Access Management is concerned with managing people's rights of access to information and services. As such it shares purpose not only with Information Security Management but also with Availability Management, giving practical effect to the policies and requirements of both processes. Its goal is to ensure that the confidentiality, integrity and availability of information are effectively managed across the organization. Data and information must be protected against unauthorized access, theft and alteration, but they must also remain readily available to those who are authorized to use them.
A key part of Access Management is the management of people's rights to access information and services. People who have the right, in terms of business policy and need, to access information should have that right implemented through access controls. These rights must be consistent with relevant legislation, such as data protection legislation, and must be kept under review and changed or revoked when a person's status changes within the organization (for example a role change, transfer or departure) or when a material risk is identified.
In order for access rights to have proper effect and value, Access Management must ensure that people can be properly identified: each person must have a unique identity to which their rights can be attached and to which activities, legitimate or otherwise, can be traced. Shared or generic accounts defeat this, because an action can no longer be attributed to an individual. Identity management is therefore critical to effective Access Management, preventing, for example, one person from pretending to be another and hijacking their rights to access and change information or, some would say even more importantly, to create new information. Organizations must also manage circumstances in which access controls may be bypassed, for example where software developers require access to live systems during Incident Management. Such emergency access should be granted explicitly, limited in time and scope, logged, and reviewed after the incident so that it does not become a standing bypass of the normal controls.
The security objective of an organization is usually considered to be met when availability, confidentiality, integrity, authenticity and non-repudiation are under control. These are defined below:
• Availability - Information is accessible and usable when required, and the host systems can resist attacks and prevent, or recover from, failures.
• Confidentiality - Information is observed by or disclosed only to those who have a right to know.
• Integrity - Information is complete, accurate and protected against unauthorized modification.
• Authenticity - Information is correctly labeled and attributed to its true originator, preventing, for example, the sender of an email from making it appear that the email came from another person. Authenticity is about ensuring that business transactions, as well as information exchanges between enterprises or with partners, can be trusted to have come from the party they claim to come from.
• Non-repudiation - The property, and the mechanisms that provide it, by which the originator of a transaction cannot falsely deny having originated it, and the receiver cannot falsely deny having received it. Unlike authenticity, which is established between the parties, non-repudiation requires evidence that can convince a third party after the fact.