The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 161

Proofing


Provisioning starts with an initial claim of identity and a request to create a set of credentials for that identity; typically, a responsible manager in the organization must approve requests to provision new identities. (This is an example of separation of duties: the IT provisioning clerk who creates the account is not the person who approves it, so no single individual can create new identities surreptitiously.) Key to this step is identity proofing, which separately validates that the evidence of identity submitted by the applicant is truthful, authoritative, and current. Such evidence might include the following:

 Identity cards or papers, such as government-issued ID cards, passports, or birth certificates. You validate these against third-party identity verification systems (which should draw directly from the databases that support those government ID processes, rather than merely inspecting the document for plausibility).

 Citizenship, permanent resident, or right to reside and work status, as pertains to the country in which the applicant will perform work-related functions for you. You'll validate this via official channels or third parties who can access that data for you.

 Personal employment history data, which you validate via credit histories or by direct contact with the employers listed.

 Residential address information, supported by applicant-provided utility bills, leases, or deeds, which you validate via issuing parties or agencies.

 Personal and professional references, which you validate by contacting the referees directly.

 Legal, criminal, or other court system records. (Your human resources management screening functions often have a “block-crimes” list, which they use to preclude hiring someone with such convictions as a way of limiting the company's exposure to risks. Note that the old-fashioned concept of a “crime of moral turpitude” can include such acts as making false statements to government officials, which might be a valid indicator of a personal integrity risk.)

 Open source information via social media websites, web searches, news media, and so on.

Whether your organization uses a few of these proofing techniques, all of them, or adds still more to the proofing process should be driven by the overall risk management process and by the requirements for personnel integrity and reliability that it produces.

All of that results in the first decision: whether to hire the individual in question and for what duties. That decision in turn drives the decisions as to what information assets they will need to use and what information or business processes they will need to execute to perform those duties. From there it should follow in fairly straightforward ways which systems, platforms, and server-provided services the individual will need access to and what mix of privileges they will need on each of those systems or platforms.
