Page 1112 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Organizations that do not have time to conduct this thorough process may use sampling instead. In this approach, managers pull a random sample of accounts and perform a full verification of the process used to grant permissions for those accounts. If no significant flaws are found in the sample, they make the assumption that this is representative of the entire population.

Sampling only works if it is random! Don't allow system administrators to generate the sample or use nonrandom criteria to select accounts for review, or you may miss entire categories of users where errors may exist.

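As an added example (not from the study guide), the sampling review described above in Python: the sample is drawn from the operating system's CSPRNG rather than chosen by an administrator, each sampled account is checked against its approved access request, and a coverage check reports any user category the sample failed to touch. The account inventory and its `held`/`approved` fields are constructed for illustration.

```python
import random

# Constructed inventory: what each account holds now versus what its
# approved access request granted (hypothetical field names).
ACCOUNTS = [
    {"user": "alice", "category": "employee",   "held": {"crm:read"},              "approved": {"crm:read"}},
    {"user": "bob",   "category": "employee",   "held": {"crm:read", "crm:admin"}, "approved": {"crm:read"}},
    {"user": "carol", "category": "contractor", "held": {"vpn"},                   "approved": {"vpn"}},
    {"user": "dave",  "category": "contractor", "held": {"vpn", "db:write"},       "approved": {"vpn"}},
    {"user": "svc-backup", "category": "service", "held": {"backup:run"},          "approved": {"backup:run"}},
    {"user": "erin",  "category": "employee",   "held": {"hr:read"},               "approved": {"hr:read"}},
]


def draw_sample(accounts, size, rng=None):
    """Pick `size` accounts uniformly at random. The default source is the OS
    CSPRNG, so neither an administrator nor a predictable seed steers the pick."""
    rng = rng or random.SystemRandom()
    return rng.sample(accounts, size)


def verify_account(account):
    """Full verification of one sampled account: every permission it holds must
    trace back to an approved request. Returns the permissions that do not."""
    return account["held"] - account["approved"]


def categories_not_covered(accounts, sample):
    """User categories present in the population but absent from the sample.
    A non-empty result means the review says nothing about those users."""
    return {a["category"] for a in accounts} - {a["category"] for a in sample}


def review(accounts, size, rng=None):
    """Run one sampling review and return what a manager would record."""
    sample = draw_sample(accounts, size, rng)
    findings = {a["user"]: verify_account(a) for a in sample if verify_account(a)}
    return {
        "sampled": [a["user"] for a in sample],
        "findings": findings,
        "uncovered_categories": categories_not_covered(accounts, sample),
    }


if __name__ == "__main__":
    print(review(ACCOUNTS, 3))
```

A full-population run (size equal to the inventory) is the "thorough process"; any smaller size is the sampling shortcut, and a non-empty `uncovered_categories` is the warning the tip above describes.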
Organizations may also automate portions of their account review process. Many identity and access management (IAM) vendors provide account review workflows that prompt administrators to conduct reviews, maintain documentation for user accounts, and provide an audit trail demonstrating the completion of reviews.

Backup Verification
In Chapter 18, "Disaster Recovery Planning," you will learn the importance of maintaining a consistent backup program. Managers should periodically inspect the results of backups to ensure that the process functions effectively and meets the organization's data protection needs. This may involve reviewing logs, inspecting hash values, or requesting an actual restore of a system or file.

Key Performance and Risk Indicators
Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary from organization to organization but may include the following:

Number of open vulnerabilities
Time to resolve vulnerabilities
Vulnerability/defect recurrence