Page 1111 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
users are not abusing their privileges. For example, if an information
security team has access to eDiscovery tools that allow searching
through the contents of individual user files, security managers should
routinely review the logs of actions taken by those administrative users
to ensure that their file access relates to legitimate eDiscovery
initiatives and does not violate user privacy.
Network flow (NetFlow) logs are particularly useful when
investigating security incidents. These logs provide records of the
connections between systems and the amount of data transferred.
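The two things the paragraph says NetFlow records give an investigator, which systems talked to which and how much data moved between them, are the two questions the following added example answers over constructed flow records. This is illustrative code written for this page, not the study guide's own material or any vendor's NetFlow tooling; the CSV layout, the field names, the internal address range and the 500 MB threshold are all assumptions.

```python
"""Summarize constructed NetFlow-style records to support an investigation.

Added example, not from the study guide. The record format is a simplified,
constructed CSV (not a vendor export format); field names and the internal
network range are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp, source, destination, dst port,
# protocol, bytes transferred in that flow.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2024-03-01T02:10:05,10.0.0.15,10.0.0.2,445,tcp,120000
2024-03-01T02:11:40,10.0.0.15,203.0.113.40,443,tcp,850000000
2024-03-01T02:12:01,10.0.0.22,198.51.100.7,443,tcp,4200
2024-03-01T02:15:30,10.0.0.15,203.0.113.40,443,tcp,920000000
2024-03-01T03:00:12,10.0.0.9,10.0.0.2,445,tcp,64000
"""

# Assumed internal address space for the constructed network.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_flows(text):
    """Parse the CSV into dicts, converting numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def outbound_volume(flows):
    """Total bytes per (src, dst) pair for flows leaving the internal network.

    Flows are aggregated because a large transfer is usually spread across
    many individual records; per-record sizes alone can hide it.
    """
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def flag_large_transfers(flows, threshold_bytes=500_000_000):
    """Return (src, dst, total) tuples whose outbound total exceeds the threshold."""
    return sorted(
        (src, dst, total)
        for (src, dst), total in outbound_volume(flows).items()
        if total > threshold_bytes
    )


def peers_of(flows, host):
    """Every system a host exchanged traffic with, in either direction."""
    peers = set()
    for f in flows:
        if f["src"] == host:
            peers.add(f["dst"])
        elif f["dst"] == host:
            peers.add(f["src"])
    return sorted(peers)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, total in flag_large_transfers(flows):
        print(f"{src} -> {dst}: {total:,} bytes outbound")
    print("peers of 10.0.0.15:", peers_of(flows, "10.0.0.15"))
```

In the constructed data the two 443/tcp flows from 10.0.0.15 to 203.0.113.40 add up to about 1.77 GB, so that pair is flagged while the SMB traffic between internal hosts is not; `peers_of` gives the list of systems an investigator would pivot to next.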
Account Management
Account management reviews ensure that users retain only the permissions
they are authorized to hold and that no unauthorized modifications to
accounts or privileges have occurred.
Account management reviews may be a function of information
security management personnel or internal auditors.
One way to perform an account management review is to examine every
account in scope. Because of the time this consumes, such a full review
is typically limited to highly privileged accounts. The exact process
varies from organization to organization, but here is one example:
1. Managers ask system administrators to provide a list of users with
privileged access and the privileged access rights each holds. Managers
may observe the administrator while the list is generated so that it
cannot be tampered with.
2. Managers ask the privilege approval authority to provide a list of
authorized users and the privileges they should be assigned.
3. The managers then compare the two lists to ensure that only
authorized users retain access to the system and that the access of
each user does not exceed their authorization.
This process may include many other checks, such as verifying that
terminated users do not retain access to the system, checking the
paper trail for specific accounts, or other tasks.
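The comparison in steps 1 to 3, together with the terminated-user check mentioned afterwards, is a reconciliation of two lists. The following added example carries it out over constructed data; it is illustrative code written for this page, not the study guide's own procedure or any product's feature, and the account names, privilege names and list layout are all assumptions.

```python
"""Reconcile privileged access actually granted on a system (step 1) against
the access the approval authority authorized (step 2), and report the
differences (step 3) plus terminated users who still hold access.

Added example, not from the study guide. All three inputs are constructed;
their layout (user -> set of privilege names) is an assumption.
"""

# Constructed: the system administrator's list of privileged users and rights.
ACTUAL = {
    "alice": {"domain_admin", "backup_operator"},
    "bob":   {"backup_operator"},
    "carol": {"domain_admin"},
    "dave":  {"backup_operator", "schema_admin"},
}

# Constructed: the privilege approval authority's list of authorized access.
AUTHORIZED = {
    "alice": {"domain_admin", "backup_operator"},
    "bob":   {"backup_operator"},
    "dave":  {"backup_operator"},
    "erin":  {"domain_admin"},
}

# Constructed: users HR reports as terminated.
TERMINATED = {"carol"}


def reconcile(actual, authorized, terminated=frozenset()):
    """Return a sorted list of (finding, user, privileges) tuples.

    Findings, in decreasing severity:
      terminated_user_retains_access  - user left but still has rights
      unauthorized_account            - privileged account never approved
      excess_privilege                - approved user holds extra rights
      authorized_but_missing          - approved access not actually granted
    The last category is informational; it is a data-quality signal for the
    authorization list rather than an access-control failure.
    """
    findings = []
    for user, rights in sorted(actual.items()):
        if user in terminated:
            findings.append(("terminated_user_retains_access", user, sorted(rights)))
            continue
        if user not in authorized:
            findings.append(("unauthorized_account", user, sorted(rights)))
            continue
        excess = rights - authorized[user]
        if excess:
            findings.append(("excess_privilege", user, sorted(excess)))
    for user in sorted(set(authorized) - set(actual)):
        findings.append(("authorized_but_missing", user, sorted(authorized[user])))
    return findings


def access_is_clean(actual, authorized, terminated=frozenset()):
    """True only when no access-control finding exists (missing access is ignored)."""
    return all(
        kind == "authorized_but_missing"
        for kind, _, _ in reconcile(actual, authorized, terminated)
    )


if __name__ == "__main__":
    for kind, user, privs in reconcile(ACTUAL, AUTHORIZED, TERMINATED):
        print(f"{kind:32} {user:8} {', '.join(privs)}")
```

With the constructed lists the review flags carol, who was terminated but still holds domain_admin, and dave, who holds schema_admin without approval; alice and bob match their authorizations exactly. Because the comparison is driven by the approval authority's list rather than the administrator's, an administrator who adds an account to the system cannot make it look approved.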

