Access Management Process
2 Access management process 2.1 Overview and process diagram The process of access management is shown in Figure 1 and summarised below. Changes to access for individuals may arise for a number of reasons, including new starters, leavers, secondments and promotions and they will therefore be submitted from a number of sources such as Human Resources, line management and the individual themselves. It is important that the rules for granting, removing and amending access are clear and are in line with [Organization Name] information security policies. These rules include who may approve such access and this will vary according to the system or area involved. Access management has a strong link with the request fulfilment process as this will usually be used as the vehicle for processing access requests; a request model will therefore exist for each type of access request and will include the appropriate routing for approval. Checks will be made at each stage of the process to ensure that the people involved are who they say they are and that the correct approvals are given at each stage. The security management information system will be used to enable this. Once checked and approved, the access request will be carried out according to its type (e.g. new, change or removal). Separation of duties between the IT analysts involved will also be in place so that no one person is able to carry out a task on their own e.g. create a new user and provide that account with access to resources. This policy will be implemented with appropriate access restrictions on the members of the team carrying it out. In addition to fulfilling requests related to access management, the process also involves monitoring levels of access and identifying occasions where the access control policy has been violated e.g. when one user uses another’s account to access a system. Such instances will be raised as security incidents via the incident management process. Regular access reports will also be produced to allow system owners to verify that the users and their access levels are correct.
Version 1
Page 11 of 36
[Insert date]
