DS05 Security Access Management

DS05: Security Access Management

Version 1.0

Printable Version

Version History

1. Description

Ensure that access to the systems, data and programmes is restricted to authorized users.

2. Service Activities

Manage Security Measures: Technology security should be managed such that security measures are in line with business requirements. This includes: translating risk assessment information to IT security plans, implementing and monitoring the IT security plan, and, updating it to reflect changes in the IT configuration, assessing the impact of change requests on IT security, aligning IT security procedures to other policies and procedures.
Identifying and authenticating access : The logical access to, and use of the information services function’s computing resources.
User Account Management: Ensure timely action relating to requesting, establishing, issuing, suspending and closing of user accounts.
Data Classification: classify data in terms of sensitivity by a formal and explicit decision by the data owner according to the data classification scheme.
Violation and Security Activity Reports: assure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorized activity.
Incident Handling: Maintain a computer security incident handling capability to address security incidents
Cryptographic Key Management: define and implement procedures and protocols to be used for generation, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.
Malicious Software Prevention, Detection and Correction: Regarding malicious software, such as computer viruses or trojan horses, management should establish a framework of adequate preventative, detective and corrective control measures,

3. Key Goal Indicators

No incidents causing public embarrassment
Immediate reporting on critical incidents
Alignment of access rights with organisational responsibilities
Reduced number of new implementations delayed by security concerns
Full compliance, or agreed and recorded deviations from minimum security requirements
Reduced number of incidents involving unauthorised access, loss or corruption of information

ebc Service Commitments

the development and presentation of EBC security program per ministry, at ITMCs and potentially MMCs, including threat risk and vulnerability assessments, business continuity planning, information classification, disaster recovery planning and testing, security clearance implementation, inappropriate use, security training, etc, and implementation of approved ministry priorities,
Review and recommendations, and if approved, implementation of a new firewall configuration for Thunder Bay operations, prior to new ViSION implementation,

4. Key Performance Indicators

Reduced number of security-related service calls, change requests and fixes
Amount of downtime caused by security incidents
Reduced turnaround time for security administration requests
Number of systems subject to an intrusion detection process
Number of systems with active monitoring capabilities
Reduced time to investigate security incidents
Time lag between detection, reporting and acting upon security incidents
Number of IT security awareness training days

ebc Service Commitments

Logon and Application ID and Password Issuance

upon management approval and receipt of a Network Access Request Form (NARF), and after being acknowledged within 1 day, a logon or application ID and password will be issued within 5 business days, 95% of the time,

Upon special request a premium level of service can be invoked where the 5 days are collapsed to 1 business day,

Upon receipt of a Service Request at the ebc Service Desk,

a logon password will be acknowledged within 20 seconds and completed within 1 hours 95% of the time,

an application password will be acknowledged within 20 seconds and completed within 2 hours 95% of the time,

a PKI certificate will be acknowledged within 1 day and modified within 10 days, 95% of the time.

5. Critical Success Factors

An overall security plan is developed that covers the building of awareness, establishes clear policies and standards, identifies a cost-effective and sustainable implementation, and defines monitoring and enforcement processes
There is awareness that a good security plan takes time to evolve
The corporate security function reports to senior management and is responsible for executing the security plan
Management and staff have a common understanding of security requirements, vulnerabilities and threats, and they understand and accept their own security responsibilities
Third-party evaluation of security policy and architecture is conducted periodically
A “building permit” programme is defined, identifying security baselines that have to be adhered to
A “drivers licence” programme is in place for those developing, implementing and using systems, enforcing security certification of staff
The security function has the means and ability to detect, record, analyse significance, report and act upon security incidents when they do occur, while minimising the probability of occurrence by applying intrusion testing and active monitoring
A centralised user management process and system provides the means to identify and assign authorisations to users in a standard and efficient manner
A process is in place to authenticate users at reasonable cost, light to implement and easy to use

6. Additional Information

Maturity Level Characteristics


0	1	2	3	4	5