ITIL Access Management|Access Management Best Practices
Access Management Best Practices
Best practices are those real practices that have delivered efficient, effective, and excellent results in the IT processes and real operations.
Best practices for access management processes and operations can be defined as mentioned below:
Planning is a must for implementing access management
Implementation of access management should not start with tool implementation; instead, it should start with definition of access management processes understanding vision, business drivers, and goals.
Planning should involve analysis on aspects like:
- What requirements are there for the identity, access privileges, privileged identity, etc.
- Repositories currently used
- Understanding and address the concerns of application owners, administrators, and other key stakeholders.
- Involvement of the all key stakeholders (HR and IT teams) in the project implementation right from the beginning.
- Definition of IAM processes should be done by referring to ITIL, MOF, and COBIT best practices.
Selection of Access management tools
- Select and purchase the access management tools – only after PoC (Proof of Concept) and written documentation mentioning what is out of the box and what needs customization.
- Tools should have features like authentication, authorization, access controls, SOD, PAM (Privileged Access Management), identity federation, and multi-factor authentication for effective confidentiality, integrity, and non-repudiation.
- Selection of the solution should be based on scalability, ease for maintenance, and integration with other applications.
Regular training sessions
- Training sessions on access management process, policies, procedures and technical knowledge is a must which should happen at regular intervals.
- Most of the delays and discrepancies in access management operations happen due to unawareness on process, policies, and procedures; hence, it is a mandatory objective for IT management to conduct training sessions which can bring thorough awareness to all stakeholders. Management should also conduct exams and assessments to evaluate the proficiency of the staff, and reward them with some gifts or incentives.
Reusing the existing infrastructure
- Leverage existing identity and access infrastructure
- Create links between IT roles and business roles.
- Automate identity administration tasks like provisioning, de-provisioning, reconciliation, password reset, access controls, audits at regular intervals, etc.
- Automation improves the user satisfaction through timely creation, provision of IT accounts, and access to respective services and resources.
- Perform a post implementation review after IAM implementation in the infrastructure.
- Deploy IAM solutions on applications and users in a phased approach one after the other.
- Conduct appropriate risk analysis before deployment of any major tasks.
- Fully backup IAM objects (with data) at regular intervals.
- Adhere to IS (Information Security) policies in IT operational activities.
- Conduct internal audits with specifications and code of practices as defined in ISO/IEC27001 and ISO/IEC27002.
- Regulations like SOX, HIPAA, GLBA, Basel II have become a mandatory aspect for all multinational companies, by regular auditing, information security risks are mitigated.