Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 167

It may seem strange to separate account reviews from account auditing. Reviews have as their focus the task of identifying any cases of privilege creep or the retention of privileges no longer required for that user ID to perform its currently assigned set of functions, tasks, or duties. Reviews may be periodic or based on known changes in circumstances, such as a change of jobs or changes in the software and systems themselves. Reviews are more often than not performed internally by the organization and its own people, using internally generated procedures and measurement or assessment standards. By contrast, audits are used to generate an evidence-grade record of behavior on the part of one or more user IDs, either as part of troubleshooting a problem, investigating an incident, or building a forensics case to support a legal or administrative corrective action. Audits are often required (by law or by insurance or financial services regulations) to be done by outside auditors who may have to meet various certification standards, producing audit findings and reports that are authoritative.

Note that in many organizations it's common to refer to a special, circumstances-driven review of a particular user account or set of accounts as an informal audit. This often happens when there is sufficient grounds to worry that an employee or a group of employees may be acting in ways that violate inappropriate systems use policies or that their accounts (rather than they themselves) have been hijacked by others.

Whether it's a review or an audit, formal or informal, it's good practice to get the requesting management or leadership team's clear statement of the purpose and expectations regarding this examination of the data from the third A in AAA.