CERT Resilience Management Model, Version 1.2 Access Management (AM)
Abstract
The purpose of Access Management is to ensure that access granted to organizational assets is commensurate with their business and resilience requirements. In order to support services, assets such as information, technology, and facilities must be made available (accessible) for use. This requires that persons (employees and contractors), objects (such as systems), and entities (such as business partners) have sufficient (but not excessive) levels of access to these assets. Effective access management requires balancing organizational needs against the appropriate level of controls based on an asset's resilience requirements and business objectives. Insufficient access may translate into higher levels of asset protection but may impede the organization's ability to use the assets to their productive capacity. On the other hand, excessive levels of access (due to inadequate levels of control) expose assets to potential unauthorized or inadvertent misuse, which may diminish their productive capacity. Finding the right level of access for persons, objects, and entities so that they can perform their job responsibilities while satisfying the protection needs for the asset is a process that involves business owners, organizational units, and the owners and custodians of assets. In essence, these parties must come to agreement on what level of protection is sufficient given the need to meet objectives. Access management encompasses the processes that the organization uses to address this balancing act.
Document Details
- Document Type: Technical Report
- Publication Date: Feb 01, 2016
- Accession Number: AD1147135
Entities
People
- David W. White
- Julia H. Allen
- Lisa R. Young
- Nader Mehravari
- Pamela D. Curtis
- Richard A. Caralli
Organizations
- Carnegie Mellon University