The size of a company will determine the number of people needed, and the type of access will determine how to distribute staff for various provisioning functions.
For example, a small company that has a limited IT staff but no dedicated IT security group will have to make due with its existing IT department. In many smaller and midmarket companies, the IT staff handles everything -- managing the network, repairing hardware and workstations and setting up new users -- and that usually means issuing user IDs and passwords.
But for a larger company, particularly a global organization with far-flung offices around the globe, the internal support model has to be a bit more structured. Even if a company is only domestic but has many offices around the country, a dedicated access management group is still needed, preferably within the IT security department, if there is one.
Why the IT security department? Because access management is an IT security function. If there isn't a dedicated IT security team in place, then it should be handled by whomever sets up new users and maintains existing ones, usually part of a desktop or hardware group.
Functionally, If the company is big enough, the access management team should have its own manager or director who reports directly to the chief information security officer (CISO). This way someone at the director level or higher can coordinate all access management activities and make sure the access management department complies with the company's IT security policy.
In addition, compliance with regulations such as SOX, HIPAA and PCI require accounting for users and logging of their access to corporate systems. Establishing a senior management team to oversee access management makes it easier to assemble these reports for executives.
The type of access required by applications will govern how duties are split up within the team. If a corporation has a number of different applications, each requiring their own unique user IDs and passwords, the team may have to be split by application. There might be team members specializing in only Lotus Notes or Outlook access, another team for mainframe access and yet another for desktop and workstation access. But again, this is driven by the size and complexity of an organization.
If the company occasionally handles large projects, or it just acquired another company and needs to provision thousands of users at once, for example, it may makes sense to have a special projects team, if the staff resources are available.
As for daily operation, access provisioning is one of those never ending headaches in IT security. Staff will need to be available 24x7 to handle requests and the inevitable password resets. Companies with offshore locations may want to spread the work around the globe to achieve availability in every time zone where they operate.
Finally, establish clear access management procedures for support. Have the team accessible via a ticket system through the help desk or through a series of rotating pagers. All tickets and access management requests should be logged, so that malicious access can be tracked. Make sure someone is available at all times -- even in the middle of the night -- and has a backup. The last thing you want is to have employees calling or paging individual members of the team all the time for special favors. That's a prescription for chaos.
For more information
This was first published in February 2008