Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 181

You might say that there are two kinds of organizations in this world: those with thoughtful, deliberate, and effective information security plans and processes already in effect when an information security event occurs and those that realize the need for those security processes after their first major security breach has disrupted their business. Ideally, your organization is more of the former and less of the latter. In either case, the information risk assessment leads to an information classification policy that dictates how types or groups of users need to use information assets to get vital business processes accomplished. That mapping of the confidentiality, integrity, availability, nonrepudiation, and authentication aspects of information security needs to groups of users (or types of roles and functions users can take on) is the starting point for identity management and access control, as you've seen throughout this chapter.

Those CIANA+PS attributes guide your work in creating and managing the process by which identities are created for people and processes and by which privileges are assigned that allow (or deny) these identities the capabilities to do things with the information assets you're charged with protecting. You've seen how this involves creating and maintaining trust relationships that allow different access control strategies and techniques to be put in place. These are the nuts and bolts of the systems that achieve the authentication, authorization, and accounting functions—the “big AAA”—that are the heart and soul of identity management and access control.

Identities and access control, privileges and actions, subjects and objects—they're all different perspectives upon the same underlying and important needs.