Page 997 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Managing the Identity and Access Provisioning Lifecycle


               The identity and access provisioning lifecycle refers to the creation,
               management, and deletion of accounts. Although these activities may
               seem mundane, they are essential to a system’s access control
               capabilities. Without properly defined and maintained user accounts,
               a system is unable to establish accurate identity, perform
               authentication, provide authorization, or track accountability. As
               mentioned previously, identification occurs when a subject claims an
               identity. This identity is most commonly a user account, but it also
               includes computer accounts and service accounts.


               Access control administration is the collection of tasks and duties
               involved in managing accounts, access, and accountability during the
               life of the account. These tasks are contained within three main
               responsibilities of the identity and access provisioning lifecycle:
               provisioning, account review, and account revocation.


               Provisioning


               An initial step in identity management is the creation of new accounts
               and provisioning them with appropriate privileges. Creating new user
               accounts is usually a simple process, but the process must be protected
               and secured via organizational security policy procedures. User
               accounts should not be created at an administrator’s whim or in
               response to random requests. Rather, proper provisioning ensures
               that personnel follow specific procedures when creating accounts.

               The initial creation of a new user account is often called an enrollment
               or registration. The enrollment process creates a new identity and
               establishes the factors the system needs to perform authentication. It
               is critical that the enrollment process be completed fully and
               accurately. It is also critical that the identity of the individual being
               enrolled be proved through whatever means your organization deems
               necessary and sufficient. Photo ID, birth certificate, background check,
               credit check, security clearance verification, FBI database search, and