The responsibilities for identity and access lie with the lines of business, the owners of data and applications, and IT management. The actual division of responsibilities will vary between organizations; the following is an illustration.
- The owners of data and application services are responsible for classifying the sensitivity of data.
- The lines of business managers are responsible for defining what access individuals within their organization should have to the applications and data.
- The HR department, in conjunction with line management, is responsible for performing background checks on new employees, initiating the on-boarding processes that grant access to IT systems, and initiating the off-boarding processes that remove access rights from employees leaving the organization.
- IT management is responsible for ensuring that the identity and access infrastructure is installed, configured and functioning correctly.
- The legal department is responsible for setting up the legal agreements for identity federation with partner and supplier organizations, as required by corporate management or line of business owners.
- Lines of business owners are also responsible for controlling access to systems by external users such as customers and partners.
In order to govern identity and access, there needs to be a set of measures against which performance can be judged. It is important that performance at the IT process level can be related back to the strategic business requirements. For example, if a strategic goal of an organization is to comply with EU privacy legislation, then it needs to process the personally identifiable data it holds within legally defined parameters. The identity and access processes necessary to meet these requirements include:
- The organization needs to know what relevant data it holds and to classify this data accordingly.
- Identity management processes need to manage each user's lifecycle correctly and in a timely manner, so that access is granted when a person joins or changes role and removed when they leave.
- The access management process needs to control which users have access to information. It also needs to ensure that users with privileged access do not access data without authorization.
- Processes must be in place to monitor and review which users hold access rights to the personal data and which users have actually accessed it.
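The four process requirements above can be checked against each other in a periodic access review. The following is an added example, not code from the article or from COBIT 5: it reconciles three constructed data sets (an HR roster carrying leaving dates, an entitlement store, and an access log) to find leavers who still hold access, accounts with no HR record, access after the leaving date, privileged users touching personal data, and entitlements that are never used. All users, applications, roles and dates are hypothetical, and a real review would draw them from the HR system, the identity store and the application logs.

```python
"""Access-review reconciliation over constructed sample data.

Reconciles three sources that the governance model keeps separate:
the HR roster (user lifecycle), the entitlement store (who may access
what) and the access log (who actually did). All data below is
constructed for the example; users, applications, roles and dates are
hypothetical.
"""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Roster = Dict[str, Tuple[str, Optional[date]]]   # user -> (department, leaving date)
Entitlements = Dict[str, Set[Tuple[str, str]]]    # user -> {(application, role)}
Classification = Dict[str, str]                   # application -> data class
LogEvent = Tuple[date, str, str, str]             # (date, user, application, action)

REVIEW_DATE = date(2024, 3, 31)                   # date the review is run
REVIEW_PERIOD_START = date(2024, 3, 1)            # log window under review

HR_ROSTER: Roster = {
    "alice": ("Finance", None),
    "bob": ("HR", date(2024, 3, 1)),              # left the organization on 1 March
    "carol": ("IT", None),
    "erin": ("Finance", None),
}
ENTITLEMENTS: Entitlements = {
    "alice": {("payroll", "user")},
    "bob": {("payroll", "user")},                 # still entitled after leaving
    "carol": {("payroll", "admin")},              # privileged role
    "dave": {("crm", "user")},                    # no HR record at all
    "erin": {("payroll", "user")},                # entitled but never uses it
}
CLASSIFICATION: Classification = {
    "payroll": "personal", "crm": "personal", "wiki": "internal",
}
ACCESS_LOG: List[LogEvent] = [
    (date(2024, 3, 5), "bob", "payroll", "read"),    # after bob's leaving date
    (date(2024, 3, 6), "carol", "payroll", "read"),  # admin reading personal data
    (date(2024, 3, 6), "alice", "payroll", "read"),
    (date(2024, 3, 7), "dave", "crm", "read"),
]


def orphaned_accounts(roster: Roster, ents: Entitlements, as_of: date) -> Set[str]:
    """Users holding entitlements with no HR record, or who left on/before as_of."""
    orphans: Set[str] = set()
    for user in ents:
        record = roster.get(user)
        if record is None or (record[1] is not None and record[1] <= as_of):
            orphans.add(user)
    return orphans


def access_after_leaving(roster: Roster, log: List[LogEvent]) -> List[LogEvent]:
    """Log events by users on or after their recorded leaving date."""
    hits = []
    for event in log:
        record = roster.get(event[1])
        if record and record[1] is not None and event[0] >= record[1]:
            hits.append(event)
    return hits


def privileged_access_to_personal_data(ents: Entitlements, cls: Classification,
                                       log: List[LogEvent],
                                       privileged=frozenset({"admin"})) -> List[LogEvent]:
    """Events where a user holding a privileged role reads personal data.

    These are not necessarily violations, but each one needs a documented
    authorization, so the review lists them for the data owner.
    """
    hits = []
    for event in log:
        _, user, app, _ = event
        roles = {role for a, role in ents.get(user, set()) if a == app}
        if cls.get(app) == "personal" and roles & privileged:
            hits.append(event)
    return hits


def access_review(ents: Entitlements, cls: Classification, log: List[LogEvent],
                  since: date) -> Dict[str, Dict[str, Set[str]]]:
    """Per application holding personal data: who is entitled, who actually
    accessed it since `since`, who is entitled but idle (candidates for
    removal), and who accessed it without a recorded entitlement."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for app, data_class in cls.items():
        if data_class != "personal":
            continue
        entitled = {u for u, e in ents.items() if any(a == app for a, _ in e)}
        used = {ev[1] for ev in log if ev[2] == app and ev[0] >= since}
        report[app] = {"entitled": entitled, "used": used,
                       "idle": entitled - used, "unentitled_use": used - entitled}
    return report


if __name__ == "__main__":
    print("orphaned accounts:", sorted(orphaned_accounts(HR_ROSTER, ENTITLEMENTS, REVIEW_DATE)))
    print("access after leaving:", access_after_leaving(HR_ROSTER, ACCESS_LOG))
    print("privileged access to personal data:",
          privileged_access_to_personal_data(ENTITLEMENTS, CLASSIFICATION, ACCESS_LOG))
    for app, findings in access_review(ENTITLEMENTS, CLASSIFICATION, ACCESS_LOG,
                                       REVIEW_PERIOD_START).items():
        print(app, {k: sorted(v) for k, v in findings.items()})
```

On the sample data the review flags bob (left, still entitled, and active after leaving) and dave (no HR record), lists carol's admin read of payroll for the data owner to confirm, and marks erin's unused payroll entitlement as a candidate for removal. The leaver and no-record checks map to the lifecycle requirement, the privileged-access check to the access management requirement, and the entitled-versus-used comparison to the monitoring and review requirement.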
Managing who can access what is fundamental to information security and to compliance with laws and regulations. Experience has shown that a technology-led approach to this is not effective; what is needed is good governance rather than more technology. One way to attain this is by adopting a holistic governance and management framework such as COBIT 5.