Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 164

Three major activities—account access review, auditing, and enforcement—should be part of the ongoing monitoring and assessment of the health, status, and effective operation of any identity management and access control system. As you might expect, the particular CIANA+PS needs of your organization should drive how rigorous and extensive these efforts are—and what you do when you discover indications that something about a particular identity, its privileges, and the actions taken in its name reveals.

Let's start with account review. In the case of human users who have identities in your systems, this review should encompass two sets of data being reviewed by the right team of information risk managers from IT, human resources management, functional area supervisors or division managers, and possibly your legal team.

 Identity data review: Individual employees of almost any organization will go through any number of changes in their jobs as well as in their personal lives. Some of these changes are probably reflected in the organization's human resources (HR) or payroll functions; these systems do not, as a general rule, automatically notify IT security departments or the integrated IAM system that a change has occurred. Changes in marital status, significant changes in credit score or indebtedness, or legal actions (such as lawsuits, divorces, child custody actions, or criminal matters) might all be events in any person's life. The key question, though, is whether your security needs dictate such a high degree of personnel integrity and reliability that changes of these types are warning signs of greater risk levels regarding the affected employee.

 Privilege and access review: Regardless of changes in personal circumstances, all of your employees who have access to organizational IT systems and information assets should have a periodic review of those access privileges in the context of their current job or duties.

Note that in both cases, employment law and regulations may establish constraints or conditions as to how these sorts of reviews are done, how frequently they can be done, or whether changes in conditions outside of job-related functional requirements provide reasonable grounds for such a review. Your organization's HR and legal teams, as well as your compliance officer (or department), should take the lead on ensuring this is done properly. In any event, your organization should create and use detailed, specific procedures for these reviews, that specify what data to gather and how it is evaluated in the context of such a review. Procedures should also provide for an employee appeal process—quite often bad data or poorly validated data has either granted or denied access and privileges in both incorrect and damaging ways.

Other factors to balance when establishing such review processes should include:

 How frequently employees change jobs, in ways that may require changes in access privileges

 The pace of change, generally speaking, across your organization (or its individual but larger business units)

 The burden that such reviews place on administrative, IT, and other staff within the organization

 The direct and indirect costs of such reviews

After all, these reviews are a safeguard—they are an administrative control that is attempting to mitigate the risk of privilege abuse leading to an information security incident and the loss or damage that results from it. In all things, seek a cost-effective balance.

Account access review should consider two broad categories of accounts: users and systems. Let's take a closer look at each.