Page 998 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

even calling references are all valid forms of verifying a person's identity before enrolling them in any secured system.

Many organizations have automated provisioning systems. For example, once a person is hired, the HR department completes initial identification and in-processing steps and then forwards a request to the IT department to create an account. Users within the IT department enter information such as the employee's name and their assigned department via an application. The application then creates the account using predefined rules. Automated provisioning systems create accounts consistently, such as always creating usernames the same way and treating duplicate usernames consistently. If the policy dictates that usernames include first and last names, then the application will create a username as suziejones for a user named Suzie Jones. If the organization hires a second employee with the same name, then the second username might be suziejones2.


If the organization is using groups (or roles), the application can automatically add the new user account to the appropriate groups based on the user's department or job responsibilities. The groups will already have appropriate privileges assigned, so this step provisions the account with appropriate privileges.

As part of the hiring process, new employees should be trained on organization security policies and procedures. Before hiring is complete, employees are typically required to review and sign an agreement committing to uphold the organization's security standards. This often includes an acceptable use policy.

Throughout the life of a user account, ongoing maintenance is required. Organizations with static organizational hierarchies and low employee turnover or promotion will conduct significantly less account administration than an organization with a flexible or dynamic organizational hierarchy and high employee turnover and promotion rates. Most account maintenance deals with altering rights and privileges. Procedures similar to those used when creating new accounts should be established to govern how access is changed throughout the life of a user account. Unauthorized increases or decreases in an account's access capabilities can cause serious security