access rights issues are evident, and steps can be taken to rectify them.
    Metrics
    • # of audit reported unapproved accesses.
    • # of unapproved or obsolete access rights revoked on audit.
    • # of access rights audit exceptions.
    • # of access logs not implemented.
4 Advanced
  • Practices
    • Use semi-automated approaches for the requesting, approval, and granting of access rights with some self-service capability.
    • Synchronize changes to access rights with the organization's human resources system, so that joiners (new employees), movers (transfers and promotions), and leavers have their corresponding privileges granted, adjusted, or removed.
    • Base authorizations and revocations on approved changes or those triggered by changes in the scope of an employee's responsibilities or by an employee moving to a different job role.
    Outcomes
    • The administration and management of access rights is dynamic, flexible, and controlled to ensure data and information are accessed appropriately.
    • Access rights can be automatically assigned, reassigned, or removed based on job role.
    Metrics
    • # of grants and revokes of access rights by department.
    • Y/N re access rights synchronization with HR system.
  • Practice
    Regularly audit access rights and act upon detected anomalies.
    Outcome
    There is organization-wide confidence that access rights are properly implemented and that any issues are effectively rectified.
    Metrics
    • # of audit reported unapproved accesses.
    • # of unapproved or obsolete access rights revoked on audit.
    • # of access rights audit exceptions.
    • # of access logs not implemented.
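The two practices above that are mechanical rather than organizational, the periodic audit of access rights at the Intermediate level (finding unapproved or obsolete rights) and the synchronization of access rights with the HR system at the Advanced level (joiners, movers, leavers), can be implemented as one reconciliation job. The script below is an added illustration and is not part of the IVI framework or of any product. It assumes three inputs whose shapes are constructed inline: a role model that maps job roles to allowed entitlements, an HR feed with one record per person, and an entitlement store that records, for each held right, the change or exception reference that approved it (or None). Leavers and accounts with no HR record lose every right; active users are granted missing role rights; rights outside the role model are kept as documented exceptions if they carry an approval reference and are otherwise queued for revocation. The report also counts grants and revokes by department, the metric repeated at every maturity level.

```python
"""Joiner/mover/leaver reconciliation of access rights against an HR feed.

Added example, not part of the IVI page. The role model, HR feed and
entitlement store below are constructed sample data; a real job would
pull them from the HR, IAM and application systems.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed role model: the entitlements each job role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "payroll_analyst": {"payroll_app:user", "hr_db:read"},
    "payroll_manager": {"payroll_app:user", "payroll_app:approver", "hr_db:read"},
    "software_engineer": {"git:developer", "ci:runner"},
}

# Constructed HR feed: status drives leaver handling, role drives entitlements.
HR_FEED = [
    {"id": "u100", "dept": "Finance", "role": "payroll_analyst", "status": "active"},
    {"id": "u101", "dept": "Finance", "role": "payroll_manager", "status": "active"},
    {"id": "u102", "dept": "Engineering", "role": "software_engineer", "status": "active"},
    {"id": "u103", "dept": "Finance", "role": "payroll_analyst", "status": "terminated"},
]

# Constructed entitlement store: (user, entitlement, approval reference or None).
# u100 moved from manager to analyst and still holds approver with no approval.
# u101 is a manager missing the approver right; u102 lacks ci:runner (joiner).
# u102 also holds an approved exception outside the role model.
# u103 has left. u999 appears in no HR record (orphan account).
ENTITLEMENTS = [
    ("u100", "payroll_app:user", "CHG-1001"),
    ("u100", "hr_db:read", "CHG-1001"),
    ("u100", "payroll_app:approver", None),
    ("u101", "payroll_app:user", "CHG-1002"),
    ("u101", "hr_db:read", "CHG-1002"),
    ("u102", "git:developer", "CHG-1003"),
    ("u102", "prod_db:read", "EXC-0042"),
    ("u103", "payroll_app:user", "CHG-0900"),
    ("u999", "hr_db:read", "CHG-0100"),
]


@dataclass
class ReconcileReport:
    grants: list = field(default_factory=list)      # (user, entitlement)
    revokes: list = field(default_factory=list)     # (user, entitlement, reason)
    exceptions: list = field(default_factory=list)  # (user, entitlement, approval_ref)

    def by_department(self, hr_feed):
        """Count grants and revokes per department; orphans land in 'unknown'."""
        dept = {r["id"]: r["dept"] for r in hr_feed}
        counts = {"grants": Counter(), "revokes": Counter()}
        for user, *_ in self.grants:
            counts["grants"][dept.get(user, "unknown")] += 1
        for user, *_ in self.revokes:
            counts["revokes"][dept.get(user, "unknown")] += 1
        return counts


def reconcile(hr_feed, entitlements, role_model):
    """Compare held entitlements with the HR feed and role model."""
    people = {r["id"]: r for r in hr_feed}
    held = defaultdict(dict)  # user -> {entitlement: approval_ref}
    for user, ent, ref in entitlements:
        held[user][ent] = ref
    report = ReconcileReport()

    # Pass 1: everyone who holds something. Leavers and orphan accounts lose
    # all rights; active users keep role rights, documented deviations are
    # flagged as exceptions, undocumented ones are revoked.
    for user, ents in held.items():
        person = people.get(user)
        if person is None:
            reason = "orphan account (not in HR feed)"
        elif person["status"] != "active":
            reason = "leaver"
        else:
            reason = None
        allowed = set() if reason else role_model.get(person["role"], set())
        for ent, ref in ents.items():
            if reason:
                report.revokes.append((user, ent, reason))
            elif ent in allowed:
                continue  # right is explained by the role model
            elif ref:
                report.exceptions.append((user, ent, ref))
            else:
                report.revokes.append((user, ent, "outside role model, no approval"))

    # Pass 2: active people missing a right their role requires (joiners, movers).
    for user, person in people.items():
        if person["status"] != "active":
            continue
        missing = role_model.get(person["role"], set()) - set(held.get(user, {}))
        for ent in sorted(missing):
            report.grants.append((user, ent))
    return report


if __name__ == "__main__":
    rep = reconcile(HR_FEED, ENTITLEMENTS, ROLE_ENTITLEMENTS)
    for name in ("grants", "revokes", "exceptions"):
        for row in getattr(rep, name):
            print(f"{name:10s} {row}")
    print(rep.by_department(HR_FEED))
```

Run as a scheduled job, the `revokes` list is the input to the "unapproved or obsolete access rights revoked on audit" metric, `exceptions` is the list that access owners must re-attest, and the empty-approval check is what makes the Intermediate requirement for documentary evidence enforceable rather than aspirational.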
5 Optimized
  • Practices
    • Continually review the effectiveness of access rights mechanisms and their controls with users and administrators.
    • Fine tune the approaches used based on the latest recommendations from security agencies, vendors, and emerging research.
    Outcomes
    • Access rights measures effectively protect systems and data but do not hinder or obstruct the efficient operation of the business functions.
    • Account abuses and misuses are almost non-existent.
    Metrics
    • # of grants and revokes of access rights by department.
    • # of user requested improvements outstanding.
  • Practice
    Continually and rigorously scrutinize data, systems, applications, and network access activity to identify opportunities for improving access control.
    Outcome
    Access rights are kept effective and relevant.
    Metrics
    • # of audit reported unapproved accesses.
    • # of unapproved or obsolete access rights revoked on audit.
    • # of access rights audit exceptions.
    • # of access logs not implemented.
    • # of overdue access rights reviews.